Blogs internet

Blocks the Annoying Iframe

Hey, in the middle of my work finishing the Smells Like Facebook Theme, I realize that somehow my blog always load something from The browser status bar always show “Connecting to” every time I load my blog page. I thought it is my ads script. But after I check, it isn’t. Then scan blog directories and found some malicious script in some files like this

echo “?click=7B42BF“;

Feeling suspicious, I google about it. Then I find this post: I finally know that the script was added somehow to my files by a virus. Yes, it is my own mistake. I often connect to my blog ftp to edit themes in a public computers. After I clean all the script from my blog directories and change my ftp password, the script always get back to the files. I don’t know why. I’m very afraid that Google will index my blog as a malicious site because of that script.

Then I got an idea. I made a very simple plugin that will end the execution of PHP script after the theme footer is loaded. So the malicious script will never be executed and the iframe will never shown in the blogpage. Of course, the plugin doesn’t remove the script, it just prevent the iframe for being shown. You’ll still need to remove the script from your files manually (or if you’ve found tool to do it). This plugin also useful in case the script get back to your files somehow after you removed them.

You can download the plugin here. It is still in beta version, so if you found some bugs, please report it here. Oh yes, you’ll need to make sure that your theme have a call to wp_footer() function right before </body> close tag.

PS: some of Joomla users have found the tool to remove the script, but.. it has a price, not free. Thanks God, I’m using WordPress..

27 replies on “Blocks the Annoying Iframe”

“After I clean all the script from my blog directories and change my ftp password, the script always get back to the files”

This means that the worm has infected your the machine which you are currently using for connecting to the server.


The method they spread the exploit isn’t entirely your fault. The reality is that the server gets rooted, which establishes the exploit. Once someone has access to a server via root, they can scour the remainder of the hosting server and infect any site residing on that server. This is a massive hole with many hosting providers, Dreamhost seeming to be the only one that’s been open about the problem and offering suggestions and solutions.

Once the exploit is placed, this has potential to propagate to client-side machines through any insecure browser (IE, Opera, and now Firefox from what we’ve been seeing).

Chrome appears to be the only browser capable of mitigating the issue for client-side machines at this time, as it shuts the session down immediately upon detecting the malicious code.

The best article regarding this issue is here:

A good solution to consider, if you have access to your server (though the server itself needs to have the rootkits removed) is here:

If you’re on Windows hosting, or with a provider that’s not willing to admit to their servers becoming compromised (regardless of how it happened) — good luck trying to get any host to 1) own up and 2) take action.

So for now, regard filter as only a band-aid precaution to prevent other machines from becoming infected.


I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.

Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

Cheers 🙂



It do not return if you have taken care to use FTP only from clean system. Before you use FTP, change your webhost and FTP passwords. To ensure that I use FTP again from clean system, I use live CD of linux and download FTP program and then do any upload download.

This virus attack happens only if you have used FTP from infected system. The webhost system admin sent me log of FTP activity from others uploading files to my host account.

After I take this care, no infection is taking place.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s