Removing Recent Code Injection for WordPress

by on 06/27/2012 in Security, Vulnerabilities, WordPress

Over the last month or so, many WordPress blogs were attacked, and as a result most of the blogs were blocked with the infamous attack page (pictured below). The attack is the result of an iframe injection in the following files:

wp-blog-header.php
wp-config.php
wp-load.php

Fixing Attack Page

These are core WordPress files, and to remove the iframe injection you will need FTP access to view and remove the iframe code in each file. The iframe is located at the top of each file and looks like this: <!-- <iframe width="100" height="100" src="http://viaieew.tk/75784006.html"></iframe> -->

You should also look for any files that were recently modified. Your FTP client will show a column called "Changed". Sort by it, then open each recently modified file to see whether it contains injected code.
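The two manual checks above (an iframe at the top of a file, and recently changed files) can be scripted against a downloaded copy of the site or run over SSH. This is an added example, not code from the original post; the function name `scan_wordpress`, the 2 KB header window and the 30-day default are assumptions, and the world-writable check is an extra based on the file-permission point raised in the comments.

```python
import os
import re
import sys
import time

# Matches an <iframe ... src=...> tag, whether or not it is wrapped in an HTML comment.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
HEAD_BYTES = 2048  # assumption: the injection sits in the first 2 KB, i.e. "at the top"


def scan_wordpress(root, recent_days=30, now=None):
    """Return [(relative_path, [reasons])] for PHP files that should be opened by hand."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError as exc:
                # Report unreadable files instead of hiding them.
                findings.append((rel, ["unreadable: %s" % exc.strerror]))
                continue
            reasons = []
            match = IFRAME_RE.search(head)
            if match:
                src = match.group(1).decode("latin-1")
                reasons.append("iframe at top of file, src=" + src)
            if st.st_mtime >= cutoff:
                reasons.append("modified in last %d days" % recent_days)
            if st.st_mode & 0o002:  # any user on the host can write to this file
                reasons.append("world-writable")
            if reasons:
                findings.append((rel, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress
    for rel_path, why in scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (rel_path, "; ".join(why)))
```

A file flagged only as recently modified is not necessarily infected (an upgrade touches core files too); the script narrows down what to open, it does not clean anything.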

The injected iframe is due to a vulnerable .js file that can be accessed by the hacker and used to inject code into several WordPress core files.

The good news is that WordPress 3.4.1 was released yesterday, and once you upgrade, the iframe injection will be removed. Unfortunately, the actual security issues that were fixed in 3.4.1 do not specifically address this ongoing problem.

From WordPress.org: Version 3.4.1 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential information disclosure as well as a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.

It is important to change your FTP and WordPress admin password if you have been attacked. Try using a password with more than 8 characters that has at least one number, an uppercase character and a special character.

4 Responses to “Removing Recent Code Injection for WordPress”

  1. Giedrius Majauskas

    Jun 28th, 2012

    Frank,

    This is quite interesting, as these files are WordPress core ones, and not in the wp-content folder (which should be the single folder writable by the web server). Thus they should not be writable through an exploit in WordPress (JS or not), except if someone messed up the file permissions.

    Thus it would be a great idea to change FTP/SSH credentials and scan the PC with anti-virus. I would guess it might be a password sniffing attack too.

    • Frank Jovine

      Jun 28th, 2012

      Giedrius,

      Great point! If those files are chmod 777, that could allow anyone to gain access... Kudos!

  2. Brad

    Jun 28th, 2012

    Some hosting accounts come with a keyword generator, which I find to be easier than coming up with passwords on my own. You should also make it a habit of changing your password on occasion.

  3. John Smith

    Jul 2nd, 2012

    Good to know. The WordPress platform has many bugs and vulnerabilities; this is one of them.