Iframe code injection

After a long days I am back for blog post. Last one month I was very much irritated with the problem occurred in some of my client website. In a Sunday morning while I was sleeping one of my client ranged me and asked me to check her website as she got a mail from google that her website is spreading malware. I got confused as I had never faced this kind of problem. I started checking the website. But the antivirus in my Laptop didn’t allowed me to open the site at all. Then I decided to go to my office to check the situation.

In my office I checked the site thoroughly(OMG, I was able to open the site in my office). I found iframe code with hidden visibility was inserted in some pages. To be more specific index pages. I checked all the index pages in office PC, deleted the infected pages in the server and uploaded the pages from PC. Checked, cleaned all the html, php, temporary files. Almost near about afternoon I was back to my home while thinking how this happened.

Iframe Injected

Iframe Injected

Next Morning after arriving in the office I started checking the website and I found it was again infected by the hidden iframe. Site url was different as earler it was .cn and next day it was .ru I was upset about how to fix the things. Believe me or not in the last one month this site got infected 27 times. Our team had experienced the same attack for 5 more site. It was a horrible experience for us.

We had done lot of googleing to find out the preventive measurement. We found out lots of information regarding this. Some of them are good and some of them are misleading too. So here I like to point out some effective ones only.

  1. You should have good antivirus installed in your system from where you access web. I am using avast free edition and it works fine for me.
  2. Please check your websites on a regular basis. If you see if any web page with a blank section in the top them be almost sure that it is infected. Your antivirus should give you warning.
  3. If you find any of your website get infected then start following the next steps.
  4. First of all scan your machine with the antivirus. A boot time scan is more preferable.
  5. Replace all the pages in the website using a local copy from your system. If the web site is too big to repalce then try to repalce all the pages with name index. Then check the site again.
  6. Once the site is cleaned change the ftp details for the site and if possible do the same for the other sites whose details are kept in your ftp application.
  7. Keep checking the site in a short span of interval.

You should also check your site in google too. If google find out some problem with your site they may have shown a warning message like “This site may harm your computer”. Another way to check your site is
http://www.google.com/safebrowsing/diagnostic?site=http://www.yourdomain.tld


If you find that google is showing the warning message for your site you can request Google for a recheck via Google Webmaster Tool. But you should check the site twice after cleaning and then request for review.

However I have designed a code in php for checking mainly the index pages in the website. Here is the code.

  1. <?php
  2. // page-checker.php
  3. $path = ".";
  4. $baseDir = basename(dirname($_SERVER[‘PHP_SELF’]));
  5. $WebPath = ‘http://’.$_SERVER[‘HTTP_HOST’].‘/’.$baseDir;
  6. $content_pattern = "iframe";
  7. echo "Checking files for IFRAME Infection<br/>";
  8. $dir_handle = @opendir($path) or die("Unable to open $path");
  9. echo "Directory Structure of $WebPath<br/>";
  10. navigate($dir_handle, $path, );
  11. function navigate($dir_handle,$path, $WebPth)
  12. {
  13.    global $WebPath, $content_pattern;
  14.    echo "<ul>";
  15.    while (false !== ($file = readdir($dir_handle)))
  16.    {
  17.       $dir = $path.‘/’.$file;
  18.       if(is_dir($dir) &amp;&amp; $file != ‘.’ && $file !=‘..’ )
  19.       {
  20.          $handle = @opendir($dir) or die("undable to open file $file");
  21.          $WebRef = $file.‘/’;
  22.          navigate($handle, $dir, $WebRef);
  23.       }
  24.       elseif($file != ‘.’ &amp;&amp; $file !=‘..’)
  25.       {
  26.          if(preg_match(‘/^index+/’,$file))
  27.          {
  28.             $ChcekFlag = FALSE;
  29.             echo "<li>";
  30.             echo "<a href=’".$WebPath.$WebPth.$file."’>".$WebPth.$file."</a><br />";
  31.             $handle = @fopen($dir, "r");
  32.             if ($handle)
  33.             {
  34.                while (!feof($handle))
  35.                {
  36.                   $content = fgets($handle);
  37.                   if(stristr($content, $content_pattern))
  38.                   {
  39.                      $test = stristr($content, $content_pattern);
  40.                      echo $test."<br />";
  41.                      $ChcekFlag = TRUE;
  42.                   }
  43.                }
  44.             }
  45.             fclose($handle);
  46.             if($ChcekFlag)
  47.             {
  48.                echo "<font color=’red’>Infected</font><br />";
  49.             }
  50.             else
  51.             {
  52.                echo "<font color=’green’>Clean</font><br />";
  53.             }
  54.             echo "</li>";
  55.          }
  56.       }
  57.    }
  58.    echo "</ul>";
  59. }
  60. ?>

you can put this code in the root level of your website (in www or public_html or httpdocs). Browsing this page will show all the index pages with status of it.

Current I am working upon extending the code so that it can clean the infected pages automatically. Hopefully I will post it within few days.

11 Comments

  1. shabby says:

    WOW THATS GRATTT

  2. Yogesh Goel says:

    Hi,

    Have added to my blog

    http://www.ygoel.com/

    the write-up & all the photographs of the Kolkata Bloggers Meet 2009.

    Do take some time to visit and do not forget to put down your inputs for the same.

    Regards & Love,
    Yours ever in blogging,

    Yogesh Goel
    ygoel.com

  3. Sunny says:

    All credits to you – same problem happened to me too… & now I am exhausted. I uploaded your file at my root dir

    but its giving error

    Checking files for IFRAME Infection
    Directory Structure of http://www.ampiflow.com/

    Fatal error: Call to undefined function list_dir() in /home/lena9164/public_html/remove.php on line 22

    http://www.ampiflow.com/remove.php here is file,

    Could you please suggest what could be prob ?

    Many Many thanks n advance

  4. Susenjit says:

    I am really sorry for the mistake. the function list_dir() should be changed with navigate(). I have already made that correction. You can correct your code as:
    On line 22
    list_dir($handle, $dir, $WebRef);
    replace with –
    navigate($handle, $dir, $WebRef);

    Thanks for pointing out such a crusial mistake.

  5. Sunny says:

    Superb , Thanks Susenjit.. Any idea how they get access to our ftp ?

  6. Sunny says:

    Superb , Thanks Susenjit.. Any idea how they get access to our ftp ? Is this any trojan or spam … do you recommend any tool or anti-virus to stay away from this ?

    Your help solution is outstanding.

  7. Susenjit says:

    I am not sure about how they get access of ftp details but there may be possibilities. The trojan [HTML:Iframe-inf] either access the file where the ftp application stores ftp access details of different site or they hack these information at the time when we type them while connesting via ftp application.

    Since I am using avast free edition(version 4.8) it aborts the connection while opening a webpage with iframe. Also it detects the malware download.

  8. Robert Mann says:

    I never would have thought of that

  9. […] your site using Google Diagonestic tool for safe browsing mentioned in my earlier post – Iframe code injection. In this kind of attack none of your web pages get infected but your .htaccess file gets modified […]

  10. I seriously enjoyed reading through this specific post. I am going to be coming back in order to read even more fascinating opinions. With thanks.

  11. Amos Kofahl says:

    I’m a huge fan of this website and I read it regularly. Keep up the good work!

Leave a Reply