{SOlVED} removing Ifram viruses in pages

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
bydosangel
Joomla! Apprentice
Joomla! Apprentice
Posts: 38
Joined: Wed Nov 28, 2007 8:46 pm

{SOlVED} removing Ifram viruses in pages

Postby bydosangel » Wed Apr 22, 2009 11:23 am

hello
I have found that lots of websites Hacked by an Ifram code in the bottom of every page..
In fact, i found the solution "no did, FOUND" :D :D
1. The first thing to do to prevent these kinds of attacks is to change your ftp, control panel and database passwords as soon as possible.
2. Change the file permissions in your server to the maximum secure mode.
3. Download all your files from the server and check for infections. Clean the infected files.
4. Using a good antivirus software, scan and clean every PC you use for logging into your hosting server.
5. Never use public computers to access your server.

How do I clean infected files?

Use these regular expressions to search for all pages containig the malicious code and replace it with space:

<iframe src=\”http://[^"]*” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>

echo \”<iframe src=\\\”http://[^"]*\” width=1 height=1 style=\\\”visibility:hidden;position:absolute\\\”></iframe>\”;

You may have to write a script to automate this for all the files in the server.

I have cooked up a php script that can help you find out the infected files.
Download the file http://www.diovo.com/wp-content/uploads/2009/04/clean.php.txt, save it as clean.php (it is currently clean.php.txt) and upload it to the root folder of your website.

You may want to change some hardcoded values inside the file.

Then login to the url: http://www.yourdomain.com/clean.php?s=i ... p&c=iframe

The s parameter specifies the file name to search for and the c parameter specifies the text to search for inside the file. The results will be something like:

Clean hidden iframes

It will list all the ”index.php” files in your website and if any of the files contains the given string, it will print the part with the string. In the above screenshot, you can see that one file is infected.

Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites. So as of now you will have to clean the files manually.

Faiz has written an advanced ASP.Net script for this, and it can be found here.

Will my search engine rankings be affected by this attack?

Try to be fast with these steps because if a visitor see the message “This site may harm your computer” pop up when (s)he try to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave way for more sophisticated attacks.

Google will mark your site in it’s search results with a warning: “This site may harm your computer”.

Use the following link to see what google thinks about your website (give the url of your site instead of shopfloorbd.co.uk):

http://www.google.com/safebrowsing/diag ... orbd.co.uk

As mentioned above, you must remove the malware from your local machine using some antivirus software. AVG sees it as “Trojan Horse Downloader” and NOD32 sees it as “JS/Kryptik.B trojan”.

Note that when visiting an infected site, some antivirus softwares prompt you that “Trojan Horse Downloader”, an exe-file is trying to get loaded. Once the exe infects your machine, it will infect your server too.

Here are some more code samples caught from the wild:



Moderator note: Don't put links from malicious sites here, that only helps them!

bunteezone
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Thu Apr 23, 2009 4:06 pm

Re: {SOlVED} removing Ifram viruses in pages

Postby bunteezone » Thu Apr 23, 2009 4:24 pm

Thank you for the directions. Our website is hacked with the same iframe on each webpages. We have tired the clean.php but it does not shows any file listing. Please help!!! We have put all our efforts on designing the website www.sharonministires.in

bydosangel
Joomla! Apprentice
Joomla! Apprentice
Posts: 38
Joined: Wed Nov 28, 2007 8:46 pm

Re: {SOlVED} removing Ifram viruses in pages

Postby bydosangel » Thu Apr 23, 2009 6:07 pm

http://www.yourdomain.com/clean.php?s=i ... p&c=iframe
"don't forget to change "yourdomain.com"

bunteezone
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Thu Apr 23, 2009 4:06 pm

Re: {SOlVED} removing Iframe viruses in pages

Postby bunteezone » Fri Apr 24, 2009 9:50 am

It works!!! I have manually removed the <iframe> codes from all the html and php files, it tooks me several hours as there were 100s of files.

