fields marshall

HTML:Iframe-inf wordpress Infection

March 2, 2009 · Filed under techtips, webtips

If your blog has been infected by the HTML:Iframe-inf  infection according to avast here are two scripts that can help you.

First What is the HTML:Iframe infection? – Its just a line of text that is inserted at the end of every index.php and/or index.htm in your website. Nothing to freak out about but you want to fix it. And Its probably due to wordpress not being secure.

Anyways, here is what you do : This is something you run on the commmand line – See the video below for an idea.

You will need to find infected files first.

find / -type f | xargs grep -l '<iframe'  2>/dev/null

or you could print out a list of files possibly comprimised. 

by typing 

find / -type f | xargs grep -l '<iframe'  2>/dev/null >infectedFileslist.txt

The first step is figuring out what is going on with your virus infection.

If you know the time frame of when the virus ran then you could narrow the list of infected files even more by tweaking the find command.

Lets say you know it infected your website about 5 days ago.

Then you would modify the find command to search all files modified less than 10 days ago.

find / -type f -mtime -10 | xargs grep -l '<iframe'  2>/dev/null >infectedFileslist.txt

More info on the find command here

http://content.hccfl.edu/pollock/Unix/FindCmd.htm 

my short version
find . -mtime +5 -mtime -10 # find files modifed between 5 and 10 days ago

Ok so now you have a list of infected files ... This is VERY HELPFUL as you are halfway there to cleaning up your server.

Remove infected text

find / -type f -mtime -10 | xargs grep -l '<iframe'| xargs perl -pi -e 's/^.*\<iframe.*$/ /g'

Here is an explanation of what the script does line by line so you can adjust per your situation.

find / -type f -mtime -10  - looks all files that were modified in the last 10 days ( you adjust as needed)
xargs grep -l '<iframe' - of  that list of files modified recently look for a line that says <iframe
xargs perl -pi -e 's/^.*\<iframe.*$/ /g'   - search and replace that line with a blank space

Understanding this last line - perl -pi -e is important -- http://www.linux.org/lessons/short/perlpie/perl_pie.html  

You want to be sure that you know whats going on there because this is where the search and the replace happens -

Check out this article -- http://www.linux.org/lessons/short/perlpie/perl_pie.html  

You can modify the script line by line to

Here is a video explaining this:[youtube]http://www.youtube.com/watch?v=HXzLgY2f01U[/youtube]

Leave me a comment if this helps you !

What you can do afterwards to prevent more virus attacks

• Find a webhost that will help you restore instead of going through all this fixing
• Secure your wordpress installation – google wp security wordpress plugin
• Check out this plugin to monitor your system- http://mattwalters.net/projects/wordpress-file-monitor/
  
• Remove unused themes
• Update wordpress
• Stop Badware – http://www.stopbadware.org/home/security
• Update and remove unknown and unpopular plugins

 

Update April 12 , 2011.

The free version of Avast has been generating false positives with this HTML-inf infection.  I have just turned mine of for a few days and I hope they fix the problem. Traffic has spiked to this website for this term so its not just me !
On another note — if you do really have this infection – you will need to clean and secure your website — Maybe hire someone on scriptlance, rent a coder or elance might be your best bet as it can be technically intimidating.

Share and Enjoy:

• 
• 
• 
• 
• 
• 
• 

Fields Marshall is a web developer and Google Adwords professional located in Pucon Chile. If you found this article helpful, please consider linking to it it or sharing it with someone else. Any comments ? Please leave them below.

Related Articles

• Installing Analytics on a Large Website
• 5 Simple Strategies To Quickly Backup WordPress Blogs
• Remove Domain Ads From The Google Content Network
• How To Count Inodes For Each Directory
• How to Automatically Login with Putty

28 Comments »

1. bigdiens Said,

   March 21, 2009 @ 6:06 am

   where shoul I type this command, in a new HTML or PHP file or …?

2. fields.marshall Said,

   March 21, 2009 @ 3:09 pm

   Bigdiens,

   I put a video up there explaining it as people seem to be searching for this info a lot. This is something you type on the command line. If you are on windows – Putty for example.

3. Bin Said,

   March 31, 2009 @ 2:51 pm

   fields marshall,

   Your script is useful !! But it erases the whole line. Because of that, it deletes the /html tag. I don’t if I’m right:

   I use the key phrase “google-stat”, since it’s part of the texts (iframe src=”hXXp: //google-stat. com /tomi/?t=2″> style=”display:none”>/iframe) in my infected files. I added some spaces in the url, so that nobody clicks it by mistake.

4. fields.marshall Said,

   April 9, 2009 @ 9:24 pm

   Yeah it does erase the whole line however when I looked at the source code the virus inserted a new line also so it didnt matter but somethign to be aware of

   Thanks for the comments

5. How to remove IFrame Trojan? | TechyShell.com Said,

   April 14, 2009 @ 9:53 pm

   [...] and many things were tried. I found another good article regarding IFrame removal written by Fields Marshall. But everything went in vain, everytime I remove that IFrame tag and upload the modified file, it [...]

6. fields.marshall Said,

   April 15, 2009 @ 1:51 am

   I have just updated this with new code .. So this should be more helpful. I see im getting lots of visits per this issue

7. Ww Said,

   April 21, 2009 @ 9:26 am

   For some reason, when I try using putty for my http://ftp.domainname.nl it gived an error. Any idea why? I’m no good at this

8. fields.marshall Said,

   April 21, 2009 @ 4:57 pm

   Hi WW,

   You will need to contact your webhost on to access your website with SSH. Almost all webhosts allow you to do this and they should be able to give you instructions. I hope that helps you.

