How to remove malware, iframe virus from your site

I guess many of you already have this issue regarding the iframe malware.

In my research I found out that this isn't the fault of the Linux/Windows hosting server. The issue is caused by a Windows virus that sniffs the internet connection for user names and passwords of FTP accounts. It then silently downloads every file (or only the index/default files) from the remote FTP server to the infected Windows PC, adds the iframe or JavaScript code, and finally uploads the files back. So, first of all, before removing this virus from the remote servers check your computers. The virus is known as Trojan.Script.Iframe.

After scanning your system carefully, consider no longer using FTP. Download WinSCP and stop storing your passwords locally. Then change your passwords.

To get the list of infected files I use either grep or find from any shell prompt (you will need SSH access to the server). With grep, -l lists only the names of the files that contain the injected string (here "income"):

grep -l -R "income" *
101/index.html

or with find:

find $PWD \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "income" {} \;

You can also check the timestamps of the files: if you see changes to index.html or any other file that you did not make on purpose, you are infected. I use the -mtime parameter of find to look for recently modified files:

find . -mtime -2

will list all files that were modified in the last 48 hours.

Malware Removal

You can remove the malware by just deleting the injected code (sample above) from the affected files. If you need to clean up hundreds of infected files you can do the following with perl, which rewrites each file in place (replace index.html with the files reported by the find command above):

perl -pi -e 's/<iframe src=\".*?<\/iframe>//g' index.html
perl -pi -e 's/<script>eval\(String\.fromCharCode\(.+?\)\);?<\/script>//g' index.html
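The whole procedure (find the files carrying the injected markup, then strip it) as one script; this is an added example, not code from the original post. It uses sed instead of the post's perl one-liner, keeps a .bak copy of every file it changes, and flags only hidden or 1x1 iframes rather than every iframe. The function and variable names are mine, and the sample site built by make_sample_site (with its iframe and script lines) is constructed for the demonstration, not real malware.

```shell
# Added example, not code from the original post: list files carrying the
# injection markers discussed above and strip them with sed (the post uses
# perl), keeping a .bak copy of each changed file. Assumes a sed that accepts
# -E (GNU or BSD sed). The patterns are deliberately narrow so that ordinary
# iframes survive; every flagged file should still be reviewed by hand.

# Hidden or 1x1 iframe, as used by the injection described in the post.
SUSPECT_IFRAME='<iframe[^>]*((width|height)=("[01]"|[01] )|visibility: *hidden|display: *none)'
# Script payload decoded from character codes at load time.
SUSPECT_EVAL='eval\(String\.fromCharCode\('

# List the php/html/htm files under $1 that contain either marker.
find_injected() {
    find "$1" \( -name '*.php' -o -name '*.html' -o -iname '*.htm' \) \
        -exec grep -l -E "$SUSPECT_IFRAME|$SUSPECT_EVAL" {} \; 2>/dev/null
}

# Strip both injections from one file. Returns 0 if something was removed,
# 2 if the file was left unchanged (no backup is kept in that case).
clean_file() {
    f=$1
    [ -e "$f.bak" ] && { echo "backup already exists: $f.bak" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1
    sed -E -e "s#$SUSPECT_IFRAME[^>]*>[^<]*</iframe>##g" \
           -e "s#<script[^>]*>$SUSPECT_EVAL[^)]*\)\);?</script>##g" \
           "$f.bak" > "$f" || return 1
    if cmp -s "$f" "$f.bak"; then rm -f "$f.bak"; return 2; fi
    return 0
}

# Clean every flagged file under a document root; prints how many changed.
clean_tree() {
    find_injected "$1" | while IFS= read -r f; do
        clean_file "$f" && echo "cleaned: $f"
    done | wc -l | tr -d ' '
}

# Constructed sample site (not real malware): one legitimate iframe, one
# injected hidden iframe and one injected fromCharCode script.
make_sample_site() {
    mkdir -p "$1/101"
    cat > "$1/101/index.html" <<'EOF'
<html><body><h1>Welcome</h1>
<iframe src="https://example.com/embed/video" width="560" height="315"></iframe>
<iframe src="http://malware-host.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
</body></html>
EOF
}
```

Run `make_sample_site /tmp/site; clean_tree /tmp/site` to see it flag and clean the one injected page while leaving the legitimate iframe in place; on a real document root, diff each file against its .bak before deleting the backups.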
Conclusion:

How the hack is done?
1. The client-side PC gets infected with the virus from the search results.
2. The virus gets the FTP username/password from the FTP clients.
3. Using the username/password, the virus then downloads the index files, adds the iframe code to them and re-uploads them to the web server.
4. The iframe code points to the same virus, so anyone accessing this website gets infected with the same virus, and it spreads again!

Solutions
1. Ensure that your code is free from such vulnerabilities.
2. Change all the FTP passwords regularly, keep them safe and use a combination of letters, numbers and special characters.
3. Before entering the new password in your FTP clients, perform a full system virus scan with a reliable virus scanner updated with the latest virus definition files.
4. Also try not to save (remember) the FTP username/password in FTP clients or on public computers.
5. Check the website files for any unrecognizable or encrypted code that is not known to you or is not part of the website's function. If found, follow the above-mentioned steps and update the web pages with the proper code.

Update: In August 2009 I found that even .htaccess files can contain redirections to malware sites. The bad part is that if you are using FTP you do not always see the .htaccess file, because it is hidden.

Also, to check whether your site contains the iframe virus you can use the Tamper Data plugin for Firefox: while you are browsing your site you will notice "strange" link redirections in Tamper Data.


15 Responses to "How to remove malware, iframe virus from your site"

            1. Pejo Says:

              Hi,

              This is the first answer and the first tip that I have found on how I can delete malware from my site.

              Thanks, you are the best!

              All the index.html files inside my Joomla are infected; index.php was infected too, but I have replaced it with the original.

              The problem is, that I am not so good in coding and I am learning.

              Also, the problem is that I do not understand your advice. Where to insert this:

              perl -pi -e 's/<iframe src=\".*?<\/iframe>//g' index.html
              perl -pi -e 's/<script>eval\(String\.fromCharCode\(.+?\)\);?<\/script>//g' index.html

              so that malware in all my index.html is deleted?

              Also, how can I find it? I have seen that you have inserted codes for finding it, but I do not know where to insert them…

              Can you PLEASE help me?
              That would be MUCH APPRECIATED! ;)

              THANKS!

            2. Giany Says:

              These commands will help you to remove all infected code from your .htmls.

            3. Pejo Says:

              Hi,

              Sorry for disturbing you again. I understand that these codes are for removal, but how do I use them? Where do I insert them?

              Is there any application into which I need to insert these codes? Some search and remove tool, or do I insert them somewhere inside WinSCP?

              Thanks!

            4. Giany Says:

              Sorry I should have mentioned that. You will need shell access to your server to launch those commands.

            5. brad Says:

              Here is the solution

              http://www.qualitycodes.com/tutorial.php?articleid=29

            6. Olivier Says:

              great post.
              I think we are having the same issue right now with one of our clients' sites

            7. Atul Says:

              How do I check it on a Windows server where the files are ASP.NET?
              As in PHP, these malwares sometimes create a .php file in writable folders, but on a Windows server what do we check?

            8. Giany Says:

              Maybe you can use the findstr command and look for those strings. Also, the best method remains the timestamp of the files.

            9. Atul Says:

              We have websites hosted on a Windows server which are in ASP.NET.
              On a regular basis our sites get infected with malware attacks like the IFRAME malware. Also, sometimes these malwares just eat up the code on the pages.

              I have read about these, but they are mostly on Linux servers with PHP websites. As I had seen here, sometimes they keep php files and htaccess in writable folders also.

              Can you advise what and how to clean them on a Windows server?

              Thanks Again

            10. buzprav Says:

              Thanks for the commands.

              The source of infection cannot just be a programmer's infected PC. I've seen hackers compromising the server (ftp) and then loading it with scripts which insert iframe codes into files. Further, these scripts are even capable of detecting the ftp passwords, even if you change them. The location of these scripts is always above the public_html folder, i.e., they are never going to place them in the open.

              Thanks Again

            11. sowmya Says:

              hello,

              We have our website which is infected; when we try to open our FTP in Mozilla Firefox, it says the site is infected.

              How do we solve this problem?

              Please help

            12. sowmya Says:

              our website code is in asp.net

            13. Giany Says:

              Just use the FTP account and verify the time stamp of the files. If you notice changes in the last X days you need to verify those files.

            14. sowmya Says:

              thanks for the reply,

              I didn't get how to verify the time stamp of the files,
              can you guide me on how to do that please?

            15. Giany Says:

              If you use Windows Commander or Total Commander and go into your document root directory you will see the date that each file has. If you notice differences between the dates then you need to check those files.
