How to salvage your website after iframe attack/iframe injection
Posted on November 9, 2009
My earlier post was on good anti-virus software that can abrogate malware and viruses. My current post is on the latest successful hacking trend, called the “Iframe Attack”.
Why am I penning this? One of the main reasons would be my ordeal in the aftermath of such an attack by a half-baked nitwit. For safety reasons I do not want to mention the reason it got attacked or what the message for me from this was. However, I am very eager to help webmasters who may have fallen victim to this dastardly act. I just want to alleviate your consternation caused by hackers who might have planted code to have your website banned or to destroy it completely.
As you already know, there are many successful ways of hacking a website. One of them is MySQL injection. This is the insertion of vicious code through your database to 1) destroy your website, 2) steal contact details of users, or 3) obtain credit card numbers. Luckily, the MySQL injection trend is going down these days due to strong servers and well-secured programs. But what is on the rise is the “Iframe attack”, which is basically the insertion of iframe code into your website files to steal data or destroy the site. This is easier and more viable for hackers.
Usually you will know that you have been a victim of an iframe attack only after Google blocks your website, or if you are fortunate enough to stumble upon such code while developing your pages or amending your files. So where do the iframes exist? And how do you know whether an iframe is genuine or fake?
How to identify fake iframes?
Usually they look like this: <iframe src="something.com" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 >. Notice here that the margin height and margin width are 0. This is the first and only sign that identifies it as a fake iframe. The URL where it says something.com is usually the website address where the hidden files are stored. Once a user is directed there, it will try to download malicious software onto the computer. Any user who does not have anti-virus software can be a victim of this. But I believe most computers already have it installed.
Another minor point is that such iframe codes are found at the bottom or the top of your website source/file.
Which are the files that get easily affected?
All files that end with .htm get affected. Other files that can be affected are index.php, default.html and header.php or footer.php. If only one of your folders is affected, just download the htm/php files onto your computer and purge them one by one.
What to do if the iframes have entered many folders, apparently all your websites hosted on one server or in one account?
Now for this I would be proud to claim that my post is the only one on the net to give you a viable response. If you have a Joomla or a WordPress site, that means there are many .htm and index.php files in many folders. In this case it will be a very, very tedious task to go folder by folder to identify the iframes. It might take days. If you are lazy, then you just have to delete the entire folder, download the Joomla/WordPress folders once again and install with your database backup.
However, there is another solution I can give you on this. I have come across a program developed by this wonderful British citizen, Gerald Thulbourn. I have uploaded this program for you to download. All credits go to Thulbourn for this magic detector that will scan all your files and automatically render the infected pages for you to amend. Please download and unzip the file and upload it to your root folder. Once uploaded, just browse to the file from the website URL. The rest is easy.
By the way, don't forget to delete all your FTP user IDs and passwords and change your cPanel password. This is the first response you should take once affected by iframes.
I have had a nightmare after my server and entire web folders were attacked. Luckily, within 24 hours Google detected the worm and informed me. If you have been a victim of this, stop panicking, take a deep breath and read my post carefully.
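The identification rule and file list described above, turned into a read-only scanner as an added example (this is not Gerald Thulbourn's program and not code from the original post). The function names, the extension list and the constructed sample are assumptions of this example; it also treats width=0 together with height=0 as a sign, which goes slightly beyond the marginheight/marginwidth rule in the post.

```python
import os
import re

# Extensions the post names as commonly affected (assumption: .html included too).
SCAN_EXT = (".htm", ".html", ".php")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Matches width=0, height="0", marginwidth='0px' etc. inside one opening tag.
ZERO_ATTR_RE = re.compile(
    r"\b(width|height|marginwidth|marginheight)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s>/])", re.I)

# Constructed sample: one legitimate embed, then an injected tag like the post's.
SAMPLE = (
    '<iframe src="https://video.example/embed" width="560" height="315"></iframe>\n'
    "<p>page body</p>\n"
    '<iframe src="something.com" width=0 height=0 style="hidden" frameborder=0'
    " marginheight=0 marginwidth=0 ></iframe>\n"
)


def suspicious_iframes(text):
    """Return [(line_number, tag)] for iframes whose size or margins are all zero."""
    hits = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        zeroed = {name.lower() for name in ZERO_ATTR_RE.findall(tag)}
        # Post's sign: both margins 0. Zero width+height is this example's addition.
        if {"marginwidth", "marginheight"} <= zeroed or {"width", "height"} <= zeroed:
            hits.append((text.count("\n", 0, match.start()) + 1, tag))
    return hits


def scan_tree(root):
    """Walk root read-only; return {relative_path: hits} for flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = suspicious_iframes(handle.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    for line_no, tag in suspicious_iframes(SAMPLE):
        print(f"line {line_no}: {tag}")
```

Point `scan_tree` at a downloaded copy of the web root and review each reported tag by hand before editing; the script never modifies files.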
Let me know how it helped you.
Adios ~ SAM
Comments
2 Responses to “How to salvage your website after iframe attack/iframe injection”
buddyyyyyyy thanksss a lottttttttttttttttttt. 100 kisses! you saved my life. my site got attacked last week by a virus and that tool will help me.
Glad it helped you. I will take the thanks, not the kisses, you can keep them
By the way, there is an easy way to identify these iframes and delete them. Try to use shell access from cPanel to identify and delete the iframes through the server.