Long story short, my sites hosted at Dreamhost have all been infected by iFrame injection.
Over the weekend I noticed that the /index.php files for my various personal and in-development client WordPress-based sites had a little snippet of code inserted on line 1. It's some base64 decode in the actual php files that results in an iframe when compiled. Something like this: (iframe tag edited for safety)
[HTML]<ifra me src="http://jfgbs4ygfdgh.co.cc/QQkFBg0MBAEDAAABEkcJBQYNDA0DDQABBg==" width="1" height="1"></ifra me>[/HTML]
I can easily remove the base64 call from each file, but that only lasts a couple hours and it's back again.
How the hell can I get rid of this?
I thought it might have something to do with WordPress security, but I had one non-WordPress-based site infected as well (index.php of course). I looked into it a little and I've read it might be the actual shared hosting server that's infected?
I have submitted a ticket to Dreamhost support, but I figured I would get some outside advice as well.
Once that's done, if you are free and clear for a few hours, go ahead and start reuploading stuff.
Review your logs, find the attack vector, take down the software/exploit.
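
Added example, not code from this thread or from Dreamhost: a static scanner for the kind of injection described in the first post. It flags PHP files containing a `base64_decode("...")` literal and decodes the argument offline to see whether it hides an iframe. The call shape it matches and the sample payload (pointing at `example.invalid`) are assumptions, since the thread does not show the injected PHP itself.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Assumed shape of the injection: base64_decode() called on a string literal.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]\s*\)")
IFRAME = re.compile(rb"<\s*iframe\b", re.IGNORECASE)


def inspect_php(text):
    """Return (line_no, hides_iframe, decoded_preview) for each base64 literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in B64_CALL.finditer(line):
            blob = re.sub(r"\s+", "", match.group(1))
            try:
                decoded = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not the pattern we are after
            findings.append((line_no, bool(IFRAME.search(decoded)), decoded[:80]))
    return findings


def scan_tree(root):
    """Walk a web root and map each .php file with findings to those findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = inspect_php(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples (not taken from the thread): a harmless iframe, encoded.
SAMPLE_IFRAME = b'<iframe src="http://example.invalid/" width="1" height="1"></iframe>'
SAMPLE_INFECTED = '<?php eval(base64_decode("%s")); ?><?php\nrequire "wp-blog-header.php";\n' % (
    base64.b64encode(SAMPLE_IFRAME).decode())
SAMPLE_CLEAN = '<?php\n$x = base64_decode("%s");\n' % (
    base64.b64encode(b"hello world, hello!").decode())

if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, hides_iframe, preview in hits:
            print(f"{name}:{line_no}: [{'IFRAME' if hides_iframe else 'base64'}] {preview!r}")
```

Run it against a downloaded copy of the site rather than only index.php; hits tagged `base64` without an iframe can be legitimate code and need a manual look.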