HTML:Iframe-inf Removal Instructions
February 8th, 2010
If Avast reports that your blog is infected with HTML:Iframe-inf, here are two scripts that can help you.
First, what is the HTML:Iframe infection? It's just a line of text that is inserted at the end of every index.php and/or index.htm in your website. Nothing to freak out about, but you want to fix it. It's probably due to WordPress not being secure.
Anyway, here is what you do. This is something you run on the command line. See the video below for an idea.
You will need to find infected files first.
find / -type f -print0 | xargs -0 grep -l '<iframe' 2>/dev/null
Or you could save a list of possibly compromised files by typing
find / -type f -print0 | xargs -0 grep -l '<iframe' 2>/dev/null >infectedFileslist.txt
The first step is figuring out what is going on with your virus infection.
If you know the time frame of when the virus ran then you could narrow the list of infected files even more by tweaking the find command.
Let's say you know it infected your website about 5 days ago.
Then you would modify the find command to search all files modified less than 10 days ago.
find / -type f -mtime -10 -print0 | xargs -0 grep -l '<iframe' 2>/dev/null >infectedFileslist.txt
More info on the find command here
http://content.hccfl.edu/pollock/Unix/FindCmd.htm
My short version:
find . -mtime +5 -mtime -10 # find files modified between 5 and 10 days ago
OK, so now you have a list of infected files ... This is VERY HELPFUL as you are halfway to cleaning up your server.
Remove infected text till here source
To find all infected files, use this PHP script: upload it to your root domain and name it clean.php.
http://www.yourname.com/clean.php?c=iframe
This script will show you all files containing the iframe tag, but remember that it is an HTML tag and is used mostly in web pages.
My site has been injected with these tags.
The first one above was injected into PHP files, the second into htm and html files.
I also used this script to remove it from every web page extension.
I used these commands
- find . -name '*.php' -print0 | xargs -0 perl -pi -e 's/echo "<iframe.*?<\/iframe>";//g'
- find . -name '*.htm' -print0 | xargs -0 perl -pi -e 's/<iframe.*?<\/iframe>//g'
- find . -name '*.html' -print0 | xargs -0 perl -pi -e 's/<iframe.*?<\/iframe>//g'
- find . -name '*.css' -print0 | xargs -0 perl -pi -e 's/<iframe.*?<\/iframe>//g'
- find . -name '*.js' -print0 | xargs -0 perl -pi -e 's/<iframe.*?<\/iframe>//g'
After running them, check your web pages one by one; the virus tags will have been removed.
Thanks to SWK and AUK.