Now the website works fine but, I see the dates are not displaying properly, it show DATE_FORMAT_LC, LAST_UPDATED2 also the in Who's online it does not show the count. Please refer the website http://www.sharonministires.in and advise. I really need you HELP!!!

owetr
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Sun Apr 12, 2009 8:32 pm

Re: {SOlVED} removing Ifram viruses in pages

Postby owetr » Mon Apr 27, 2009 10:05 pm

Nice share thank you very much and i am still working on it :((

bigjules
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 137
Joined: Mon Oct 31, 2005 8:40 pm

Re: {SOlVED} removing Ifram viruses in pages

Postby bigjules » Mon May 18, 2009 4:22 pm

Hi,

I don't know how to find out which malware or virus my domain has. My site is apparently infected as well.

1)Is there a quick bulleted list of files I need to scan through?

2)A preferred way to mass scan each file and what editor to use? I don't have dreamweaver or any sort of professional html/php editor on my laptop.

3)How can I prevent or should be concerned about someone just hacking this again?

Thanks so much, IF YOU WANT TO SEE THE SITE AND I UNDERSTAND THAT WE DO NOT WANT TO ADVANCE MALWARE ********* SO PLEASE UNDERSTAND THAT************ WWW.JDEALS.COM

casper_tm
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Aug 19, 2010 2:40 pm

Re: {SOlVED} removing Iframe viruses in pages

Postby casper_tm » Sun Sep 04, 2011 6:44 am

bunteezone wrote:It works!!! I have manually removed the <iframe> codes from all the html and php files, it tooks me several hours as there were 100s of files.

Now the website works fine but, I see the dates are not displaying properly, it show DATE_FORMAT_LC, LAST_UPDATED2 also the in Who's online it does not show the count. Please refer the website http://www.sharonministires.in and advise. I really need you HELP!!!


Just use Notepad++ and option Find and Replace. Find the code and replace with space.

Regards

lordphoenix
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Jul 31, 2012 11:44 am

Re: {SOlVED} removing Ifram viruses in pages

Postby lordphoenix » Tue Jul 31, 2012 11:45 am

Thank you very much!!!

sarrazola
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Wed Aug 29, 2012 5:55 pm

Re: {SOlVED} removing Ifram viruses in pages

Postby sarrazola » Wed Aug 29, 2012 5:55 pm

Thank you so muchhhhhhhhhhhhhhhhhh, you are a genius ! :D

jaspujari
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Dec 10, 2012 1:16 pm

Re: {SOlVED} removing Ifram viruses in pages

Postby jaspujari » Mon Dec 10, 2012 1:27 pm

Run the following script in the root dir of your Joomla site.
It will clean all the files with the iframe infection, typically with one line appended to all .js files.
=================
#!/bin/bash
for fl in $(grep -rl 'document.write..<iframe src="http://.*<.iframe>..' .); do
sed -i 's/document.write(.<iframe src="http:\/\/.*<\/iframe>.)/ /g' $fl
echo "Fixed " $fl
done
=================
take care of permissions after the cleanup to stop future infections.

cheers
J

click2shop
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Mon Sep 22, 2008 10:56 am
Location: Randfontein SOUTH AFRICA
Contact:

Re: {SOlVED} removing Ifram viruses in pages

Postby click2shop » Fri Dec 21, 2012 9:19 am

jaspujari wrote:Run the following script in the root dir of your Joomla site.
It will clean all the files with the iframe infection, typically with one line appended to all .js files.
=================
#!/bin/bash
for fl in $(grep -rl 'document.write..<iframe src="http://.*<.iframe>..' .); do
sed -i 's/document.write(.<iframe src="http:\/\/.*<\/iframe>.)/ /g' $fl
echo "Fixed " $fl
done
=================
take care of permissions after the cleanup to stop future infections.

cheers
J

Tx a stack jaspujari for posting the script.
I have run it on one of my websites but it just shows a string of question marks ??? across the screen in the top row.

May be I'm stupid as I'm not an expert but how do you use it?

I have copied the code to wordpad and saved it us cleanframe.php then I have uploaded it to the root of my joomlasite and execute it by http://myjoomlasite.com/cleanframe.php
Is that the correct way to use your code?

Thanks again

Cheerio


Return to “Security - 1.0.x”

Who is online

Users browsing this forum: No registered users and 8 guests