IFrame code injection by Virus/Trojan, What's the solution? Here is the Answer

Discussion in 'PHP' started by webcycloneindia, Oct 2, 2009.

  1. #1
    IFrame code injection by Virus/Trojan, What's the solution?
    What's the problem?

    Thousands of websites are being attacked on a daily basis. Malicious code is being injected in PHP, JavaScript and HTML scripts. Website users are downloading malicious code and infecting others.
    Who is compromised?
    Your computer is compromised, don't blame your hosting company for this.
    How does it work ?
    When you open a website (most probably in IE) which is infected with malicious code, your browser downloads malicious code (which is a trojan/spyware) from the URL specified in the iframe tag (sometimes your browser also opens Acrobat Reader). Most anti-viruses don't detect this trojan; some only give a warning but don't block it. So when your computer is infected, a trojan residing in your computer steals your ftp passwords when you type them in your ftp program. Using these ftp accounts, the trojan scans all the directories on your ftp server and finds files having any of the following words in their name:
    main
    default
    index
    home
    The trojan then injects malicious code into these files and also infects the users visiting your website.
    Are you also infected?
    To check whether your computer is infected, you can download HijackThis, the free utility, from TrendSecure's website.

    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

    HijackThis is a utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.
    After you have downloaded it and performed a scan, locate the highlighted entry shown in the image below.

    There could be other suspicious entries indicated by HijackThis, but the above entry is a sure-shot trojan which is infecting your websites.
    How to remove this trojan?
    Fix all the suspicious entries indicated by HijackThis. If you find an entry ending with AcroIEHelper.dll then your computer is definitely infected with the trojan. Fix this with HijackThis and also remove AcroIEHelper.dll from your computer. This file will be located in the Acrobat Reader directory. After deleting this file, restart your computer and scan again with HijackThis. If you again find this entry and are unable to remove it, then you should install a fresh copy of Windows.

    After cleaning your computer, change your ftp passwords and use the following PHP script to find infected files on your server. The script recursively scans all the directories and finds malicious code inside PHP, HTML and JavaScript files. Upload this script to the root directory of your server and simply run it from the browser.
    virus-detect.php.txt (rename it to .php before uploading it to your server)

    Click here to know more
     
    webcycloneindia, Oct 2, 2009 IP
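A scanner of the kind the post describes, added here as an example (it is not the poster's virus-detect.php attachment): it walks a web root recursively and reports lines in PHP, HTML and JavaScript files that match the hidden-iframe and encoded-JavaScript patterns injections of this type leave behind, without modifying anything. The root path, the file extensions and the pattern set are assumptions.

```php
<?php
// Added example, not the poster's virus-detect.php: walk a web root and report
// lines in PHP/HTML/JS files that look like the injections the post describes.
// Report only; nothing is modified. Root path and pattern set are assumptions.
// CLI: php iframe-scan.php /var/www/html   (browser: scans its own directory)

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

$root       = $argv[1] ?? __DIR__;
$extensions = ['php', 'html', 'htm', 'js'];

// Iframes hidden by zero size or CSS, and encoded JavaScript droppers that
// write such an iframe at runtime. Injected code is usually one long line
// appended to a file, so a line-by-line match is enough here.
$patterns = [
    'hidden iframe (zero size)' => '/<iframe[^>]*\b(width|height)\s*=\s*["\']?0["\']?(?![\d])[^>]*>/i',
    'hidden iframe (CSS)'       => '/<iframe[^>]*style\s*=\s*["\'][^"\']*(display\s*:\s*none|visibility\s*:\s*hidden)/i',
    'encoded JavaScript'        => '/(document\.write|eval)\s*\(\s*(unescape|base64_decode|String\.fromCharCode)\s*\(/i',
];

$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);

$findings = 0;
foreach ($files as $file) {
    // Only the file types the post says get infected.
    if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $extensions, true)) {
        continue;
    }
    $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        continue; // unreadable file; skip rather than abort the whole scan
    }
    foreach ($lines as $index => $line) {
        foreach ($patterns as $label => $regex) {
            if (preg_match($regex, $line)) {
                printf("%s:%d  %s\n", $file->getPathname(), $index + 1, $label);
                $findings++;
            }
        }
    }
}
printf("Scanned %s: %d suspicious line(s).\n", $root, $findings);
```

Review each hit by hand before deleting anything, since legitimate embeds can match the iframe patterns, and remove the script from the web root once the scan is done, because anything left there is reachable by any visitor.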
  2. AsHinE

    AsHinE Well-Known Member

    #2
    I have this file in the same location. Just uploaded it to VirusTotal. It's virus-free.

    AcroIEHelper.dll is just an Acrobat extension to IE.
    HijackThis just lists all modules that are integrated in your system. Not all of them are viruses. But some of them can be.
     
    AsHinE, Oct 2, 2009 IP
  3. premiumscripts

    premiumscripts Peon

    #3
    There are hundreds of possible reasons for iframe injection, you do not have "the" solution, you have 1 possible solution for a small percentage of the users.

    Most of the time it's probably because of out-of-date scripts being used that are easily exploited via a web attack.
     
    premiumscripts, Oct 2, 2009 IP