There are definitely a lot of embedded IFRAME attacks going on at the moment! If you’ve been caught out and this code has ended up on your website(s) (see my previous post outlining FileZilla FTP connection user name and password vulnerabilities), then it might be difficult for you to find every last file on your website infected by this malware.

Of course the first thing to do after removing the malware from your PC, changing your FTP passwords and swapping to a different FTP client (?!) is to re-upload all your files to your website. But uploading a whole backup copy of your website is always nerve-wracking: there is always the uncertainty that you HAVE made some minor update that you forgot to back up.

Instead you can scan the website for files containing iframes and intelligently delete those iframes or re-upload just the affected files. By scanning your website again for iframe-infected files after you’ve completed the cleanup, you can also assure yourself that you now have a clean site!

So here’s a script we adapted from some previous work that should help you scan your website for files affected by the embedded iframe virus. It’s written in PHP and you’ll possibly need to edit it to set it up just the way you want it, but it should be self-explanatory – I hope.

  • Unzip it and then copy it to your website document root.
  • Visit the address you uploaded it to, e.g.

It will then show all the files it has checked and highlight any file in which it has found the signature ‘iframe’. Note that this might flag spurious files, as you might have a blog that mentions iframes. You could change the detection signature to <iframe but what if the malware has injected < iframe or < iframe? That is why we just check for iframe: better safe than sorry!

To eliminate spurious files the script will ignore files over a certain size and of certain types (both can be updated in the header of the file). It will also ignore files before a certain date, so if you know the website caught the iframe injection attack on 10/8/2009 then you can set it to ignore files before 1/8/2009; that way, when you scan your website for injected iframes, it will produce fewer false positives.
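The filtering described above (signature match, size limit, skipped file types and cutoff date), sketched as an added example. This is not the original detect-signature.php; the function name, thresholds and sample files are assumptions constructed for illustration.

```php
<?php
// Added example, not the original detect-signature.php.
// Function name, limits and sample files are assumptions for illustration.

function scan_for_signature(string $root, string $signature, int $maxBytes,
                            array $skipExt, int $notBefore): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $skip = !$file->isFile()
            || in_array(strtolower($file->getExtension()), $skipExt, true) // ignored type
            || $file->getSize() > $maxBytes                                // over the size limit
            || $file->getMTime() < $notBefore;                             // older than the cutoff
        if ($skip) {
            continue;
        }
        $body = file_get_contents($file->getPathname());
        // Case-insensitive match on the bare word, so "<IFRAME" and "< iframe" both hit.
        if ($body !== false && stripos($body, $signature) !== false) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree so the example runs offline.
$root = sys_get_temp_dir() . '/iframe-scan-' . uniqid();
mkdir($root . '/img', 0700, true);
file_put_contents("$root/index.html", '<p>ok</p><IFRAME src="http://example.invalid/" width=1 height=1></IFRAME>');
file_put_contents("$root/about.html", '<p>clean page</p>');
file_put_contents("$root/old.html", '< iframe src="http://example.invalid/">');
touch("$root/old.html", strtotime('2009-07-01'));        // dated before the cutoff
file_put_contents("$root/img/logo.png", 'binary iframe bytes');

$cutoff = strtotime('2009-08-01');
$hits = scan_for_signature($root, 'iframe', 512 * 1024, ['png', 'jpg', 'gif', 'zip'], $cutoff);
foreach ($hits as $path) {
    echo 'NOT OK: ', substr($path, strlen($root) + 1), PHP_EOL;
}
echo count($hits) === 0 ? "OK\n" : count($hits) . " file(s) to review\n";
```

The cutoff relies on file modification times, which are not trustworthy after a compromise, so run the final confirmation scan with the cutoff set far enough back to cover every file.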

There are a couple of url parameters that you might find useful; you can use the following forms:

  • detect-signature.php?detect_errors_only
    This will look for any iframes and just display an OK or not OK result.
  • detect-signature.php?detect_errors_only
    This will look for any iframes and display every file it finds one in.

We hope that’s of use to you. If it is, then do link to this article – it helps our SEO a little and it might help other people!

UPDATE: Latest news seems to say that there is a huge increase in attacks from Facebook apps in the first 6 months of this year – take care out there!