Hey, in the middle of my work finishing the Smells Like Facebook Theme, I realize that somehow my blog always load something from http://goooogleadsence.biz/. The browser status bar always show “Connecting to http://goooogleadsence.biz/” every time I load my blog page. I thought it is my ads script. But after I check, it isn’t. Then scan blog directories and found some malicious script in some files like this
Feeling suspicious, I google about it. Then I find this post: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/. I finally know that the script was added somehow to my files by a virus. Yes, it is my own mistake. I often connect to my blog ftp to edit themes in a public computers. After I clean all the script from my blog directories and change my ftp password, the script always get back to the files. I don’t know why. I’m very afraid that Google will index my blog as a malicious site because of that script.
Then I got an idea. I made a very simple plugin that will end the execution of PHP script after the theme footer is loaded. So the malicious script will never be executed and the iframe will never shown in the blogpage. Of course, the plugin doesn’t remove the script, it just prevent the iframe for being shown. You’ll still need to remove the script from your files manually (or if you’ve found tool to do it). This plugin also useful in case the script get back to your files somehow after you removed them.
You can download the plugin here. It is still in beta version, so if you found some bugs, please report it here. Oh yes, you’ll need to make sure that your theme have a call to wp_footer() function right before </body> close tag.
PS: some of Joomla users have found the tool to remove the script, but.. it has a price, not free. Thanks God, I’m using WordPress..