
Get rid of those injected iframes in index.html and index.php files

In a perfect world, no one would need such a hack to clean up infected files. But as it is today, so much poorly-written software finds its way into people’s hands and Websites. All it takes is to fall behind by one minor release or sometimes a rare vulnerability to find yourself in hot water.

There are many ways one can end up with iframe-infected files. The most common reason is weak FTP / user passwords! If your password is weak or too easy to guess, someone will definitely find it and use it to, say, upload modified public files with iframes in them. Another is vulnerabilities in the software you install on your Web server. For example, if you have an outdated version of WordPress or Joomla, someone somewhere will exploit it and find a way to upload iframes throughout your files. So stay on top of your software updates and create long and secure passwords!

Here’s a way to safely clean up your index.php, index.html, default.php, and all iframe-infected files in your public_html folder. Before you run this code against any files, please make a backup of your folder(s). Also, this fix won’t prevent the attacker from injecting the iframes again unless you patch up the software / application and reset passwords.

So, if your index.html files are infected, simply run the following command against the directory that’s infected (but mostly public_html/):

# cd /home/username/public_html && find ./ \( -iname 'index.html' \) | while IFS= read -r file; do sed -i 's/<iframe.*<\/iframe>//g' "$file"; done &

If you need to patch up multiple file names at once, for example index.html and index.php, add them as such (-o -iname newfilename.ext):

# cd /home/username/public_html && find ./ \( -iname 'index.html' -o -iname 'index.php' \) | while IFS= read -r file; do sed -i 's/<iframe.*<\/iframe>//g' "$file"; done &

That’s all folks. I hope this helps someone somewhere. Feel free to post your comments or questions.

  1. Thanks man. One quick question, does that just search for the or does it actually remove it? Or could you further explain the code? Like does it look for stuff between iframe and /iframe? Does that include every piece of iframe code on your site?

  2. @Cursors
    It removes the iframe and all text in between (the -i flag stands for inline substitution). It can be dangerous because if your HTML code makes use of iframes, it could end up deleting “innocent” iframes that are in your code (make a backup of the files/folder before running the code).

    For example, if you had this code in your HTML files, all of it will be removed:

    <iframe src="frame">frame#1</iframe><iframe src="anotherframe">frame#2</iframe>

    One way to avoid removing the “innocent” iframes is to match specific ones. If your iframes have a more specific string to match, that’ll work. For example, let’s say that you found out that the injected iframes were something like this:

    <iframe src="http://maliciousurl.tld">frame</iframe>

    Your sed code will look like:

    cd /home/username/public_html && find ./ \( -iname 'index.html' -o -iname 'index.php' \) | while IFS= read -r file; do sed -i 's/<iframe src="http:\/\/maliciousurl.*<\/iframe>//g' "$file"; done &

    If you don’t want sed to make changes to your files, replace the -i flag with -e. This will simply print out the file content so you can have a chance to see what it’d look like.

    Best
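
An added example, not part of the original post or its comments: a preview-then-clean version of the cleanup that removes only iframes whose src points at one named host, leaves other iframes on the same line alone, and copies each file to a backup directory before editing it. The function names, the backup directory argument and the sample file are assumptions made for illustration; GNU sed and grep are assumed.

```shell
#!/bin/sh
# Added example; GNU sed/grep assumed. Paths containing newlines are not handled.

# Print every iframe opening tag found in index files under $1; changes nothing.
report_iframes() {
    find "$1" -type f \( -iname 'index.html' -o -iname 'index.php' \) \
        -exec grep -Ho '<iframe[^>]*>' {} + || true
}

# Remove only iframes whose src host is $2 from index files under $1.
# Originals are copied to $3 first; keep $3 outside the web root so that
# copies of .php files are never served as plain text.
clean_iframes() {
    dir=$1 host=$2 backup=$3
    # Plain hostnames only, so nothing unexpected reaches the sed expression.
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 2 ;; esac
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')    # escape dots for the regex
    # [^>]* and [^<]* keep a match inside one iframe element; the greedy .*
    # runs from the first <iframe on a line to the last </iframe>.
    pat="<iframe[^>]*src=\"https\\{0,1\\}://${esc}[/\"][^>]*>[^<]*</iframe>"
    find "$dir" -type f \( -iname 'index.html' -o -iname 'index.php' \) \
        -exec grep -l "$pat" {} + |
    while IFS= read -r f; do
        mkdir -p "$backup/$(dirname "$f")" &&
        cp -p "$f" "$backup/$f" &&
        sed -i "s|$pat||g" "$f"
    done
}

# Constructed sample: one legitimate and one injected iframe on the same line.
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/public_html" "$tmp/backup"
    printf '%s\n' '<p>a</p><iframe src="/map.html">map</iframe><iframe src="http://maliciousurl.tld">frame</iframe><p>b</p>' \
        > "$tmp/public_html/index.html"
    report_iframes "$tmp/public_html"                 # preview first
    clean_iframes "$tmp/public_html" maliciousurl.tld "$tmp/backup"
    cat "$tmp/public_html/index.html"                 # the map iframe survives
    rm -rf "$tmp"
}
demo
```

Run report_iframes first and read its output before choosing the host to pass to clean_iframes.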
