

IFrame code injection by Virus/Trojan, What's the solution?
By Richard Clark
05-Aug-09

If your website has been attacked and you see malicious code being injected into your scripts, this article will help you find and get rid of the trojan/spyware responsible.

What's the problem?

Thousands of websites are attacked on a daily basis. Malicious code is injected into PHP, JavaScript and HTML scripts, and website visitors download that code and go on to infect others.

Who is compromised?

Your computer is compromised; don't blame your hosting company for this.

How does it work?

When you open a website (most probably in IE) that is infected with malicious code, your browser downloads the malicious code (a trojan/spyware) from the URL specified in the iframe tag (sometimes your browser also opens Acrobat Reader). Most anti-virus products don't detect this trojan; some only give a warning but don't block it. Once your computer is infected, the trojan residing on it steals your FTP passwords when you type them into your FTP program. Using these FTP accounts, the trojan scans all the directories on your FTP server and finds files having any of the following words in their name:
  • main
  • default
  • index
  • home
The trojan then injects malicious code into these files, which in turn infects the users visiting your website.

Are you also infected?

To check whether your computer is infected, download HijackThis, the free utility from TrendSecure's website: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

HijackThis is a utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.

After you have downloaded and performed a scan, locate the highlighted entry shown in the image below.

[Screenshot of the HijackThis log with the relevant entry highlighted]

HijackThis may flag other suspicious entries, but the entry above is a sure sign of the trojan that is infecting your websites.

How to remove this trojan?

Fix all the suspicious entries indicated by HijackThis. If you find an entry ending with AcroIEHelper.dll, then your computer is definitely infected with the trojan. Fix this entry with HijackThis and also remove AcroIEHelper.dll from your computer; the file will be located in the Acrobat Reader directory. After deleting this file, restart your computer and scan again with HijackThis. If you find this entry again and you are unable to remove it, you should install a fresh copy of Windows.

After cleaning your computer, change your FTP passwords and use the following PHP script to find infected files on your server. The script recursively scans all the directories and finds malicious code inside PHP, HTML and JavaScript files. Upload this script to the root directory of your server and simply run it from the browser.
virus-detect.php.txt (rename it to .php before uploading it to your server)
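As an added example (not the article's virus-detect.php and not code from the author), here is a Python scanner that does what the two sections above describe: it walks the web root recursively, inspects PHP, HTML and JavaScript files, marks hits in files named main/default/index/home (the names the trojan targets), and reports unreadable directories instead of aborting. The iframe heuristics (zero-sized or hidden iframes, and iframes written by document.write) are this example's own assumption, not the page's script.

```python
import os, re, tempfile
# From the article: extensions its PHP script inspects, and the file-name
# stems the trojan singles out for injection.
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js"}
TARGET_STEMS = {"main", "default", "index", "home"}
# Heuristics for injected iframes (this example's own assumption, not the
# page's script): zero-sized or hidden iframes, and iframes written by script.
PATTERNS = [
    ("hidden-iframe", re.compile(
        r"<iframe\b[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)),
    ("document-write-iframe", re.compile(r"document\.write\s*\([^)]*iframe", re.I)),
]

def scan_text(text):
    """Return [(pattern name, 1-based line)] for every hit in text."""
    return [(n, text.count("\n", 0, m.start()) + 1)
            for n, rx in PATTERNS for m in rx.finditer(text)]

def scan_tree(root):
    """Recursively scan root; unreadable entries are reported, not fatal."""
    findings = []
    on_error = lambda e: findings.append({"path": e.filename, "error": str(e)})
    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for fn in files:
            stem, ext = os.path.splitext(fn)
            if ext.lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError as err:
                findings.append({"path": path, "error": str(err)})
                continue
            for name, line in scan_text(text):
                findings.append({"path": path, "pattern": name, "line": line,
                                 "target_name": stem.lower() in TARGET_STEMS})
    return findings

def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog"))
    samples = {  # constructed sample content (one injected index.html, one clean file), not from any real site
        "index.html": '<html>\n<body>hi</body>\n<iframe src="http://example.invalid/x" width=0 height=0></iframe>\n</html>',
        "blog/about.php": "<?php echo 'clean'; ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

A plain, visible iframe is deliberately not reported; a test injection has to be zero-sized, hidden, or written from script to trigger a finding.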

Comments
Dániel Dékány
[11-Aug-2009]
#1

Note that this malware can steal FTP passwords used on clean computers too (see: http://soyouwillfindit.blogspot.com/2009/08/virus-steals-ftp-passwords-and-insert.html). This can cause some surprises after cleaning the computer from which the FTP account was used and changing the password... another infected computer on the LAN can still steal the new password.

Kalyan
[13-Aug-2009]
#2

My site is also infected with some iframe virus. I followed all the above steps. I found the .dll file after scanning with the HijackThis software, which I removed, and after a restart of the system there is no such file. Thx for this tutorial, and let me check whether this solved my problem or not with fingers crossed.

Webber
[13-Aug-2009]
#3

Thank you i will try this...

Kaushik
[18-Aug-2009]
#4

I tried this but there is still an 'application extension' by the same name. This does not get deleted. Is this ok..?

subi
[23-Aug-2009]
#5

The script is not working. It says: Fatal error: Call to a member function read() on a non-object in /home/****/public_html/virus-detect.php on line 5

brian
[26-Aug-2009]
#6

This script never fails.... what is it exactly looking for? I tried "testing" it with a made up iframe and it doesn't detect,...

jimmy
[13-Oct-2009]
#7

This is happening to me also in Leopard (Mac). Can this trojan work on a Mac, or is the server (hosting company) the one who is infected? If this may happen on a Mac, the trojan must have another extension instead of .dll, doesn't it? Thanks

balu
[03-Nov-2009]
#8

Hi, this is a very good article. I keep this article in my forum also, www.hackerswings.com. Thank you.

boballoo
[07-Nov-2009]
#9

I was also infected with this and had a very tough time getting rid of the AcroIEHelper.dll file and associated registry entries until I changed permissions on all of them. For registry entries, right click and choose Permissions > Allow all. For the dll files, right click and choose Properties > Security > Allow all (sometimes you will have to click Advanced and then Allow all).

Sasikiran
[19-Nov-2009]
#10

Hi, the code you provided is very good except for a slight modification. The code is not working as it is. You forgot to read the file before you pass it to the preg_match function. I added the missing parts. Add the following code after line 12:

    //------------------------------------
    // read the whole file into $contents before passing it to preg_match
    $contents = '';
    $file = fopen($entry, "r");
    while (!feof($file)) {
        $contents = $contents . fgets($file, 4096);
    }
    fclose($file);
    //--------------------------------

S.Anbarasu
[26-Nov-2009]
#11

I also suffered from the script injection, and this article is very useful to me to protect myself.

astpne9
[18-Jan-2010]
#12

Well, I have also written an article on my blog. There is a script in PHP which automatically scans and cleans your hosts and all index files infected with an iframe code. It is easy to use; if you would like, you can include it in your site. My post URL is
http://hotfixes.edibra.com/webmasters/clean-iframe-virus
