iframe Hack – A Warning for readers and other bloggers

Dabbled got hacked a few weeks ago, and I just figured it out. So I’m passing on the warning to you guys.

First off, everyone should run regular spyware checks on their computer. Yes, even if you have a Mac: in the forums I was reading there were Mac users with these issues. Yes, even though you already run a virus scan. There are a bunch of programs out there, but I typically use Spybot Search & Destroy and Ad-Aware. They are both free for personal use. And if you use IE I recommend switching to Firefox. The ad blocking and script blocking add-ons will save you headaches. Also, if you’re using version 8 or below of Acrobat Reader, upgrade to version 9.

Secondly, to my fellow bloggers: check your site and confirm that you haven’t been hacked as well. In my research today I found that this has been a pretty common hack recently, and it’s hidden so you don’t notice it, but you could be spewing icky links to Google or directing your users to malware without even knowing it. If you have a WordPress blog, check your index.php files. Mine all had an iframe to an icky site added to the end. You can also use this site to see if you have hidden evil links: http://www.unmaskparasites.com/.

Note: This was NOT WordPress specific, although a lot of WP sites have reported it.

I think I have it all cleaned up now, but my symptoms were:

  • some weird site slowness
  • 2 reports (over 2 weeks) of malware/virus warnings by readers
  • some odd Adobe Acrobat errors that I got myself when on the site.

Like I said, not much is really visible, and most of it could be attributed to a flaky link or add-in.

Once I got into troubleshooting this morning, I also found:

  • Every index.php file had been modified to include an iframe link at the end (even empty ones and ones in unused themes) (I manually fixed most of these)
  • Extra HTML files added (maybe index or default, can’t remember) (deleted these)
  • Modifications to the base WordPress files (a clean install fixes these)
  • I couldn’t find any malware on my computer, but I did have a serious computer crash/issues a while back, which could have been malware related.

I think that was all I found... hopefully that was the extent. In addition to fixing the above, I changed FTP and website account passwords (especially since multiple sites under the same account were impacted), as well as WP admin passwords, and downloaded several security plugins.

Eep! Hacked!

If you do have the iframe hack that I had (there have also been issues reported where malicious JavaScript was added, or malicious users or plugins, so check those too), you’ll need to clean it up.

First clean your own computer of malware, as directed above. You may also want to go deeper. If you’re using WordPress, you’ll need to reinstall WP, manually clean up your wp-content directory, and check every theme. Download fresh copies of your theme from the source, or edit the files manually. If you have a custom theme, manually delete any changes, or upload from backups. Disable plugins and either re-download or manually check them. In my case, all the bad stuff happened on a single date, so I just looked for files/folders with that date to check. The database is also vulnerable, although I didn’t see any issues with mine. One of the links below has a SQL statement you can run to check for some common issues.
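
One way to run the two checks described above over a downloaded copy of a site: look for an iframe tacked onto the end of a file, and list files changed on the date of the attack. This is an added example, not code from the original post; the 512-byte tail window, the hidden-iframe patterns, the sample files and the 2020-01-15 date are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

IFRAME_RE = re.compile(rb"<iframe\b([^>]*)>", re.IGNORECASE)
# Assumed heuristics for an iframe a visitor cannot see; not exhaustive.
HIDDEN_RE = re.compile(
    rb"(width|height)\s*[=:]\s*[\"']?\s*[01](px)?\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE)
TAIL_BYTES = 512  # the post found the iframe appended at the end of each file


def scan_site(root, suspect_date=None):
    """Return sorted (relative path, reasons) pairs for files that look tampered with."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".php", ".html", ".htm"):
            continue
        data = path.read_bytes()
        reasons = set()
        for m in IFRAME_RE.finditer(data):
            if m.start() >= len(data) - TAIL_BYTES:
                reasons.add("iframe at end of file")
            if HIDDEN_RE.search(m.group(1)):
                reasons.add("hidden iframe")
        if datetime.fromtimestamp(path.stat().st_mtime).date() == suspect_date:
            reasons.add("modified on suspect date")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), sorted(reasons)))
    return sorted(findings)


def build_sample_site():
    """Constructed demo site: two files with an appended iframe, two clean ones."""
    root = Path(tempfile.mkdtemp(prefix="iframe_demo_"))
    bad = b'<iframe src="http://bad.example.invalid/" width="1" height="1"></iframe>'
    stamp = datetime(2020, 1, 15, 12, 0).timestamp()  # constructed "bad day"
    samples = {"index.php": b"<?php require 'wp-blog-header.php'; ?>\n",
               "video.html": b'<iframe src="https://video.example/"></iframe>' + b"<p>text</p>" * 99,
               "wp-content/themes/unused/index.php": b"<?php // unused theme ?>\n" + bad,
               "wp-content/index.php": bad}
    for rel, body in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        if body.endswith(bad):
            os.utime(path, (stamp, stamp))
    return root
```

Point scan_site at a local copy of your web root and pass the date of the attack as a datetime.date; an empty result means neither check fired, not that the site is clean.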

If you’re running multiple sites, don’t forget to check them all.  I even had the issue show up on my test blog site.

You’ll want to change all your site-related passwords, particularly your FTP password. Make sure you’re using a good password (numbers, letters, special characters, caps). You also want to notify your ISP that you’ve been hacked to see if they can check for anything you’ve missed.

Whew! Not me!

If you don’t currently have a virus, do take a few minutes RIGHT NOW (or asap) to download / back up your entire site. Life will be easier then if you are hit with one. And if you’re running WordPress, upgrade to the latest version. There were some security flaws in the previous version (this wasn’t my issue, I was on the latest).

Anyway, since I’ve spent much of the day Thursday fixing this site, the Dabbled|Studios site, plus 2 client sites, I was less than productive with anything Halloween related, so sorry bout that.  But this counts as scary, right?? [Actually, stay tuned, your regularly scheduled Halloween Pumpkin Carving post will be up shortly!]

If this happens to you, here are some additional writeups to help, and google “iframe hack” for more information. I’m sure I haven’t covered it all here, and I’m not a security expert by any means.

Resources in case you’ve been hacked:

http://wordpress.org/support/topic/281767
http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/
http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/
http://www.dnxpert.com/2009/07/24/cleaning-up-wordpress-iframe-hack/
http://www.spam-whackers.com/blog/2007/09/27/iframe-hack/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Blog Security

Good luck!

*Photo credit: ‘MUHAHAHAHAHA – black and white’ was taken by chris runoff