How to remove IFrame Trojan?


Open source means choice and freedom for users who have the skills to download and install software, but it is also prone to attacks because of its insecure nature. PHP and WordPress are also open source and no doubt a great resource for web developers, but they are attractive to attackers as well.

 

Being a blogger, I myself have been using WordPress as a platform for my different blogs, and so far I had not faced any problem. But a few days back some of my blogs got infected by a malware called IFrame. And the funny part was that I was not even aware of the infection, and I still don't know how somebody got this piece of code injected into my blog. One of my IM friends informed me that his antivirus had just stopped him from viewing a page on my blog. He sent me the screenshot.

Avast warning message for Iframe Trojan

I was shocked to realize that my antivirus was updated as well with the latest virus definition files, but it didn't caution me at any time. I had BitDefender installed, which of course I have replaced with AVAST now, and I must say that it has been a great tool, as its high-performance antivirus engine, anti-spyware and anti-rootkit tool, resident shield and self-protection, enhanced user interface and daily automatic updates let me know of the malicious scripts on different websites that I earlier browsed with no knowledge.

Avast warning message for Iframe Trojan

This IFrame malware can, in theory, infect any PHP file, because it is just a piece of code that has to be injected into the file. If you are using WordPress on your blog, the files most likely to be infected are:

index.php in root folder
wp-config.php in root folder
index.php in wp-admin folder
index.php in wp-contents\yourtheme\ folder
default-filters.php in wp-includes folder

It inserts a piece of code at the end of each of the above-mentioned files, right after the closing ?> PHP tag, as shown in the picture below.

IFrame infection

Sometimes it is also found within the PHP code itself, injected using the echo command.

Avast warning message for Iframe Trojan

Here are some issues that you are most likely to face if your site is infected by Iframe malware.

1. You will not be able to log in to your wp-admin; instead it will show you that there is some error in the default-filters.php file.
2. If you browse your site and you do not have any good anti-malware or script-blocking software, then you will probably see that the layout of your site has become like a jigsaw. Page elements could have been moved to different random locations.
3. The height of some elements in the sidebar might have been modified.
4. Your site just does not open; instead it shows a PHP error message.

Removal of IFrame Malware

Removing that IFrame malware was not easy by any means. I searched over the internet and many things were tried. I found another good article regarding IFrame removal written by Fields Marshall. But everything was in vain: every time I removed that IFrame tag and uploaded the modified file, it got inserted again after a while. Now I will list the steps which I followed to finally get rid of that malware. In case your site is infected by IFrame malware, follow the same steps and I hope that eventually you will get rid of it as well.

1. Make sure that you have AVAST installed on your system with the latest virus database files.
2. Scan your PC for infections.
3. Change your FTP account password and also the cPanel password.
4. Upload and overwrite a fresh copy of all WordPress files after making the necessary changes in the wp-config.php file.
5. Download and install TextCrawler, a free utility to find required text in files on your hard drive. It is freeware and very easy to use. TextCrawler is a fantastic tool for anyone who works with text files. It enables you to instantly find and replace words and phrases across multiple files and folders. It uses a powerful regular expression engine to enable you to create sophisticated searches, perform batch operations, extract text from files and more. It is fast and easy to use and, moreover, TextCrawler is freeware!
6. You might have all the files of your theme on your hard drive; if not, then download all files of the theme and search within those files for an iframe tag using TextCrawler. If you find any file containing the iframe tag, then remove those lines which resemble the ones discussed above.
7. Similarly, download all the plugin files that you are using at the moment and scan them for an iframe tag; if found, just remove those lines.
8. Remove all unwanted themes and plugins that you are not using. Do not use poor themes or less popular plugins. People are spreading free themes and plugins for a purpose.
9. After making sure that all your theme files and plugin files are clean, upload them.
10. Browse to your site and wait for any AVAST warning to appear. If everything was done exactly as described, chances are that you will not face any trouble again.
11. Enjoy and if you found this article helpful, please consider linking to it or sharing it with someone else.
12. All comments and suggestions are appreciated.
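
An added example, not part of the original post: steps 6 and 7 search theme and plugin files for iframe tags, and this Python sketch runs the same search over a downloaded copy of the site, labelling each hit by where it sits relative to the PHP tags (after the last ?>, inside PHP code such as an echo, or in template HTML). The function names, the sample files and the placeholder.invalid URL are constructed for illustration, and the tag tracking is a heuristic that does not parse PHP strings or comments.

```python
import re
import tempfile
from pathlib import Path

# Opening iframe tag only; closing </iframe> tags are not counted.
IFRAME = re.compile(r"<\s*iframe\b", re.IGNORECASE)

def classify(text):
    """Return (line, kind) for every iframe tag in one PHP source string."""
    findings = []
    for m in IFRAME.finditer(text):
        pos = m.start()
        last_open = text.rfind("<?", 0, pos)
        last_close = text.rfind("?>", 0, pos)
        if last_open > last_close:
            kind = "inside-php-code"          # e.g. emitted with echo
        elif last_close != -1 and "<?" not in text[pos:]:
            kind = "after-final-closing-tag"  # appended after the last ?>
        else:
            kind = "in-template-html"         # may be legitimate; review by hand
        findings.append((text.count("\n", 0, pos) + 1, kind))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = classify(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed copy of an infected site and scan it."""
    tag = '<iframe src="http://placeholder.invalid/"></iframe>'  # constructed
    samples = {
        "index.php": "<?php\nrequire('./wp-blog-header.php');\n?>\n" + tag + "\n",
        "wp-includes/default-filters.php": "<?php\nadd_filter('a', 'b');\necho '" + tag + "';\n",
        "wp-content/themes/mytheme/single.php": "<?php the_title(); ?>\n" + tag + "\n<?php the_content(); ?>\n",
        "wp-content/themes/mytheme/footer.php": "<?php wp_footer(); ?>\n</body>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

Point `scan_tree` at the folder holding the downloaded site copy; hits labelled in-template-html can be legitimate embeds in a theme and need a manual look before anything is deleted.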


22 Responses to “How to remove IFrame Trojan?”

  1. fields Says:

    Sorry you had trouble with my fix. I updated it to be a little more clear now, but yes, it seems the infection will keep happening unless you clean up website themes, plugins, etc.


  2. spellathon Says:

    Yes Marshall, the infection just keeps coming back. By the way, your article helped me a lot in getting the idea. :)


  3. Yagnaroopaya Says:

    Hi, I read your blog now and then, because I run my own site like your blog, and I was wondering... Do you get tons of spam? How do you control it? :)


  4. Woodster Says:

    Marshall,
    Your article is very beneficial. However, when I tried to ascertain the source of my problem, I came up dry. After a considerable amount of time downloading, 'crawling' through text, re-applying WordPress, and removing themes and plugins, I finally decided to look into the actual WordPress posts stored in MySQL. Sure enough, that is where I found several posts had been hacked and included tags.
    I normally run Avast and that is what first alerted me to a problem. After cleaning out the references from the database, the site now comes up and Avast is happy!


  5. Woodster Says:

    Found out the data stored in MySQL was hacked to include the iframe references. A real bugger, that one!


  6. admin Says:

    Hey Yagnaroopaya, sorry for the late reply, but now I am back on it. Yeah, I get lots of spam comments on my blog, but if you are using WordPress like me then the default Akismet plugin which comes with it will do well for you. Did you try it?


  7. Xiomara Says:

    Good post. I enjoyed reading your blog. I’ve added you to my bookmarks and will be back soon.


  8. Jennifer Says:

    Very interesting post… Would like to use some of this on my blog. Is that ok or not?


  9. Елизавета Says:

    I sent a first post, but it was not published. I am writing a second one. It's me, the tourist of African countries.


  10. AndrewBoldman Says:

    I really liked this post. Can I copy it to my site? Thank you in advance.


  11. NeeT Says:

    Hey Andrew, Yes you can take whatever stuff you want to provided that you will mention my blog there.
    Thanks.


  12. K. Smith Says:

    I’ve learned a lot from this site – I hope you continue writing because I love your stuff!


  13. Como limpar o maldito vírus IFrame que infectou o seu blog na plataforma Wordpress – WP (vírus de blogs) | Rei da Cocada Preta Says:

    [...] for cleaning used in this tutorial: How to remove IFrame Trojan? HTML:Iframe-inf wordpress Infection iFrame Hack on Several WP Sites AntiVirus protection for your [...]


  14. 7 Steps to remove Iframe virus from your Wordpress blog | Techno360 Says:

    [...] How to remove IFrame Trojan? Frame Hack WP on Several Sites Using Combofix to guide and tutorial HTML: iframe wordpress-inf Infection [...]


  15. How to delouse your Wordpress blog. With added Pokemon and pew pew pew noises. Says:

    [...] <http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/> and <http://www.techyshell.com/internet/how-to-remove-iframe-trojan/>. Read them first (but do *nothing* – just take it in) then come back. It’s O.K., [...]


  16. chirag kalani Says:

    Thanks a Lot for this information…..

    Thank you….again…


  17. Aneesh Says:

    First step: change the FTP password
    Step 2: download all files and clean them
    Step 3: upload the files

    Remember: do not save the FTP password in your FTP client.
    If you suspect that your system is infected, format and install the OS, then install a good antivirus + firewall. I suggest Avast free edition and Comodo Firewall.

    We have received many inquiries and we cleaned those infected sites. If your site is infected Please contact us

    Best Regards


  18. Simon Says:

    Try our plugin for iframe badware removal for wordpress blogs


  19. Luca Says:

    Thanks for this thread, guys. I experienced the same problem today and managed to fix it relatively quickly for this website hoteleconomici-oneclick.it/ (you can see it is working!)

    1) Back up everything
    2) Scan the copy of your website downloaded on your local machine using Avast. This will allow you to identify the infected files
    3) Copy a new installation of WordPress following the manual update instructions (here: http://codex.wordpress.org/Updating_WordPress)
    4) Manually clean the files which are not replaced in the update.

    It should work. Good luck!


  20. Todd Says:

    Reply :
    Because this Iframe trojan should have injected some lines of code in many files of wordpress including wp-config, so it is obvious that you have to replace all files, and when you have to replace wp-config then of course you would like to input your mysql database name, username and password into fresh wp-config.php before uploading it. Hope that helps.

    Question: What do you mean in Step 4 when you say, “4. Upload and overwrite a fresh copy of all wordpress files after making necessary changes in wp-config.php file.”

    Thanks!


  21. Mohamed Says:

    I would like to thank you so much, really. You let me solve a big problem. Really, knowledge is power.


  22. Walton Tankesly Says:

    Good job. I agree with you.

