
Website infection - iFrame injection - help?

Sharp101 Toronto Registered User regular
edited March 2011 in Help / Advice Forum
Long story short, my sites hosted at DreamHost have all been infected by iFrame injection.

Over the weekend I noticed that the /index.php files for my various personal and in-development client WordPress-based sites had a little snippet of code inserted on line 1. It's some base64 decode in the actual PHP files that results in an iframe when compiled. Something like this: (iframe tag edited for safety)

[HTML]<ifra me src="http://jfgbs4ygfdgh.co.cc/QQkFBg0MBAEDAAABEkcJBQYNDA0DDQABBg==" width="1" height="1"></ifra me>[/HTML]

I can easily remove the base64 call from each file, but that only lasts a couple hours and it's back again.

How the hell can I get rid of this?

I thought it might have something to do with WordPress security, but I had one non-WordPress-based site infected as well (index.php of course). I looked into it a little and I've read it might be the actual shared hosting server that's infected?

I have submitted a ticket to DreamHost support, but I figured I would get some outside advice as well.


Posts

  • bowen How you doin'? Registered User regular
    edited March 2011
    Sounds like someone's got access to your account rather than continual injection. Clear everything, put up a placeholder page, and change passwords (on a different account) and see if that solves your issue.

    Once that's done, if you are free and clear for a few hours, go ahead and start reuploading stuff.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Infidel Heretic Registered User regular
    edited March 2011
    If one of your sites on DreamHost is exploited to add script to each file, it can access all of your sites because you probably only have one user set up for all your domains like most people.

    Review your logs, find the attack vector, take down the software/exploit.

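Added example, not written by anyone in this thread: a read-only Python check for the pattern described in the first post (a base64 decode on line 1 of a PHP file that yields an iframe). It records each flagged file's modification time so the reappearance can be lined up against the access logs, as the last reply suggests. The `eval()` wrapper, the `placeholder.invalid` URL and the `site-a`/`site-b` tree are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# base64_decode('...') with a literal argument; the eval() wrapper is assumed.
B64_CALL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
IFRAME = re.compile(rb"<\s*iframe\b", re.IGNORECASE)

def scan_file(path):
    """Decode every literal base64_decode() argument on a file's first line."""
    with open(path, "rb") as fh:
        first_line = fh.readline()
    payloads = []
    for match in B64_CALL.finditer(first_line):
        try:
            payloads.append(base64.b64decode(match.group(1)))
        except ValueError:  # not valid base64, ignore this match
            continue
    return payloads

def scan_tree(root):
    """Report .php files whose first line carries an encoded payload."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        payloads = scan_file(path)
        if payloads:
            report[path.relative_to(root).as_posix()] = {
                "mtime": path.stat().st_mtime,  # compare against access logs
                "iframe": any(IFRAME.search(p) for p in payloads),
                "payloads": payloads,
            }
    return report

def demo():
    """Scan a constructed two-site tree in which only site-a is injected."""
    html = b'<iframe src="http://placeholder.invalid/x" width="1" height="1"></iframe>'
    blob = base64.b64encode(b"echo '" + html + b"';")
    injected = b"<?php eval(base64_decode('" + blob + b"')); ?>"
    clean = b"<?php\nrequire 'wp-blog-header.php';\n"
    with tempfile.TemporaryDirectory() as tmp:
        for site, body in (("site-a", injected + clean), ("site-b", clean)):
            (Path(tmp) / site).mkdir()
            (Path(tmp) / site / "index.php").write_bytes(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, info in demo().items():
        print(name, "iframe" if info["iframe"] else "encoded payload", info["payloads"])
```

Pointing `scan_tree()` at the account's home directory covers every domain under the single user at once; it only reads files and changes nothing.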