Hey, in the middle of finishing the Smells Like Facebook Theme, I realized that my blog was somehow always loading something from http://goooogleadsence.biz/. The browser status bar showed “Connecting to http://goooogleadsence.biz/” every time I loaded a page of my blog. I thought it was my ads script, but after checking, it wasn’t. Then I scanned my blog directories and found a malicious script in some files, like this:
echo “?click=7B42BF“;
Feeling suspicious, I googled it and found this post: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/. I finally understood that the script had somehow been added to my files by a virus. Yes, it was my own mistake: I often connect to my blog over FTP from public computers to edit themes. After I cleaned all the scripts from my blog directories and changed my FTP password, the script kept coming back to the files. I don’t know why. I’m very afraid that Google will index my blog as a malicious site because of that script.
Then I got an idea. I made a very simple plugin that ends execution of the PHP script after the theme footer is loaded, so the malicious script is never executed and the iframe is never shown on the blog page. Of course, the plugin doesn’t remove the script; it just prevents the iframe from being shown. You’ll still need to remove the script from your files manually (or with a tool, if you’ve found one). The plugin is also useful in case the script somehow gets back into your files after you’ve removed it.
You can download the plugin here. It is still a beta version, so if you find any bugs, please report them here. Oh yes, you’ll need to make sure that your theme calls the wp_footer() function right before the closing </body> tag.
PS: some Joomla users have found a tool to remove the script, but.. it has a price; it’s not free. Thank God I’m using WordPress..
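The stop-after-footer idea described above can be sketched as a minimal WordPress plugin. This is an added example, not the code of the plugin offered for download; the plugin name and the function name saf_end_request_after_footer are hypothetical, and it assumes the theme calls wp_footer() right before </body>:

```php
<?php
/*
Plugin Name: Stop After Footer (illustrative example)
Description: Ends the request once wp_footer() has finished, so PHP placed after the footer never runs.
*/

// Hypothetical name; the original plugin's code is not shown in the post.
function saf_end_request_after_footer() {
    // The theme's own closing tags sit after wp_footer() and will no longer
    // be reached, so print them here to keep the page well-formed.
    echo "\n</body>\n</html>\n";

    // exit stops the rest of the template, and any code appended after it,
    // from running. PHP still flushes its output buffers and runs registered
    // shutdown functions, so WordPress's 'shutdown' hook fires as usual.
    exit;
}

// PHP_INT_MAX makes this the last wp_footer callback, so the footer output
// of the theme and of other plugins has already been printed.
add_action( 'wp_footer', 'saf_end_request_after_footer', PHP_INT_MAX );
```

Only code that would have run after wp_footer() returns is cut off. Injected lines in files loaded earlier in the request are unaffected, and so are feeds, which never call wp_footer().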
27 replies on “Blocks the Annoying goooogleadsence.biz Iframe”
“After I clean all the script from my blog directories and change my ftp password, the script always get back to the files”
This means that the worm has infected the machine which you are currently using for connecting to the server.
@Niyaz: Maybe, but it’s not a problem anymore 😀
thank god you’re here
thank wordpress
Hi,
I am also attacked by this virus in my blog as well as the RSS feed, and it is not removed after the plugin. Please help!
Hi,
Finally we made a removal script for that virus. The script finds the googleabsence.biz iframe on your server and removes it. You can get the script from the link below.
http://joomlaextensions.co.in/
Woooogh,…
Nice post, Jib…
But I’m still waiting for “Smile Like Facebook” theme….
The method they use to spread the exploit isn’t entirely your fault. The reality is that the server gets rooted, which establishes the exploit. Once someone has access to a server via root, they can scour the remainder of the hosting server and infect any site residing on that server. This is a massive hole with many hosting providers, Dreamhost seeming to be the only one that’s been open about the problem and offering suggestions and solutions.
Once the exploit is placed, this has potential to propagate to client-side machines through any insecure browser (IE, Opera, and now Firefox from what we’ve been seeing).
Chrome appears to be the only browser capable of mitigating the issue for client-side machines at this time, as it shuts the session down immediately upon detecting the malicious code.
The best article regarding this issue is here:
http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
A good solution to consider, if you have access to your server (though the server itself needs to have the rootkits removed) is here:
http://www.gotroot.com/tiki-read_article.php?articleId=278
If you’re on Windows hosting, or with a provider that’s not willing to admit to their servers becoming compromised (regardless of how it happened) — good luck trying to get any host to 1) own up and 2) take action.
So for now, regard the filter as only a band-aid precaution to prevent other machines from becoming infected.
I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.
Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.
Cheers 🙂
Akash
I have tried to remove it, but the script was automatically generated again. What should we do?
Bro, has the one in the WP theme directory been updated? Or do I still need the plugin you made to deal with the problem?
It does not return if you take care to use FTP only from a clean system. Before you use FTP, change your webhost and FTP passwords. To ensure that I use FTP from a clean system, I boot a Linux live CD, download an FTP program, and then do any uploads and downloads.
This virus attack happens only if you have used FTP from an infected system. The webhost system admin sent me a log of FTP activity showing others uploading files to my host account.
Since I started taking this care, no infection has taken place.
thank you for the information and waiting for a better version
Wow 🙂 we found out about this too late
We even ended up moving hosting because of this kind of iframe
By the way, please add a “notify me” option to the comments so we can keep following
thanks for the nice info & tools
thanks for plugins
The theme is great, bro, to the point that I was a little confused at first :D
Thanks for the plugin too. Looking forward to your next creation..
thx for the information……
nice share,,,,,
Learned something new, bro… thanks, now I know that things like this can happen….
Luckily I’m using WordPress too, bro….
Thanks..
Just discovered this site thru Google
Wishing you even more success..
Looking forward to more information..
Great information. Thank you.
keep post guys!
Thanks for your information..
Very useful for the reader..
Nice post…