Tuesday, December 29, 2009

IFrame code injection by Virus/Trojan, What's the solution?

SkyHi @ Tuesday, December 29, 2009
If your website has been attacked and you see malicious code being injected into your scripts, this article will help you find and get rid of the trojan/spyware responsible.

What's the problem?

Thousands of websites are attacked on a daily basis. Malicious code is being injected into PHP, JavaScript and HTML files. Visitors to those websites download the malicious code and go on to infect others.

Who is compromised?

Your own computer is compromised; don't blame your hosting company for this.

How does it work?

When you open a website (most probably in IE) that is infected with this malicious code, your browser downloads a trojan/spyware from the URL specified in the iframe tag (sometimes your browser also opens Acrobat Reader). Most anti-virus products don't detect this trojan; some only give a warning but don't block it. Once your computer is infected, the trojan residing on it steals your FTP passwords when you type them into your FTP program. Using these FTP accounts, the trojan scans all the directories on your FTP server and finds files with any of the following words in their name:
  • main
  • default
  • index
  • home
The trojan then injects malicious code into these files, which in turn infects the users visiting your website.

Are you also infected?

To check whether your computer is infected, you can download HijackThis, a free utility, from TrendSecure's website: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

HijackThis is a utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.

After you have downloaded it and performed a scan, locate the highlighted entry shown in the image below.

[Screenshot: HijackThis scan results with the trojan's entry highlighted]

HijackThis may flag other suspicious entries as well, but the entry above is a sure sign of the trojan that is infecting your websites.

How to remove this trojan?

Fix all the suspicious entries indicated by HijackThis. If you find an entry ending with AcroIEHelper.dll, your computer is definitely infected with the trojan. Fix this entry with HijackThis and also remove AcroIEHelper.dll from your computer; the file will be located in the Acrobat Reader directory. After deleting this file, restart your computer and scan again with HijackThis. If the entry comes back and you are unable to remove it, you should install a fresh copy of Windows.

After cleaning your computer, change your FTP passwords and use the following PHP script to find infected files on your server. The script recursively scans all directories and finds malicious code inside PHP, HTML and JavaScript files. Upload the script to the root directory of your server and run it from your browser.
virus-detect.php.txt (rename it to .php before uploading it to your server)
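The linked virus-detect.php script is not reproduced on this page. As an added example (not the post's script and not written by its author), here is a Python scanner built from the behaviour described under "How does it work?": it walks a web root recursively, looks only at PHP, HTML and JavaScript files, flags iframe tags that carry hiding tricks (zero size, display:none, visibility:hidden, off-screen positioning), and lists files named main, default, index or home first, since the post says the trojan targets those names. The sample web root, the example.invalid URLs and the list of hiding hints are constructed assumptions; it is meant to be run from a shell against a copy of your site rather than uploaded and run from the browser.

```python
"""Recursive scanner for injected hidden <iframe> tags in web files.

Constructed example for this post; not the virus-detect.php script it links to.
"""
import os
import re
import tempfile

# File types the post says the trojan injects into.
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js"}

# File-name stems the post says the trojan looks for first.
PRIORITY_STEMS = {"main", "default", "index", "home"}

# Any <iframe ...> opening tag, attributes included.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)

# Hints (an assumption of this example) that an iframe is meant to be
# invisible to the visitor: zero size, CSS hiding, or an off-screen position.
HIDDEN_HINTS = [
    re.compile(r"\bwidth\s*[:=]\s*['\"]?0+(px)?['\"]?", re.IGNORECASE),
    re.compile(r"\bheight\s*[:=]\s*['\"]?0+(px)?['\"]?", re.IGNORECASE),
    re.compile(r"display\s*:\s*none", re.IGNORECASE),
    re.compile(r"visibility\s*:\s*hidden", re.IGNORECASE),
    re.compile(r"\b(left|top)\s*:\s*-\d{3,}px", re.IGNORECASE),
]


def find_suspicious_iframes(text):
    """Return every <iframe> tag in `text` that carries at least one hiding hint."""
    hits = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        if any(hint.search(tag) for hint in HIDDEN_HINTS):
            hits.append(tag)
    return hits


def scan_tree(root):
    """Walk `root` recursively and return (path, is_priority_name, tags) per hit.

    Files whose name stem is one the trojan targets are sorted first so they
    can be reviewed before the rest.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            tags = find_suspicious_iframes(text)
            if tags:
                findings.append((path, stem.lower() in PRIORITY_STEMS, tags))
    findings.sort(key=lambda f: (not f[1], f[0]))
    return findings


def build_sample_tree():
    """Create a throwaway web root with constructed clean and infected files."""
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    samples = {
        "index.html": '<html><body>Hello</body>'
                      '<iframe src="http://example.invalid/x" width="0" height="0"></iframe></html>',
        "sub/main.php": '<?php echo "ok"; ?>\n'
                        '<iframe style="display:none" src="http://example.invalid/y"></iframe>',
        "sub/about.html": '<p>Clean page</p>'
                          '<iframe src="https://example.com/embed" width="600" height="400"></iframe>',
        "assets/app.js": 'document.write(\'<iframe src="http://example.invalid/z" '
                         'style="visibility:hidden"></iframe>\');',
        "notes.txt": '<iframe width="0" height="0"></iframe>',  # wrong type: never scanned
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Scan the constructed tree; pass a real web root to scan_tree() instead.
    for path, priority, tags in scan_tree(build_sample_tree()):
        print("PRIORITY" if priority else "normal  ", path)
        for tag in tags:
            print("    ", tag[:100])
```

The scanner only reports; it never edits or deletes. A zero-sized or hidden iframe is occasionally legitimate, so each flagged file still needs a look by hand, and a clean scan is not proof that nothing was injected, since the hint list only covers the hiding tricks this example assumes.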

Reference: http://www.qualitycodes.com/tutorial.php?articleid=29