GoFuckYourself.com - Adult Webmaster Forum


trevesty 01-11-2012 04:32 PM

1px iFrame randomly found in code on site.. anyone else experience this?
 
Hey guys

Found a 1px iframe with the following URL as the src randomly in the index file of one of our sites.. and code I'd put there earlier missing:

http://xzas.sytes.net/i/index.php

Anyone else experience this?

helterskelter808 01-11-2012 04:34 PM

IIRC someone posted about that the other day. Sorry, can't remember who or what thread though.

Edit: and provided a code that apparently checks other pages for the same problem.

Klen 01-11-2012 04:35 PM

I think SZYN posted about it.

trevesty 01-11-2012 04:38 PM

Thanks. I'll search for the thread.

trevesty 01-11-2012 04:39 PM

Quote:

Originally Posted by KlenTelaris (Post 18683582)
I think SZYN posted about it.

Can't find anything by him, unless I suck at searching. :helpme

TisMe 01-11-2012 04:42 PM

It was SZNY, here's the thread: https://gfy.com/showthread.php?t=1052856

PSD 01-11-2012 04:46 PM

Quote:

Originally Posted by TisMe (Post 18683592)
It was SZNY, here's the thread: https://gfy.com/showthread.php?t=1052856

I get "threat detected" in that thread with avast and MS security essentials.

porno jew 01-11-2012 04:47 PM

Quote:

Originally Posted by TisMe (Post 18683592)
It was SZNY, here's the thread: https://gfy.com/showthread.php?t=1052856

unable to open that thread. anyone else?

2MuchMark 01-11-2012 04:48 PM

How do you update your sites? I remember a virus of some kind being reported in an FTP program that would add a little extra to every html or htm page on a site.

helterskelter808 01-11-2012 04:54 PM

Problems viewing, or warnings about, the thread may be due to the "anti-malware" code on the page triggering anti-virus.

trevesty 01-11-2012 04:58 PM

Quote:

Originally Posted by ********** (Post 18683604)
How do you update your sites? I remember a virus of some kind being reported in an FTP program that would add a little extra to every html or htm page on a site.

via FileZilla

EroTechnology 01-11-2012 05:02 PM

Quote:

Originally Posted by ********** (Post 18683604)
How do you update your sites? I remember a virus of some kind being reported in an FTP program that would add a little extra to every html or htm page on a site.

Filezilla FTP client used to be vulnerable and was exploited heavily by hackers some years back. Possibly this you're thinking of?

trevesty 01-11-2012 05:06 PM

Quote:

Originally Posted by EroTechnology (Post 18683621)
Filezilla FTP client used to be vulnerable and was exploited heavily by hackers some years back. Possibly this you're thinking of?

Oh great. :mad:

LatinaCrazy 01-11-2012 05:08 PM

Quote:

Originally Posted by JCK (Post 18683599)
I get "threat detected" in that thread with avast and MS security essentials.

It is because of the php he has embedded in the thread... No worries

Caligari 01-11-2012 05:11 PM

i frame embeds a problem for a while now-
this might help-
http://mycodings.blogspot.com/2009/0...from-your.html
How to Remove Iframe virus?
Iframe tags will be written just below the body tag. Follow the steps to remove virus.
1. Login to your FTP & edit the file which you've got iframe tag.

2. Look for the iframe tag just below the Body or Head tag.

3. Remove the coding & overwrite the file.

4. Now right click the file and click properties/File attributes and make it to "444". So that no hackers have privilege to write the file with iframe code.

5. Once you've cleaned this, the other type of virus will slowly raise, that is it will search the files that are included on the index.php file (ie dbconnect.php, general.php, configure.php, common.php, functions.php, classes.php etc) and it will write a php coding at the top of the page where it will dynamically write the javascript code at the time of execution of the file in the web - browser. The script will redirect the page to gumblar.cn/rss?id=2

6. To remove these type of error carefully look into the above mentioned filename, you can easily find out the php coding at the top of the page. Just remove the coding and make sure it is write protected, so that the php coding won't be written.

SZNY 01-11-2012 05:17 PM

  1. Copy/paste the php code and save the file as php
  2. Upload it to the root of your site
  3. and run it like www.yourdomain.dom/filename.php

http://blog.insidecomp.com/?p=33#more-33
http://forum.nexoneu.com/NXEU.aspx?g=posts&m=3143118 (some background info)

Hope it helps :thumbsup
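
Added example (not the script linked above and not any poster's code): a Python scanner to run over a local copy of a web root, flagging the 0-1px or style-hidden iframes described in this thread, decode-and-run PHP on the first line of a file, and files writable by group or other. The regex heuristics, the extension list and the sample page are assumptions made for this example.

```python
import os
import re
import stat

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
# Heuristic (assumption): injected PHP that decodes and runs a payload on the first line.
PHP_HEAD_RE = re.compile(r"^\s*<\?php[^\n]*\b(?:eval|base64_decode|gzinflate)\s*\(", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".tpl")
# Constructed sample page; the host name is a placeholder, not an indicator from the thread.
SAMPLE = '<body><iframe src="http://bad.example.invalid/i/index.php" width=1 height=1></iframe><p>hi</p>'


def iframe_attrs(tag):
    """Return the attributes of one <iframe ...> tag as a lowercase-keyed dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}


def hidden_iframes(text):
    """List src values of iframes sized 0-1px or hidden through inline style."""
    found = []
    for tag in IFRAME_RE.findall(text):
        a = iframe_attrs(tag)
        tiny = any(a.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
        if tiny or HIDDEN_STYLE_RE.search(a.get("style", "")):
            found.append(a.get("src", ""))
    return found


def scan_tree(root):
    """Walk a local copy of a web root; return (path, issue) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for src in hidden_iframes(text):
                findings.append((path, "hidden iframe -> " + src))
            if PHP_HEAD_RE.search(text):
                findings.append((path, "decode-and-run PHP at top of file"))
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group/other"))
    return findings
```

A clean scan only means these particular patterns were not found; comparing the tree against a known-good backup or version control catches modifications the heuristics miss.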

trevesty 01-11-2012 05:41 PM

Thanks guys. Our host tackled the issue pretty quickly.

I'll bump this in a day or so just in case anyone else gets it.

bobby666 01-11-2012 06:09 PM

it's a "great" way to include toplists on your site to get invisible hits

trevesty 01-11-2012 09:17 PM

Bump for others :thumbsup

brassmonkey 01-11-2012 09:31 PM

you running arrow scripts?

trevesty 01-15-2012 01:34 PM

Quote:

Originally Posted by brassmonkey (Post 18683923)
you running arrow scripts?

No I am not.

A popular tube script on this particular site. Haven't seen it on any others yet.

CrazyWhiteMan 01-15-2012 01:53 PM

seems like you got hacked. same shit happened to me...

best bet is to format your server

CurrentlySober 01-15-2012 01:55 PM

i can't afford an iframe... :(

MediaGuy 01-15-2012 02:00 PM

Yep I got that too. It's either an exploit at your host (I called GoDaddy support and told them about it - they cleaned it up in a minute and then told me to change wordpress passwords regularly; though it's been said GoDaddy had been having this problem on their end) or something on your local machine that uses a weakness in FTP clients to write itself in hashed form into your templates or files when you do an upload.

Apparently, after a clean up and regular password changes, it doesn't re-occur - which is what happened in my case...

CyberHustler 01-15-2012 02:03 PM

It happens...

Operator 01-15-2012 09:24 PM

Sure doesn't have to happen

trevesty 01-15-2012 10:56 PM

Quote:

Originally Posted by MediaGuy (Post 18690160)
Yep I got that too. It's either an exploit at your host (I called GoDaddy support and told them about it - they cleaned it up in a minute and then told me to change wordpress passwords regularly; though it's been said GoDaddy had been having this problem on their end) or something on your local machine that uses a weakness in FTP clients to write itself in hashed form into your templates or files when you do an upload.

Apparently, after a clean up and regular password changes, it doesn't re-occur - which is what happened in my case...

It was FTP.

My A/V finally caught onto it just now and went nutso. :pimp

