I am getting a lot of questions on how to remove the iframes that got hacked onto the index pages, whether index.php, index html, or default.html
It is actually relatively easy, and I'll show you two methods, one with using ftp and the other using your file manager that comes with cpanel.
Hold on... I have a coaching client coming... I'll be back later this afternoon to show you step-by-step with screen shots... check back this afternoon... sorry for the interruption... OK?
Sorry... I am back.
Life got suddenly very busy... my students are suddenly producing results... yaaay.
Anyway, here are two ways to recognize and remove the iframes from your index pages.
Method 1: ftp.
ftp into your your site's root level and sort your documents by date.
you may notice that my index.php file was changed on September 5.
This is a blog, and you don't change the index file... ever. so this must have been the hackers' target.
Now, from the result you'll see that this wasn't a manual hacker, it was a little mindless robot sent out the wreak havoc...
the above index.php file is the healthy file that comes with your wordpress blog installation. it starts with <?php and ends with ?>
that is how it should be.
on the above index.php file, please observe the last line. after the closing ?> there is a whole line of code... that is the code you need to remove.
this is how the whole line looks... Save and upload your file and you are done.
The second category of files that got hacked are files that have body tags in them...Â they can be both php or html files. the commonality is that they contain a body tag, that looks like this <body>
Sometimes after the <body there is other code, and then it closes with a > tag. It is still a starting body tag.
this is (above) how a healthy file looks with body tag
this is (above) how an infected file looks with body tag
you need to delete the line that has the iframe tag <iframe src..to <iframe>.
Third important thing: folder or directory dates also change when files change inside. So if you have subdirectories that have a newer date, please check the index files inside... I found 202 infected files, because my sites have many subdirectories.
Good luck, and please let me know how you are making out.
Was this enough information? Please talk back to me.