fields marshall

Website Optimization and Consulting

  • Home
  • Services
  • Contact
You are here: Home / techtips / HTML:Iframe-inf wordpress Infection

HTML:Iframe-inf wordpress Infection

March 2, 2009 by fields.marshall

If your blog has been infected by the HTML:Iframe-inf  infection according to avast here are two scripts that can help you.

First What is the HTML:Iframe infection? – Its just a line of text that is inserted at the end of every index.php and/or index.htm in your website. Nothing to freak out about but you want to fix it. And Its probably due to wordpress not being secure.

Anyways, here is what you do : This is something you run on the commmand line – See the video below for an idea.

You will need to find infected files first.

find / -type f | xargs grep -l '<iframe'  2>/dev/null

or you could print out a list of files possibly comprimised. 

by typing 

find / -type f | xargs grep -l '<iframe'  2>/dev/null >infectedFileslist.txt

The first step is figuring out what is going on with your virus infection.

If you know the time frame of when the virus ran then you could narrow the list of infected files even more by tweaking the find command.

Lets say you know it infected your website about 5 days ago.

Then you would modify the find command to search all files modified less than 10 days ago.

find / -type f -mtime -10 | xargs grep -l '<iframe'  2>/dev/null >infectedFileslist.txt

More info on the find command here

http://content.hccfl.edu/pollock/Unix/FindCmd.htm 
my short version
find . -mtime +5 -mtime -10 # find files modifed between 5 and 10 days ago

Ok so now you have a list of infected files ... This is VERY HELPFUL as you are halfway there to cleaning up your server.

Remove infected text

find / -type f -mtime -10 | xargs grep -l '<iframe'| xargs perl -pi -e 's/^.*\<iframe.*$/ /g'

Here is an explanation of what the script does line by line so you can adjust per your situation.

find / -type f -mtime -10  - looks all files that were modified in the last 10 days ( you adjust as needed)
xargs grep -l '<iframe' - of  that list of files modified recently look for a line that says <iframe
xargs perl -pi -e 's/^.*\<iframe.*$/ /g'   - search and replace that line with a blank space

Understanding this last line - perl -pi -e is important -- http://www.linux.org/lessons/short/perlpie/perl_pie.html  

You want to be sure that you know whats going on there because this is where the search and the replace happens -

Check out this article -- http://www.linux.org/lessons/short/perlpie/perl_pie.html  

You can modify the script line by line to

Here is a video explaining this:[youtube]http://www.youtube.com/watch?v=HXzLgY2f01U[/youtube]

Leave me a comment if this helps you !

What you can do afterwards to prevent more virus attacks

  • Find a webhost that will help you restore instead of going through all this fixing
  • Secure your wordpress installation – google wp security wordpress plugin
  • Check out this plugin to monitor your system- http://mattwalters.net/projects/wordpress-file-monitor/
  • Remove unused themes
  • Update wordpress
  • Stop Badware – http://www.stopbadware.org/home/security
  • Update and remove unknown and unpopular plugins

 

Update April 12 , 2011.

The free version of Avast has been generating false positives with this HTML-inf infection.  I have just turned mine of for a few days and I hope they fix the problem. Traffic has spiked to this website for this term so its not just me !
On another note — if you do really have this infection – you will need to clean and secure your website — Maybe hire someone on scriptlance, rent a coder or elance might be your best bet as it can be technically intimidating.

Filed Under: techtips, webtips

Father to two kids, Web Designer and Programmer Living in Chile Read More…

Pages

  • About Me
  • Contact
  • Services
  • SiteMap

Recent Posts

  • Redirects for Affiliate Links
  • Split Testing Software
  • Installing Analytics on a Large Website
  • 8 Tips for Tracking With Google
  • All You Ever Need To Know About SEO

Blogroll

  • Chile Yoga Retreats — http://avaniyogaretreats.com/
  • Spiritual Retreats
  • Taxi Chiguayante Chile

Copyright © 2021 · Fields Marshall on Genesis Framework · WordPress · Log in