HTML:Iframe-inf WordPress Infection

If your blog has been infected by the HTML:Iframe-inf infection according to avast, here are two scripts that can help you.

First, what is the HTML:Iframe infection? It's just a line of text that is inserted at the end of every index.php and/or index.htm in your website. Nothing to freak out about, but you want to fix it. And it's probably due to WordPress not being secure.

Anyway, here is what you do. This is something you run on the command line.

You will need to find infected files first (-print0 and -0 keep file names that contain spaces intact).

find / -type f -print0 | xargs -0 grep -l '<iframe' 2>/dev/null

Or you could print out a list of possibly compromised files by typing

find / -type f -print0 | xargs -0 grep -l '<iframe' 2>/dev/null >infectedFileslist.txt

The first step is figuring out what is going on with your virus infection.

If you know the time frame of when the virus ran then you could narrow the list of infected files even more by tweaking the find command.

Let's say you know it infected your website about 5 days ago.

Then you would modify the find command to search all files modified less than 10 days ago.

find / -type f -mtime -10 -print0 | xargs -0 grep -l '<iframe' 2>/dev/null >infectedFileslist.txt

Remove infected text

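find / -type f -mtime -10 -print0 | xargs -0 grep -lZ '<iframe' | xargs -0 perl -pi -e 's/^.*\<iframe.*$/ /g'

Here is an explanation of what the script does, part by part, so you can adjust it for your situation.

find / -type f -mtime -10 -print0 : looks for all files that were modified in the last 10 days (adjust as needed) and prints their names NUL-separated, so names with spaces survive

xargs -0 grep -lZ '<iframe' : of that list of recently modified files, keeps the ones with a line that contains <iframe (-Z keeps the output NUL-separated for the next xargs)

xargs -0 perl -pi -e 's/^.*\<iframe.*$/ /g' : edits each of those files in place, replacing every line that contains <iframe with a blank space. Anything else on that line is removed too.

You can modify the script line by line to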

Domreg: Downtime for maintenance

We have scheduled a downtime on account of emergency hardware upgradation. In order to minimize the impact faced by you, we will be carrying out this activity over the weekend.

Date: Sunday, May 17th, 2009
Start Time: 11:30 WIB
Estimated Duration: 1 hour

During this maintenance the domain control panel will cease to function. We apologize for any inconvenience caused by this.

Please feel free to contact us for any further queries regarding this scheduled maintenance.

Thank you


Cleaning iframe injection out of index.html and index.php files

There are many causes of iframe injection. The most common is an FTP password that is easy to guess! Another is a hole/bug in the software you have installed in your account. For example, if you have an old version of WordPress or Joomla, someone will exploit the existing hole/bug to inject iframes into your files. So make sure you create an FTP password that is not easy to guess, and update the software you install often.
If your account has already been injected with iframes, use the following command to clean them out of your files. We give an example for index.html or index.php files only. You can modify it as needed. Make sure you have made a backup before running the command.

cd /home/username/public_html && find ./ \( -iname 'index.html' -o -iname 'index.php' \) | while IFS= read -r file; do sed -i 's/<iframe.*<\/iframe>//g' "$file"; done &

Hope this helps.
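The perl one-liner in the first post blanks every line that contains `<iframe`, and the sed command above deletes everything from the first `<iframe` to the last `</iframe>` on a line, so both also remove embeds you put there yourself. As an added example (not from the original posts), the script below previews the matches first, keeps a `.bak` copy, and deletes only iframe elements whose opening tag contains a marker you pick from the preview; the function names, the marker argument and the sample hosts `bad.example` and `videos.example` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names, the MARKER
# argument and the sample hosts (bad.example, videos.example) are assumptions.

# list_suspect DIR [DAYS]: files changed in the last DAYS days (default 10)
# that contain "<iframe".
list_suspect() {
    find "$1" -type f -mtime "-${2:-10}" -exec grep -l '<iframe' {} + 2>/dev/null
}

# preview DIR [DAYS]: print file:line:text for every match, changing nothing,
# so the injected tag can be told apart from embeds you placed yourself.
# /dev/null is passed as an extra file so grep always prints the file name.
preview() {
    find "$1" -type f -mtime "-${2:-10}" \
        -exec grep -n '<iframe' /dev/null {} + 2>/dev/null
}

# clean_file FILE MARKER: keep FILE.bak, then delete only <iframe> elements
# whose opening tag contains MARKER (for example the host seen in preview).
clean_file() {
    # Escape regex metacharacters and the "/" delimiter in MARKER.
    esc=$(printf '%s' "$2" | sed 's|[][\.*^$/]|\\&|g')
    cp -p "$1" "$1.bak" &&
        sed "s/<iframe[^>]*${esc}[^>]*>[^<]*<\/iframe>//g" "$1.bak" > "$1"
}

# make_sample DIR: constructed page with one wanted and one injected iframe.
make_sample() {
    mkdir -p "$1" && cat > "$1/index.php" <<'EOF'
<?php echo "home"; ?>
<p>Demo</p><iframe src="https://videos.example/embed/1" width="560"></iframe>
</html><iframe src="http://bad.example/in.php" width="0" height="0"></iframe>
EOF
}
```

Run `preview` on the web root, pick the marker from its output, then call `clean_file` on each path that `list_suspect` reports.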