How To Completely Remove All Malicious Iframes on Your Website Forever

Posted in Web Development on 6 August 2009 4 comments

Last month, my site was injected with malicious iframes pointing at Chinese (.cn) domains. They looked like this:

<iframe src="http://xxxxxxxxxx.cn" style="visibility:hidden" />

The code was added to my WordPress main index.php, my theme's sidebar.php, wp-admin/default-filter.php and more. The first thing I thought of was contacting my web host, because I assumed the problem was on their side. In the end I did not contact them, because I realised that the first thing I should do was remove the code from my site.

Why do we need to remove them?

  • Search engines such as Google may flag your site as malicious, because it really is serving malicious code.
  • The hidden iframe loads a page from the attacker's server in the background, and you have no idea what that page does to your visitors.
  • Some iframes automatically open a PDF document in Adobe Reader (my case). This is more than an annoyance: a page that silently pushes a PDF at your browser is trying to run an exploit against the reader.

Completely removing all malicious iframes

The injected iframes load silently in the background without your knowledge. Fortunately, the code that was added to my site caused a PHP fatal error that stopped my site from loading, so I noticed it. Of course I wanted to remove it right away, but I had no idea how many files had actually been injected. So I downloaded a full backup of my WordPress directory from my web host and extracted it on my local computer.

I opened PSPad (my favourite editor) and searched the whole WordPress folder for the term "<iframe" using "Search > Search/Replace in Files". I got a number of results; roughly 5 files contained malicious iframes. I carefully replaced the injected files with their original copies. (Be very careful to use a clean download of exactly your WordPress version when replacing core files, and your own clean backup or the theme's original package for theme files.) Searching for "<iframe" only finds this particular injection; attackers often wrap the same payload in eval(base64_decode(...)) or gzinflate(...), so search for those too, and compare the whole backup against a clean copy rather than trusting a single search term.
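As an added example (not code from the original post), here is the same search-and-compare step done from a shell against the downloaded backup. It greps for hidden iframes and the obfuscated PHP loaders that usually accompany them, then compares the backup file by file with a clean WordPress download of the same version, so you replace exactly the modified files and also catch files the attacker added. The directory layout, file names and file contents it builds are constructed samples, not the author's real files.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress tree for the
# kind of hidden iframe described above, plus the obfuscated PHP wrappers
# that usually come with it, then diff the tree against a clean copy of the
# same WordPress version so only the injected files get replaced.
# Everything built by make_clean_site/make_infected_copy is constructed
# sample data.

# Hidden off-site iframes and the base64/gzinflate loaders typically
# injected alongside them.  Extend this list with what you actually find.
INJECT_PATTERNS='<iframe[^>]*(visibility: *hidden|display: *none|width=.?0|height=.?0)|eval\(base64_decode|gzinflate\(base64_decode'

# scan_injections DIR: print file:line:match for every suspicious line in
# the PHP, HTML and JS files below DIR.
scan_injections() {
    grep -rEni --include='*.php' --include='*.html' --include='*.js' \
        "$INJECT_PATTERNS" "$1" 2>/dev/null
}

# count_infected DIR: number of distinct files with at least one hit.
count_infected() {
    scan_injections "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# diff_against_clean CLEAN SITE: report every file that differs from the
# pristine copy (modified or missing) and every file the attacker added.
diff_against_clean() {
    clean=$1; site=$2
    ( cd "$clean" && find . -type f ) | sort | while read -r f; do
        cmp -s "$clean/$f" "$site/$f" || echo "modified_or_missing $f"
    done
    ( cd "$site" && find . -type f ) | sort | while read -r f; do
        [ -e "$clean/$f" ] || echo "extra $f"
    done
}

# make_clean_site: a tiny constructed stand-in for a fresh WordPress download.
make_clean_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/mytheme" "$d/wp-admin"
    printf '<?php\n/* constructed stand-in for index.php */\n' > "$d/index.php"
    printf '<div id="sidebar"></div>\n' > "$d/wp-content/themes/mytheme/sidebar.php"
    # a legitimate, visible iframe that must NOT be flagged
    printf '<iframe src="https://www.youtube.com/embed/example"></iframe>\n' \
        > "$d/wp-content/themes/mytheme/video.php"
    echo "$d"
}

# make_infected_copy CLEAN: copy of the clean tree with injections resembling
# the ones in the post (hidden iframe to a .cn host) and one dropped backdoor.
make_infected_copy() {
    d=$(mktemp -d)
    cp -R "$1/." "$d/"
    printf '<iframe src="http://xxxxxxxxxx.cn" style="visibility:hidden"></iframe>\n' \
        >> "$d/index.php"
    printf '<iframe src="http://xxxxxxxxxx.cn" width="0" height="0"></iframe>\n' \
        >> "$d/wp-content/themes/mytheme/sidebar.php"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$d/wp-admin/backdoor.php"
    echo "$d"
}

# Demo run on the constructed trees.  On a real site you would call
#   scan_injections /path/to/backup
#   diff_against_clean /path/to/clean-wordpress-same-version /path/to/backup
CLEAN=$(make_clean_site)
SITE=$(make_infected_copy "$CLEAN")
echo "== suspicious lines =="; scan_injections "$SITE"
echo "== $(count_infected "$SITE") infected file(s) =="
echo "== differences from clean copy =="; diff_against_clean "$CLEAN" "$SITE"
rm -rf "$CLEAN" "$SITE"
```

The comparison step matters more than the grep: the grep only finds patterns you already know about, while cmp against a clean copy of the same version shows every modified core file and every file that should not be there at all.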

The problem was solved... not yet. I thought it was, but the iframes returned the next day. That was the point to do some research, because this time exactly the same files had been injected again.

How was the code added to my site?

I spent some time googling and found that most people suffering from this problem had FileZilla installed, including myself. Almost all of them had also saved their FTP password and login details in FileZilla itself. After some discussion on forums, it seemed the problem was not specific to FileZilla but to FTP clients in general.

The conclusion I reached was that my computer was infected with some kind of virus/trojan that automatically harvests FTP account details from FTP client software. The injection itself is most probably done by automated bots, because exactly the same files were injected every time.

Prevent future attacks

The first thing you should do is change your FTP password. If you don't, your site will keep being injected no matter what you do, because someone already has your password. Change it from a computer you trust, not from the infected one, or the new password will be stolen the same way. Clean or reinstall the infected PC before using it for uploads again. Plain FTP also sends your password in clear text across the network, so if your host offers SFTP or FTPS, switch to that. If you are using FileZilla to upload files, remove any saved account details and log in manually every time. After you have finished uploading, clear all history using Edit > Clear Private Data > tick all 4 categories > OK.

My site has been free of malicious iframes since then.


Posted by Zen on 6 August 2009 • 10,881 visits 4 comments
4 Comments


Prasanna DV says:

Hello,

My site http://www.innovisiontouch.com is under continuous attack from an iframe virus, because of which Google is showing the message "This site may harm your computer". Kindly help. I don't want to get blacklisted.

Awaiting your reply,
Prasanna

zen says:

@Prasanna DV, did you even read my post above? Hmm..

kenshin says:

Nice post. Your post matches my problem and I followed it. Thanks.

Rockville Homes for Sale says:

After an injection it is not enough to change only the FTP password; try changing the MySQL password too.
