Hey, in the middle of my work finishing the Smells Like Facebook Theme, I realized that somehow my blog always loads something from http://goooogleadsence.biz/. The browser status bar always shows “Connecting to http://goooogleadsence.biz/” every time I load my blog page. I thought it was my ads script, but after I checked, it wasn’t. Then I scanned my blog directories and found some malicious script in some files like this
Feeling suspicious, I googled it. Then I found this post: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/. I finally learned that the script was somehow added to my files by a virus. Yes, it is my own mistake. I often connect to my blog’s FTP to edit themes on public computers. After I cleaned all the script from my blog directories and changed my FTP password, the script always got back into the files. I don’t know why. I’m very afraid that Google will index my blog as a malicious site because of that script.
Then I got an idea. I made a very simple plugin that ends the execution of the PHP script after the theme footer is loaded, so the malicious script will never be executed and the iframe will never be shown on the blog page. Of course, the plugin doesn’t remove the script; it just prevents the iframe from being shown. You’ll still need to remove the script from your files manually (or with a tool, if you’ve found one). This plugin is also useful in case the script somehow gets back into your files after you remove it.
You can download the plugin here. It is still a beta version, so if you find any bugs, please report them here. Oh yes, you’ll need to make sure that your theme has a call to the wp_footer() function right before the closing </body> tag.
PS: some Joomla users have found a tool to remove the script, but.. it has a price, it’s not free. Thank God, I’m using WordPress..
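An added example, not the author's plugin or the paid tool mentioned above: a scanner for the manual cleanup step, which walks a site directory for iframes pointing at goooogleadsence.biz and can strip them while keeping a backup. The iframe shape, the file extensions and the sample site are assumptions constructed for illustration, since the post does not show the injected script.

```python
import re
import tempfile
from pathlib import Path

BAD_HOST = b"goooogleadsence.biz"  # domain named in the post
# Assumed injection shape (not shown in the post): an <iframe> whose src is on BAD_HOST.
IFRAME_RE = re.compile(
    rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?[^\"'\s>]*" + re.escape(BAD_HOST)
    + rb"[^>]*>(?:\s*</iframe>)?", re.IGNORECASE)
SCAN_EXT = {".php", ".html", ".htm", ".js", ".tpl"}  # assumed template types

def scan_tree(root):
    """Return (relative path, line number, matched tag) for each hit under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        data = path.read_bytes()  # work on bytes so no file encoding is guessed
        for m in IFRAME_RE.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line, m.group(0).decode("latin-1")))
    return hits

def clean_file(path):
    """Strip matching iframes, keeping the original as <name>.infected. Returns count."""
    path = Path(path)
    data = path.read_bytes()
    cleaned, count = IFRAME_RE.subn(b"", data)
    if count:
        path.with_name(path.name + ".infected").write_bytes(data)
        path.write_bytes(cleaned)
    return count

def build_sample_site(root):
    """Constructed sample: a footer with an iframe appended after </html>, and a clean page."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n</body>\n</html>\n"
        '<iframe src="http://goooogleadsence.biz/" width=1 height=1></iframe>\n')
    (theme / "index.php").write_text(
        '<?php get_header(); ?>\n<iframe src="https://example.com/embed"></iframe>\n')
    return theme

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, line, tag in scan_tree(tmp):
            print(f"{rel}:{line}: {tag}")
```

Run the scan again after cleaning and after every password change; hits that reappear mean the files are still being rewritten from outside. Move the `.infected` backups off the server once they have been reviewed.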
27 replies on “Blocks the Annoying goooogleadsence.biz Iframe”
“After I cleaned all the script from my blog directories and changed my FTP password, the script always got back into the files”
This means that the worm has infected the machine which you are currently using for connecting to the server.
@Niyaz: Maybe, but it’s not a problem anymore 😀
thank god you’re here
I am also attacked by this virus in my blog as well as my RSS feed, and it is not removed after the plugin. Please help!
Finally we made a removal script for that virus. The script finds the googleabsence.biz iframe on your server and removes it. You can get the script from the link below.
Nice post, Jib…
But I’m still waiting for “Smile Like Facebook” theme….
The method they spread the exploit isn’t entirely your fault. The reality is that the server gets rooted, which establishes the exploit. Once someone has access to a server via root, they can scour the remainder of the hosting server and infect any site residing on that server. This is a massive hole with many hosting providers, Dreamhost seeming to be the only one that’s been open about the problem and offering suggestions and solutions.
Once the exploit is placed, this has potential to propagate to client-side machines through any insecure browser (IE, Opera, and now Firefox from what we’ve been seeing).
Chrome appears to be the only browser capable of mitigating the issue for client-side machines at this time, as it shuts the session down immediately upon detecting the malicious code.
The best article regarding this issue is here:
A good solution to consider, if you have access to your server (though the server itself needs to have the rootkits removed) is here:
If you’re on Windows hosting, or with a provider that’s not willing to admit to their servers becoming compromised (regardless of how it happened) — good luck trying to get any host to 1) own up and 2) take action.
So for now, regard the filter as only a band-aid precaution to prevent other machines from becoming infected.
I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.
Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.
I have tried to remove it, but the script was automatically generated again. What should we do?
Bro, has the one in the WP theme directory been updated? Or do I still need the plugin you made to deal with the problem?
It does not return if you take care to use FTP only from a clean system. Before you use FTP, change your webhost and FTP passwords. To ensure that I use FTP from a clean system, I use a Linux live CD, download an FTP program and then do any uploads and downloads.
This virus attack happens only if you have used FTP from an infected system. The webhost system admin sent me a log of FTP activity from others uploading files to my host account.
After I took this care, no infection has taken place.
thank you for the information and waiting for a better version
Wow 🙂 we found out about this too late
We even moved hosting because of this kind of iframe
BTW, please add a "notify me" option to the comments so we can keep following
thanks for the nice info & tools
thanks for plugins
The theme is great, bro, so much so that I was a little confused at first :D
Thanks for the plugin too. Looking forward to your next creations..
thx for the information……
Learned something new, bro… thanks, now I know that things like this happen….
Luckily I'm using WordPress too, bro….
Just discovered this site thru Google
Wishing you ever more success..
Looking forward to more information..
Cool information. Thank you.
keep posting guys!
Thanks for your information..
Very useful for the reader..