<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ZENVERSE &#187; Misc.</title>
	<atom:link href="http://zenverse.net/category/misc/feed/" rel="self" type="application/rss+xml" />
	<link>http://zenverse.net</link>
	<description>Design and Web Development</description>
	<lastBuildDate>Mon, 26 Jul 2010 13:01:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How To Completely Remove All Malicious Iframes on Your Website Forever</title>
		<link>http://zenverse.net/how-to-completely-remove-all-malicious-iframes-on-your-website-forever/</link>
		<comments>http://zenverse.net/how-to-completely-remove-all-malicious-iframes-on-your-website-forever/#comments</comments>
		<pubDate>Thu, 06 Aug 2009 11:16:12 +0000</pubDate>
		<dc:creator>zen</dc:creator>
				<category><![CDATA[Misc.]]></category>
		<category><![CDATA[iframe]]></category>
		<category><![CDATA[malicious]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://zenverse.net/?p=570</guid>
		<description><![CDATA[Last month, my site was injected with some malicious iframes linking to Chinese websites. The code was added to my WordPress main index.php, my theme's sidebar.php, wp-admin/default-filter.php and more. The first thing I thought of was to..]]></description>
			<content:encoded><![CDATA[<p>Last month, my site was injected with some malicious iframes linking to Chinese websites, which looked like the one below:</p>

<div class="wp_codebox"><table width="100%" ><tr id="p5701"><td class="code" id="p570code1"><pre class="html" style="font-family:monospace;">&lt;iframe src=&quot;http://xxxxxxxxxx.cn&quot; style=&quot;visibility:hidden&quot; /&gt;</pre></td></tr></table></div>

<p>The code was added to my WordPress main index.php, my theme&#8217;s sidebar.php, wp-admin/default-filter.php and more. The first thing I thought of was to contact my webhost about this because I thought the problem was on their side. Well, I am sorry. I did not contact them in the end because I realised that the first thing I should do is remove the code from my site.</p>
<h4>Why do we need to remove them?</h4>
<ul>
<li>The code may cause search engines like Google to think that your site is malicious, since it does contain malicious code.</li>
<li>Besides, the iframes can run malicious processes in the background without you having any idea what they are.</li>
<li>Some iframes automatically open a PDF document using Adobe Reader (my case), which is quite annoying.</li>
</ul>
<h4>Completely removing all malicious iframes</h4>
<p>Those malicious scripts can run silently in the background without your knowledge. Fortunately, the malicious code that was added to my site caused a PHP fatal error that prevented my site from loading. Of course I was going to remove it right away, but I had no idea how many files had actually been injected. Thus I downloaded a full backup of my WordPress directory from my webhost and extracted it onto my local computer.</p>
<p>I opened <a target="_blank" href="http://www.pspad.com/">PSPad</a> (my favourite editor) and started searching the whole WordPress folder for the term &#8220;&lt;iframe&#8221; using the &#8220;Search > Search/Replace in Files&#8221; feature, and I got a number of results. There were roughly 5 files with malicious iframes. I carefully replaced the injected files with their original copies. (Please be very careful to match your WordPress version when replacing the core files.)</p>
<p>The problem has been solv&#8230;not yet. I thought the problem was solved, but the iframes returned the next day. I knew it was time to do some research about this because this time, exactly the same files were injected.</p>
<h4>How was the code added to my site?</h4>
<p>I spent some time googling and found that most people who suffer from this problem have FileZilla installed, including myself. Besides, almost all of them saved their FTP password and account login details in FileZilla itself. After some discussions on forums, it seems the cause of the problem might not be specific to FileZilla but applies to FTP clients in general.</p>
<p>The conclusion I reached was that my computer was infected with some kind of virus/trojan that automatically scans for FTP account details in FTP client software. The injection process is most probably run by automated bots, because exactly the same files were injected every time.</p>
<h4>Prevent future attacks</h4>
<p>The first thing you should do is change your FTP password. If you don&#8217;t, your site will keep being injected no matter what you do, since someone has already got your password. If you are using FileZilla to upload files, remove any saved account details and log in manually every time. After you have finished uploading, clear all history using Edit > Clear Private Data > Tick all 4 categories > Ok.</p>
<p>My site has been free from malicious iframes since then.</p>
]]></content:encoded>
			<wfw:commentRss>http://zenverse.net/how-to-completely-remove-all-malicious-iframes-on-your-website-forever/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
