How did I remove the iframe the hackers put on my index pages

I am getting a lot of questions on how to remove the iframes that got hacked onto the index pages, whether index.php, index html, or default.html

It is actually relatively easy, and I'll show you two methods, one with using ftp and the other using your file manager that comes with cpanel.

Hold on... I have a coaching client coming... I'll be back later this afternoon to show you step-by-step with screen shots... check back this afternoon... sorry for the interruption... OK?

Sorry... I am back.

Life got suddenly very busy... my students are suddenly producing results... yaaay.

Anyway, here are two ways to recognize and remove the iframes from your index pages.

Method 1: ftp.

ftp into your your site's root level and sort your documents by date.

locate and remove iframe hack

you may notice that my index.php file was changed on September 5.

This is a blog, and you don't change the index file... ever. so this must have been the hackers' target.

Now, from the result you'll see that this wasn't a manual hacker, it was a little mindless robot sent out the wreak havoc...

locate and remove iframe hack
the above index.php file is the healthy file that comes with your wordpress blog installation. it starts with <?php and ends with ?>

that is how it should be.

locate and remove iframe hack

on the above index.php file, please observe the last line. after the closing ?> there is a whole line of code... that is the code you need to remove.

locate and remove iframe hack

this is how the whole line looks... Save and upload your file and you are done.

The second category of files that got hacked are files that have body tags in them...  they can be both php or html files. the commonality is that they contain a body tag, that looks like this <body>

Sometimes after the <body there is other code, and then it closes with a > tag. It is still a starting body tag.

locate and remove iframe hack

this is (above) how a healthy file looks with body tag

locate and remove iframe hack

this is (above) how an infected file looks with body tag

you need to delete the line that has the iframe tag <iframe <iframe>.

Third important thing: folder or directory dates also change when files change inside. So if you have subdirectories that have a newer date, please check the index files inside... I found 202 infected files, because my sites have many subdirectories.

Good luck, and please let me know how you are making out.
Was this enough information? Please talk back to me.

Author: Sophie Benshitta Maven

Sophie BenShitta Maven is a Renaissance Woman... architect, publisher, photographer, coach, marketer, teacher, but most importantly the archetype of the Pathfinder. This blog is an eclectic collection of articles that I update as in my daily practice as a friend/mentor/coach/entrepreneur I run across an idea, an distinction, a product, a procedure that will cut 'light years' from your learning curve. I won't speak about anything that is not backed by my personal experience... no promoting products that I haven't used... ever. After all I am the Pathfinder... remember? I will always walk before you, so that you know that the path you are shown is reliable and will take you where you intend to go.