A new malware attack has been making the rounds recently, infecting a number of web servers and sites. If you suddenly find that your website is triggering your anti-virus software and flagging it as a “dangerous site”, the culprit may be the iframe injection hack.
If your site becomes infected, contact both your webmaster and your hosting company immediately.
I’ve been working on fixing this problem for one of my clients, and had to do some digging to find useful information on the cause, what it’s doing, and the solution. I am not a server admin or IT expert, but I hope the following information will help.
The symptom:
You, or anybody else, visits the home page of your site – only to find anti-virus software kicking in and bells going off. You may even find your site flagged in Google results as a “site that may harm your computer”.
Note – this infection can occur no matter who your hosting company is. I have heard from a colleague who encountered this problem that they were hosting with Yahoo, but I’m NOT suggesting Yahoo is particularly vulnerable – just pointing out that if Yahoo servers can get infected, any server can.
What’s going on under the hood:
If you look at the source code of the infected page, you will see that a script has been inserted into the page at the bottom, usually just before the /body tag. The infection usually hits the following page names:
index
default
home
main
config
web
There are a few variations of the script. Examples (in a graphic) :
examples of iframe injection scripts
What they do:
They create a hidden iframe (inline frame) that contains the malicious code. What happens after that I am not sure – I have not experimented with the infection. I assume that if a PC is infected (i.e. it gets past your anti-virus software), it will execute a malicious code originating from another site/server and dump some malware on your PC.
How it spreads:
From what I read, here’s how I understand it. Somebody with an infected PC accesses their website via either their hosting control panel, or by FTP. The script/virus then activates and scans your site for certain page names (index, etc.) and inserts itself into your page.
It is possible it also spreads directly from server to server, or servers are deliberately infected by a hacker.
It is also apparent that the virus, once it gains entry into a web server, can infect ALL websites hosted on that server.
Vulnerabilities:
It appears that this is a Windows Server security vulnerability, and “possibly” more likely to happen to Cold Fusion sites. If your site is using shared hosting, then your site is vulnerable to attack from other infected sites on the same server.
What To Do:
- Make sure to notify your web host that your site has been infected with the iframe injection.
- Do a virus scan of all PCs with control panel and FTP access to your site and make sure they are clean.
- Change your hosting admin, control panel, FTP and database passwords.
- Check the file permissions on your server – most likely the infected files have incorrect security settings (writeable when they shouldn’t be.) Contact your hosting company if you need help with this.
- Delete or rename the infected file (to something like index041109.html.bak)
- Re-upload a clean version of your page.
- Keep checking. I have seen this infection happen to the same site a second time, after the first time I cleaned it up. If your PC is clean, you just keep renaming the bad file and re-uploading a clean file until the hosting company closes the security gap. (Complain loudly if this doesn’t happen within a couple of weeks.)
If you discover your site flagged as possibly dangerous in Google results, clean the site. If you already have Google Webmaster Tools set up for your site, log in and from there you can request a review of your site.
If you do not have Webmaster Tools set up, use your browser to go to:
http://google.com/safebrowsing/diagnostic?site=YourSiteHere.com/
(Inserting your site name of course). The resulting page will give you further information and help for getting your site reviewed and SE results corrected.
From there you can also follow a direct link to Webmaster Tools. If you have not set it up for your site, you really, really should. Get your site cleaned, then get a Google Login, then follow the link after you run the Google diagnostic above. It’s free, very useful, and you won’t get any spam as a result. Note: the Webmaster Tools setup requires that you insert a verification html file into your site – so don’t do the setup until you have cleaned up your site and you’ve got “safe” access to your site via control panel or FTP.
Following are a couple of explanations by others that I found to be particularly helpful:
http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
I certainly hope you don’t encounter this problem. But if you do, I hope my information will help you!
on May 6th, 2009 at 12:07 pm
Hi have a NASTY virus on my PC: / Win2000 machine.
Whenever a file is OPENED, if the virus sees:
It inserts an
I have erased the disk gone back to a older copy of my OS – but it is still there.
It is incredible if from dos (cmd) you enter:
Type .htm (or txt or what ever with the
then an iframe is inserted…
– HELP – anyone know a fix / cure?
on May 25th, 2009 at 9:42 am
Hello Raphael,
Apologies for late reply. I was overseas for 3 weeks.
This problem is beyond my technical expertise. But you may need to search all your .htm or .html files for the infection scripts and manually delete the lines of code. I am not sure.
You might have to take your PC to a repair shop for a professional cleaning, and new anti-virus software.
Regards,
Fiona