I guess many of you have already run into the iframe malware issue.
In my research I found that this is not the fault of the hosting Linux/Windows server. The issue is caused by a Windows virus that sniffs the internet connection for the user names and passwords of FTP accounts. It then silently downloads every file (or only the index/default files) from the remote FTP server to the infected Windows PC, adds the iframe or JavaScript code, and finally uploads the files back. So first of all, when removing this virus from the remote servers, check your own computers. The virus is known as Trojan.Script.Iframe.
After scanning your system carefully, consider giving up FTP. Download WinSCP and stop storing your passwords locally. Then change your passwords.
To get the list of infected files I use either grep or find at a shell prompt (you will need SSH access to the server):
grep -l -R "income" *
101/index.html
or with find:
find "$PWD" \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "income" {} \;
You can also check the timestamps of the files: if you see that index.html or any other file has changed and you did not change it on purpose, you are infected. I'm using the -mtime parameter of find to check for infected files:
find . -mtime -2
This lists all files that were modified in the last 48 hours.
Malware Removal
You can remove the malware by simply deleting the injected code (sample above) from the affected files. If you need to clean up hundreds of infected files you can do the following:
perl -pi -e 's/(\)
Conclusion:
How is the hack done?
1. The client-side PC gets infected with the virus from the search results.
2. The virus gets the FTP username/password from the FTP clients.
3. Using the username/password, the virus downloads the index files, adds the iframe code to them and re-uploads them to the web server.
4. The iframe code points to the same virus. So anyone accessing this website gets infected with the same virus, and it spreads again!
# Solutions
1. Ensure that your code is free from this kind of vulnerability.
2. Change all FTP passwords regularly, keep them safe, and use a combination of letters, numbers and special characters.
3. Before updating the new password in your FTP clients, perform a full system virus scan with a reliable virus scanner updated with the latest virus definition files.
4. Also try not to save (remember) the FTP username/password in FTP clients or on public computers.
5. Check the website files for any unrecognizable or encrypted code that is unknown to you or is not part of the website's function. If you find any, follow the steps above and update the web pages with the proper code.
Update: In August 2009 I found that even .htaccess files can contain redirections to malware sites. The bad part is that if you are using FTP you do not always see the .htaccess file, because it is hidden.
Also, to check whether your site contains the iframe virus you can use the Tamper Data plugin for Firefox: while you are browsing your site you will notice "strange" link redirections in Tamper Data.
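
The checks described in this post (content search, recently modified files, and the hidden .htaccess files from the update) combined into one script, as an added example that is not part of the original post. The function names, the hidden-iframe pattern and the hosts `www.mysite.example` and `malware.invalid` are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are made up here.

# Heuristic (an assumption of this example): injected iframes are usually hidden
# with a 0/1 pixel size or CSS. It is line-based, so a tag split over several
# lines is missed; treat hits as candidates for manual review.
HIDDEN_IFRAME="<iframe[^>]*((width|height)=[\"']?[01]([^0-9]|\$)|display:[[:space:]]*none|visibility:[[:space:]]*hidden)"

# Web files changed in the last DAYS days. Unlike "grep -R ... *", find also
# visits dotfiles such as .htaccess.
recent_web_files() {  # usage: recent_web_files WEBROOT DAYS   (NUL-separated)
    find "$1" -type f -mtime "-$2" \( -iname '*.php' -o -iname '*.htm' \
        -o -iname '*.html' -o -name '.htaccess' \) -print0
}

# Recently changed files that contain a hidden iframe.
recent_hidden_iframes() {  # usage: recent_hidden_iframes WEBROOT DAYS
    recent_web_files "$1" "$2" | xargs -0 -r grep -lEi -- "$HIDDEN_IFRAME" | sort
}

# .htaccess directives whose absolute URL points at a host other than OWN_HOST.
# Prints file:line:directive. The host is compared exactly, so a look-alike
# such as OWN_HOST.other.tld is still reported.
htaccess_offsite() {  # usage: htaccess_offsite WEBROOT OWN_HOST
    find "$1" -type f -name '.htaccess' -exec awk -v own="$2" '
        tolower($1) ~ /^(rewriterule|redirect|redirectmatch|errordocument)$/ {
            line = tolower($0)
            if (match(line, "https?://[^/:\" \t]+")) {
                host = substr(line, RSTART, RLENGTH)
                sub("^https?://", "", host)
                if (host != tolower(own)) print FILENAME ":" FNR ":" $0
            }
        }' {} +
}

# Constructed sample tree for a dry run: bash thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); mkdir "$d/101"
    echo '<iframe src="http://malware.invalid/" width=1 height=1></iframe>' > "$d/101/index.html"
    echo 'Redirect 302 / http://malware.invalid/' > "$d/.htaccess"
    recent_hidden_iframes "$d" 2; htaccess_offsite "$d" www.mysite.example
    rm -rf "$d"
fi
```

Run it on the server against the web root, or against a copy pulled down over SSH; with FTP-only access the .htaccess check is the part you cannot do from most clients.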