Comments on: Get rid of those injected iframes in index.html and index.php files http://blog.unixy.net/2009/04/get-rid-of-those-injected-iframes-in-indexhtml-and-indexphp-files/ Fully Managed Dedicated Servers Wed, 16 Mar 2011 08:26:00 +0000 hourly 1 http://wordpress.org/?v=3.3 By: UNIXy http://blog.unixy.net/2009/04/get-rid-of-those-injected-iframes-in-indexhtml-and-indexphp-files/comment-page-1/#comment-471 UNIXy Thu, 30 Apr 2009 05:14:51 +0000 http://blog.unixy.net/?p=9#comment-471 <a href="#comment-468" rel="nofollow">@Cursors</a> It removes the iframe and all text in between (the -i flag stands for inline substitution). It can be dangerous because if your HTML codes makes use of iframes, it could end up deleting "innocent" iframes that are in your code (make a backup of the files/folder before running the code). For example, if you had this code in your HTML files, all of it will be removed: <blockquote><strong><</strong>iframe src="frame" >frame#1<strong><</strong>/iframe><strong><</strong>iframe src="anotherframe'>frame#2<strong><</strong>/iframe></blockquote> One way to avoid removing the "innocent" iframes is to match specific ones. If your iframes have a more specific string to match, that'll work. For example, let's say that you found out that the injected iframes were something like this: <blockquote><strong><</strong>iframe src="http://maliciousurl.tld">frame<strong><</strong>/iframe></blockquote> Your sed code will look like: <blockquote> cd /home/username/public_html && find ./ \( -iname 'index.html' -o -iname 'index.php' \)|while read file; do sed -i 's/<strong><</strong>iframe src=\"http:\/\/maliciousurl.*<strong><</strong>\/iframe>//g;' ${file}; done &</blockquote> If you don't want sed to make changes to your files, replace the -i flag with -e. This will simply print out the file content so you can have a chance to see how it'd look like. Best @Cursors
It removes the iframe and all text in between (the -i flag stands for inline substitution). It can be dangerous because if your HTML codes makes use of iframes, it could end up deleting “innocent” iframes that are in your code (make a backup of the files/folder before running the code).

For example, if you had this code in your HTML files, all of it will be removed:

< iframe src=”frame” >frame#1< /iframe>< iframe src=”anotherframe’>frame#2< /iframe>

One way to avoid removing the “innocent” iframes is to match specific ones. If your iframes have a more specific string to match, that’ll work. For example, let’s say that you found out that the injected iframes were something like this:

< iframe src=”http://maliciousurl.tld”>frame< /iframe>

Your sed code will look like:

cd /home/username/public_html && find ./ \( -iname ‘index.html’ -o -iname ‘index.php’ \)|while read file; do sed -i ‘s/< iframe src=\”http:\/\/maliciousurl.*< \/iframe>//g;’ ${file}; done &

If you don’t want sed to make changes to your files, replace the -i flag with -e. This will simply print out the file content so you can have a chance to see how it’d look like.

Best

]]> By: Cursors http://blog.unixy.net/2009/04/get-rid-of-those-injected-iframes-in-indexhtml-and-indexphp-files/comment-page-1/#comment-468 Cursors Wed, 29 Apr 2009 22:19:08 +0000 http://blog.unixy.net/?p=9#comment-468 Thanks man. One quick question, does that just search for the or does it actually remove it? Or could you further explain the code? Like does it look for stuff between iframe and /iframe? Does that include every piece of iframe code on your site? Thanks man. One quick question, does that just search for the or does it actually remove it? Or could you further explain the code? Like does it look for stuff between iframe and /iframe? Does that include every piece of iframe code on your site?

]]>