Knowledge Base » Blog Archive » Website infected with an IFRAME or malware script

Website infected with an IFRAME or malware script

May 25th, 2009

Websites infected with an IFRAME or malware script

IFRAME and java script based malware infections are growingly common these days. These infections normally occur either through leaked FTP passwords or machines infected with virus / malware that adds these lines of code on files uploaded. Most of the time, it is through a leaked FTP password obtained from an insecure system.

Hackers setup normal looking websites (or use a previously hacked website where the owner is unaware of the malware) and setup expensive keylogging and hacking tools like Mpack. When a user vists the site, it scans the browser for history, passwords and other such critical information. The visitor who is unaware of the keylogger inadvertantly sends passwords and other details to the hacker who then has access to the vistors FTP details. Once the hacker obtains the FTP login details, an automated program or script is then used access the persons website and add hidden iframe or javascript code to the compromised website. Since this gets done through FTP, the user remains unaware of the hack or compromise and no matter what permissions are set, the hacker is able to write to the users website files.

This hacked website is then used to further spread the attack when a visitor opens it and accesses the hidden iframe content. This is a growing issue and thousands of websites are infected almost on a daily basis through this method.

Prevention:
1. Keep your computer operating system up to date at all times. Always download available OS security updates at the earliest.
2. Do not use Internet Explorer to FTP your website. Use a seperate FTP program like Core FTP or WS_FTP
3. Avoid saving passwords in the browser, specially FTP passwords. Do not FTP from a public or insecure connection.
4. Change passwords frequently and set a strong alphanumeric password.
5. Install an antivirus and keep it updated. Avast is a good free antivirus program for home / personal use and can be downloaded from www.avast.com
6. Avoid suspicious websites
7. If you receive an email from an unknown person with an attachment do not open it.

Cleaning up after an infection:
1. Take your site offline and put up a maintenance page on your website to avoid getting it blacklisted by search engines.
2. Format and secure your machine with a reliable install disk or use a fresh installed, OS updated computer with an updated antivirus.
3. Change FTP and other related passwords.
4. Delete all files and upload clean content – verify that the files you are uploading are not infected by checking for unknown Java script or iframe code normally found near the body tag in the code and at the end of the file. If a backup copy is unavailable, check code of files on the server for the same and delete the malware lines of code.
5. Take steps listed in prevention above to avoid repetition of such issues.

Site is black-listed by google / firefox / chrome
1. Follow steps in Cleaning up after infection
2. Follow steps in Prevention
3. Verify that no malware is present in your website
4. Follow http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html

Other related links
http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html
http://googlewebmastercentral.blogspot.com/2008/08/hey-google-i-no-longer-have-badware.html