I have been using the gopetition website for a few weeks now, but yesterday when I opened up the page, I got a pop up on the bottom of my screen warning me it contained a sample of HTML:Iframe-inf. I have no idea what it is or why; is it a genuine threat? I am then given the option to abort the connection and delete or repair a file in my web browser's temporary folder. Can anyone give me any information or advice on this problem? Thanks
Abort the connection in the web shield alert; you should also get an option to send it to the chest in the standard shield, if not, delete the file in the temp internet folder.
The Web Shield has been very hot on this active threat, where sites are hacked and code inserted. This code then attempts to run code from another site using the inserted iframe tag.
I assume this is the gopetition.com site (it is also on the gopetition.co.uk site). I have visited it and there is a 0x0 (size width/height) iframe inserted between some closing HTML tags (see image), and this, apart from being slapdash, is against general standards. Also, because of the attempt to hide it (0x0), it is suspicious; using an IP address rather than a domain name is also suspect, and this IP is for a domain hosted in Latvia.
Yes, that’s the site. I was wondering because I had been using it for some time with no problems. Thanks for your reply, I have aborted the connection and yes there’s an option to move to chest. I’m not really clued up on these things, thanks.
You’re welcome.
If you know the site owner/webmaster (contact us, etc.) you could try and inform them it looks like their site/s have been hacked.
I sent them an email when I first got the warning to explain what had happened.
They were/are probably unaware of it as avast is one of only a few that are likely to even look for this much less detect it.
Well I just attempted to visit again and this time there was no warning from avast, does this mean it’s safe to use now?
It means that they may have cleaned house, perhaps your email and others sparked them into action.
The iframe tag is no longer there, which pretty much confirms the avast detection.
Oh that’s great, it’s quite widely used, so I’d imagine they got a fair amount of mail about it. Thanks so much again for your help. Much appreciated
No problem, glad I could help.
Welcome to the forums.
Just for information:
Avast detected the iframe-inf on my site and when checking up on this I found that the following line had been added to all “index.php” files:
Checking my log files, I saw that this had been done during two days, June 2nd and June 5th, from the IP address 213.182.197.229, which belongs to ISP “REAL_HOST_NET” in Riga, Latvia.
Welcome to the forums, gols.
Please change http to hxxp in order to disable the live link.
I have had the same problem on one of my websites. I have removed the Iframe coding 3 times now. Google had blocked the site after the last time I removed everything, and had just released it, only for me to discover that they are back again. I have gone into all the index.html and the index.php and deleted what I found, but am still infected and can’t find the rest. It is in my Wordpress blog somewhere.
I am not a techie or coder at all, so when you say to:
Please change http to hxxp in order to disable the live link.
Would you mind explaining this further? How do I go about changing this and still have the pages work?
Thanks for your help.
Simply removing the code isn’t going to work if the underlying vulnerability isn’t also closed.
- This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts. I suggest the following clean up procedure for both your accounts:
- Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
- Remove any “rogue” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
- Check all .htaccess files, as hackers like to load re-directs into them.
- Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to php or a database, which will prevent coding characters from being submitted and run through your software.
Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
Hi gols,
Break that link and make it non-click-able (htxp or wXw) because this site hosted malcode, e.g.:
Malicious software includes 201 scripting exploit(s), 9 exploit(s), 3 trojan(s).
This site was hosted on 2 network(s) including AS44042 (ROOT), AS6849 (UKRTELNET).
The massive attack of web sites was detected in early March.
An unexpected redirection from several sites to some unknown sites was detected in the first week of March. After a server check, an html-code line attached to the end of index.htm was found. The redirection to “hxtp://livelnternet.net/s/in.cgi?3” was set as a non-displayed IFRAME.
A similar fact was found on different sites which do not have any interlinks.
The livelnternet.net domain has been created on February 2, 2009 linked to EVERYDNS.NET DNS service,
polonus
Hi KonaGirl
Would you mind explaining this further? How do I go about changing this and still have the pages work?
Thanks for your help.
CharleyO is referring to post from gols, as with Polonus immediately above.
I have changed gols' text to show what they mean (below) –
Avast detected the iframe-inf on my site and when checking up on this I found that the following line had been added to all "index.php" files:
When you post a link in the forums which points at a suspect site, if you don't modify the URL then it is active, like the first one below; this allows for accidental clicking and exposure to malware.
The second URL below has had the URL modified, changing the http part to hXXp, note that it doesn’t appear as a normal link and isn’t clickable. This stops accidental exposure and a human who would investigate this would know to change the XX back to tt.
- http://www.stopbadware.org/home/security
- hXXp://www.stopbadware.org/home/security
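As an added example (not code from this thread or from avast), here is a small Python checker that does two of the things discussed above: it scans the HTML of a page for iframes that look injected (0x0 size, hidden by style, pointing at a bare IP address, or tacked on after the closing </html> tag, as on the gopetition pages), and it prints each suspect src defanged (http -> hxxp) so it can be pasted into a forum post safely. The sample page and the 192.0.2.10 address are constructed (documentation range), not indicators from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: one legitimate iframe inside the body, plus an injected
# 0x0 hidden iframe appended after the closing tags (placeholder IP, not real).
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.example.com/embed" width="400" height="300"></iframe>
</body></html>
<iframe src="http://192.0.2.10/in.cgi?3" width="0" height="0" style="display:none"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def defang(url):
    """Make a URL non-clickable for a forum post: http:// -> hxxp://."""
    return re.sub(r"^(h)tt(ps?://)", r"\1xx\2", url, flags=re.IGNORECASE)


def parse_attrs(attr_text):
    """Return a lowercase-keyed dict of the attributes inside one <iframe ...> tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def suspicious_iframes(html):
    """Return a list of (reasons, defanged_src) for iframes that look injected."""
    findings = []
    html_close = html.lower().rfind("</html>")
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        reasons = []
        if attrs.get("width", "").strip() in ("0", "0px") or attrs.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero-size")          # the 0x0 trick seen on gopetition
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if IPV4_RE.match(urlparse(src).hostname or ""):
            reasons.append("bare-ip-src")        # IP instead of a domain name
        if html_close != -1 and m.start() > html_close:
            reasons.append("after-closing-html") # inserted past the closing tags
        if reasons:
            findings.append((reasons, defang(src)))
    return findings


if __name__ == "__main__":
    for reasons, src in suspicious_iframes(SAMPLE_PAGE):
        print(", ".join(reasons), "->", src)
```

Point it at each index.php/index.html on the site (or a saved copy of the served page) and anything reported should be inspected by hand; a clean page gives an empty list.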