9. TechyShell.com » Blog Archive » How to remove IFrame Trojan? Said,

   April 29, 2009 @ 5:01 am

   [...] and many things were tried. I found another good article regarding IFrame removal written by Fields Marshall. But everything went in vain, everytime I remove that IFrame tag and upload the modified file, it [...]

10. Geo Briegal Said,

    April 29, 2009 @ 5:11 pm

    Dear friends, someone is playing around… I find on my sites the same virus problem, so called “ifame-inf”. In fact, on everything start with index.html or index.php, in all site, the last script line was modified with something like “echo “”;. Don’t click on the link above!!!! Just delete this line and save your index.html (php). Good luck!

11. Geo Briegal Said,

    April 29, 2009 @ 5:14 pm

    …well… it seems i can’t post the content of the line… Anyway, it contain “xtrarobotz.com”

12. fields.marshall Said,

    April 30, 2009 @ 1:14 pm

    Geo,
    Sorry that happened. Somehow your website got infected with that virus. It could be your local computer that got affected or maybe your website runs an old version of wordpress or your plugins are not updated. The xtrarobtoz.com name doesn’t really matter, its different on each virus.

13. Fireisland.no angrepet? - Webforumet.no - Webmaster forum Said,

    May 3, 2009 @ 5:56 pm

    [...] HTML:Iframe-inf wordpress Infection | fields marshall… stress! Jaja, slik g?r det n?r ein ikkje tek bryet med ? dobbelsjekke at open source CMS er sikra.. [...]

14. Cheval de troie JS:Packed-T [trj] et malware ‘HTML/Iframe-inf’ | WordPress tuto Said,

    May 3, 2009 @ 9:19 pm

    [...] Field Marshall il s’agit simplement d’une ligne de texte qui s’est introduite à la fin des [...]

15. GranPaSmurf Said,

    May 5, 2009 @ 12:45 pm

    Thanks for the explanation & suggestions. I do not have WordPress; we have no idea where the infection came from.
    Dreamhosters support has been very helpful. Thankfully we caught it before any of our clients reported it to us!
    Now we three users are strictly SFTP, and folders, like an old Jabber experiment we never implemented, are purged.

16. fields.marshall Said,

    May 5, 2009 @ 2:10 pm

    Hi GrandPa Smurf,

    Yes, I have seen the infection on servers without wordpress. On shared hosting if the infection can get in with one website then it seems to be able to access other websites and spread to others.

    Glad the script was helpful

17. Victor Said,

    May 22, 2009 @ 1:50 pm

    I think this is the simpliest solution to remove iframe-inf after you have found the infected text. Works 100%.

    find ./ -type f -exec sed -i ‘s///’ {} \;

    Just replace the iframe src addres with the one from your infected text. Use regex on click=.*. Run the command from /home directory to remove the virus from all website files.

    Good Luck!

18. Victor Said,

    May 22, 2009 @ 1:52 pm

    Sorry but i can’t add the full code because this doesn’t support url in comment.

    find ./ -type f -exec sed -i 's///' {} \;

19. Max Said,

    May 28, 2009 @ 5:10 am

    what’s a command line and how do you access it

20. fields.marshall Said,

    June 19, 2009 @ 5:08 pm

    Victor thanks for your comments..

    Email me your SED code and I will place it .. You think this is better than perl ?

    Max you would need to talk to your hosting provider to get command line access

21. ????? ???????? – ???? ????? iframe injections ??????? SSH | ?? ????? Said,

    June 21, 2009 @ 7:57 pm

    [...] ????? ????) ?????? ???? ???? ?? ????? ??? ????? ?? iframe, http://fieldsmarshall.com/htmliframe-inf-wordpress-infection/ ?? ?????? ????? ??????? ????? ??? [...]

22. HTML:Iframe-inf fun….not Said,

    July 2, 2009 @ 12:13 am

    [...] days ago, which helped me a treat, but also returns more files that are ok than the ones infected: here The shell scripts this guy has created, did help me track the bits i needed to remove which was a [...]

23. Como limpar o maldito vírus IFrame que infectou o seu blog na plataforma Wordpress – WP (vírus de blogs) | Rei da Cocada Preta Said,

    July 12, 2009 @ 5:08 pm

    [...] para limpeza usadas neste tutorial: How to remove IFrame Trojan? HTML:Iframe-inf wordpress Infection iFrame Hack on Several WP Sites AntiVirus protection for your blog Using Combofix a guide and [...]

24. 7 Steps to remove Iframe virus from your Wordpress blog | Techno360 Said,

    July 18, 2009 @ 3:41 pm

    [...] How to remove IFrame Trojan? Frame Hack WP on Several Sites Using Combofix to guide and tutorial HTML: iframe wordpress-inf Infection [...]

25. Malware - netzwelt.de Forum Said,

    August 7, 2009 @ 6:44 am

    [...] [...]

26. HFM Solutions Said,

    April 2, 2011 @ 8:12 am

    Where is the video ? Please help me to remove html:iframe-inf virus from my website…

    Thanks

    HFM Soltuions

27. Csurulya Laszlo Said,

    April 12, 2011 @ 7:06 am

    Unbelievable, but yesterday i got a lot of those ) on my pc, having an running and up to date Free AVAST. Right now i’m checking my server too. Beware of free Avast !!!

28. enrique Said,

    September 21, 2011 @ 7:24 pm

    it’s a great helpful thnk u very much!!!

RSS feed for comments on this post · TrackBack URI

Leave a Comment