Iframe attack on websites

If you are regular visitor of my site, you might see some ups and downs in my blog. Last couple of weeks I am trying to fix the problem and solution. Even I have changed my server. Tried a lot of security fixes. But all become fail.

What was the problem?

The problem was inserting iframe (inline frame) html tag to my blog. It came automatically and I could not find any reason how it can insert in the html. If you are using wordpress as your blog, it will try to insert iframe on each index.php files. If it is successful, an iframe html come on your web pages. Most of the cases, it is visibly hidden. Otherwise your webpage will produce syntax errors. It is not only for wordpress blogs, but also it may affect plain static html sites or other markups. If it is affected to a static site, then the google will produce the warning that the site is affected. It looks like something like this


(it may vary depends upon you os / browser) .

Each time when I found a problem I will upload the files from my PC. After some hours I will find again that it is get affected. Too annoying right?

The solution

I made a lot of researches, in the first time I thought that it was a server problem, as they were changing their server machines. So I thought like that. After they get rid of with the problem, myself tried to find the problem. Later I found that it is called Iframe attack.

I googled for it and found that it is coming from my PC only. Yes the culprit was my local machine. My windows machine was affected with some Malware and it is doing all these nasty things. If you are using ftp it will intrude through that.

I immediately switched over to Ubuntu and cleaned up my web folder. I deleted all the files and uploaded latest wordpress version. I have changed my ftp username and password. Before that I took back up of my theme also. Now I become  an Ubuntu fan. No more windows. Yes there is another reason for using Ubuntu ;).

I never faced the Iframe attack after that. Waiting for some feedback. Have you ever faced this type of problem. Please put some comment or share with me through twitter.

Tags: , , ,

10 Responses to “Iframe attack on websites”

  1. Nitesh patel Says:
    August 15th, 2009 at 1:45 pm

    nice sir actually my friend was also having the same problem but can’t guess this thanks for sharing this will benefit many

  2. Thomas J. Raef Says:
    August 27th, 2009 at 2:34 pm

    It’s great that you make this publicly available. We’ve found that even some Mac users are being affected by the same virus (which they all deny at first). Think of all the people who are in corporate jobs that can’t switch to Ubuntu. They’re stuck with Windows.

    For these people we’ve found that if they use a different anti-virus program from what they’re currently using, the new AV can find the virus and eliminate it.

    From what we’ve been told, the AV vendors have a difficult time keeping up with all the new variants of viruses so they started creating generic signatures which are ill-equipped to block the many variants of viruses.

    So a PC user visits a legitimate site, gets infected and their AV doesn’t know how to detect it. Then the virus learns what AV is installed and hides from it.

    That’s why installing a different AV has worked well. Or, if possible, they could also switch to Ubuntu as you did.

  3. observer Says:
    August 27th, 2009 at 7:01 pm

    Though that specific virus might not work on some UNIX based OS, you still can get compromised when using FTP since FTP is a protocol which in fact transfers your login credentials (including, yes, your password!) in an UNENCRYPTED (plain) way. Only thing you need to capture this behaviour is a tool like Wireshark. There is alternatives like Secure FTP (or using SSL), though.

  4. James Says:
    September 4th, 2009 at 8:22 pm

    I posted some steps to prevent this type of attack.

  5. jerem Says:
    September 11th, 2009 at 3:52 pm

    After the attack, some software can hepl you to clean your server by renooving the malicious iframe automaticly, the one i use is not free, but similar free appliz start to be disctribute by some developpers.
    Fill free to take off the link if you don’t want promote on your site. http://kawablog.com/scarabox/product.php?id_produit=1&id_rub=2
    good luck with this mess !

  6. Harsh Agrawal Says:
    September 17th, 2009 at 8:31 pm

    Damn i never realize infected system can also be a big reason for iFrame insertion… Time to strengthen my Anti Virus.

  7. Sid Says:
    September 18th, 2009 at 6:21 pm

    My frns windows mobile blog ws infected with a iframe injection attack.

  8. bbsnetting Says:
    September 21st, 2009 at 5:16 pm

    The first thihThe first thing you will notice is your web is loading slow.First thing change your FTP Password with a strong one. Then go to your web and in the coding find the script and remove it Check all the web pages in your web sites.Update them .Change password like this two three times. Don’t keep your password the script will find it.

  9. chaitu Says:
    October 20th, 2009 at 5:23 pm

    is it possible to easily uninstall ubuntu …… :(

  10. darshana Says:
    February 23rd, 2010 at 9:04 pm

    i am the student of k.k.wagh polytechnic me & my group members tejashree gawade& sagar vaishnav find sollution for this on server side…….