How did I remove the iframe the hackers put on my index pages

I am getting a lot of questions on how to remove the iframes that got hacked onto the index pages, whether index.php, index html, or default.html

It is actually relatively easy, and I'll show you two methods, one with using ftp and the other using your file manager that comes with cpanel.

Hold on... I have a coaching client coming... I'll be back later this afternoon to show you step-by-step with screen shots... check back this afternoon... sorry for the interruption... OK?

Sorry... I am back.

Life got suddenly very busy... my students are suddenly producing results... yaaay.

Anyway, here are two ways to recognize and remove the iframes from your index pages.

Method 1: ftp.

ftp into your your site's root level and sort your documents by date.

locate and remove iframe hack

you may notice that my index.php file was changed on September 5.

This is a blog, and you don't change the index file... ever. so this must have been the hackers' target.

Now, from the result you'll see that this wasn't a manual hacker, it was a little mindless robot sent out the wreak havoc...

locate and remove iframe hack
the above index.php file is the healthy file that comes with your wordpress blog installation. it starts with <?php and ends with ?>

that is how it should be.

locate and remove iframe hack

on the above index.php file, please observe the last line. after the closing ?> there is a whole line of code... that is the code you need to remove.

locate and remove iframe hack

this is how the whole line looks... Save and upload your file and you are done.

The second category of files that got hacked are files that have body tags in them...  they can be both php or html files. the commonality is that they contain a body tag, that looks like this <body>

Sometimes after the <body there is other code, and then it closes with a > tag. It is still a starting body tag.

locate and remove iframe hack

this is (above) how a healthy file looks with body tag

locate and remove iframe hack

this is (above) how an infected file looks with body tag

you need to delete the line that has the iframe tag <iframe src..to <iframe>.

Third important thing: folder or directory dates also change when files change inside. So if you have subdirectories that have a newer date, please check the index files inside... I found 202 infected files, because my sites have many subdirectories.

Good luck, and please let me know how you are making out.
Was this enough information? Please talk back to me.

What do car thieves and computer hackers have in common

I just read a very interesting article, that you want to read...

Though it has nothing to do with the recent iframe hack, because it effected every style of site, not just wordpress blogs, the article has a lot of good points, and you want to read it...

Trust me? Read it. here is the link: http://wordpress.org/development/2009/09/keep-wordpress-secure/