
Iframe FTP hack - my site is listed in Google as a host of malware

Item: #1010
Date: 5 Aug 2009
Applies to: v5, v6

Question

My site is listed in Google's results with the comment 'this site may harm your computer' and browsers also display a warning page when used to view my site.

What has happened to my site?

Answer

Prior to August 2009, we had seen some isolated cases of web sites being hacked to insert an 'iframe' linking to malware within them.

The way this seemed to work was that the default document on the root of the site (and perhaps in other folders) was rewritten to add an iframe which linked to a page on a site controlled by a hacker, on a .ru domain (though the domain is unlikely to indicate the true nationality of the hackers). When a user visited the site, they would be prompted to download some software (served to them through the remote malware site) which, if downloaded, could infect the site visitor's machine.

Google and the main browsers now pick up such infected sites and block them, to try to prevent other users from becoming infected. Often this is the first that you might know about your site being infected.

The following is some background we have gathered from our own personal experience and that of others who have posted their investigations online.

How does the infection occur?
Firstly, Googling reveals that this appears to be a widespread problem and not related to CactuShop or ASP (there are many reports of ColdFusion and static sites being hit). Similarly, it does not appear to be limited to particular web hosts; we've seen it on various ones. It does not seem to be a server exploit, as users have reported sites on Linux/Apache being attacked in a similar way. The strongest suggestion appears to be that the client machine used to connect to the site is compromised. This would certainly explain why most sites on a server are unaffected, and why a 'cleaned' site can be quickly re-infected.

What we do know for certain is that the files are modified by FTP, so the critical issue is how the password is obtained.

We are almost certain it is not by brute force, since we would see such attempts in the logs, and it would probably take some time to re-hack a cleaned site whose FTP password has been changed.

So the most likely explanation seems to be a compromise/exploit/infection on the machine you use to FTP to the web site.

How do I clean it all up?
The first step, assuming that the compromise is indeed client side, is to thoroughly disinfect your machine. Spyware Doctor from PC Tools has been recommended as effective in removing it. Spybot Search & Destroy also seems effective and is free. If multiple machines access your web site using FTP, ensure all of them are swept clean. The hack can then be removed from the default.asp file on your site via FTP: search the file for 'iframe' and you should find it easily. Make sure you also check any other folders on your site that have index or default documents. If we are hosting the site, we will change the FTP password.
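The 'look for iframe' step above can be automated over a local copy of the site. The following script is an added example and is not part of this article or of CactuShop; it assumes the default documents are named default.* or index.* (extend DEFAULT_DOC_RE for your server), treats an iframe as suspicious when it is hidden or loads from a host outside an allowed list you supply, and runs against a constructed sample site whose 'malware.example' host is a placeholder, not a real indicator.

```python
"""Scan a local copy of a web site for injected <iframe> tags (added example, not CactuShop code)."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: these are the "default documents" the article tells you to check
# (default.asp on the root plus index/default documents in sub-folders).
DEFAULT_DOC_RE = re.compile(r"^(default|index)\.(asp|aspx|htm|html|php|cfm)$", re.IGNORECASE)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')


def parse_attrs(attr_text):
    """Turn the inside of a tag into a {name: value} dict with lower-cased names."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    """Heuristic: an iframe the visitor is not meant to see (zero/one pixel size or CSS-hidden)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().lower().rstrip("px") in ("0", "1"):
            return True
    return False


def find_iframes(html):
    """Return every iframe in a document with its src, whether it is hidden, and its byte offset."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        found.append({"src": attrs.get("src", ""), "hidden": is_hidden(attrs), "offset": m.start()})
    return found


def scan_site(root, allowed_hosts=(), all_files=False):
    """Walk the site tree and flag iframes that are hidden or load from a host not in allowed_hosts.

    By default only default/index documents are checked, as the article suggests; pass
    all_files=True to sweep every file, since nothing stops an attacker editing other pages.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not (all_files or DEFAULT_DOC_RE.match(path.name)):
            continue
        html = path.read_text(encoding="utf-8", errors="replace")
        for frame in find_iframes(html):
            host = (urlparse(frame["src"]).hostname or "").lower()
            if frame["hidden"] or (host and host not in allowed):
                findings.append({"file": str(path.relative_to(root)), "host": host, **frame})
    return findings


def build_sample_site():
    """Create a throw-away site tree with constructed content (not real infected files)."""
    root = Path(tempfile.mkdtemp(prefix="kb1010_"))
    # Constructed example of the injection pattern: a hidden iframe appended after </html>.
    (root / "default.asp").write_text(
        "<html><body><h1>Shop</h1></body></html>\n"
        '<iframe src="http://malware.example/loader.html" width="0" height="0" '
        'style="visibility: hidden"></iframe>\n', encoding="utf-8")
    (root / "shop").mkdir()
    # A legitimate, visible iframe from the site's own host: must not be flagged.
    (root / "shop" / "index.htm").write_text(
        '<html><body><iframe src="http://www.example.com/map.htm" width="300" height="200">'
        "</iframe></body></html>\n", encoding="utf-8")
    # Not a default document, so only found with all_files=True.
    (root / "shop" / "about.asp").write_text(
        '<p>About us</p><iframe src="http://malware.example/x.html"></iframe>\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_site(site, allowed_hosts={"www.example.com"}, all_files=True):
        print(f"{f['file']}: iframe -> {f['src']} (hidden={f['hidden']}, offset {f['offset']})")
```

Run it against a fresh FTP download of the whole site rather than the live files, and put your own domain in allowed_hosts; anything else it reports should be removed, and the offset tells you where in the file to look. Because the injected tag is often appended after the closing html tag, a scanner that only parses well-formed HTML can miss it, which is why this one uses a plain regular expression over the raw text.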

What happens if my site gets re-infected again?
The same process should be followed, as re-infection suggests the compromise on at least one connecting computer may not have been removed. At this point we will change the FTP password and can clean the files ourselves if the site is hosted by us. We will hold off on notifying you of the new password to see whether this does indeed prevent re-infection. If it does, that indicates beyond doubt that the compromise is not on the server or in the software, but on one of your machines (discussion on forums seems to confirm this, but we still like to see things with our own eyes).

Removing your site from Google's security block and browser 'malware' blocks
You will need to sign up for Google's Webmaster Tools. You must prove you control your domain by completing Google's verification step (the simplest method is to place an HTML file with the name they give you on the root of your site). Once this is done, you will see the message that your site is listed for malware. Assuming you have cleaned up the problem, you can then request a site review to have the listing removed.

Further Reading
Iframe/JavaScript hacks on CPanel forum

Update: 8th September 2009

Further information suggests that flaws in Adobe Flash installed on client computers are responsible. Firefox is introducing a new measure to warn users if their Flash plugin is out of date, which lends credibility to the theory that out of date Flash plugins pose a significant risk.

http://www.webologist.co.uk/2009/05/gumblar-virus-threat-to-the-internet-how-to-remove.html

Please note that this information is accurate to the best of our knowledge, but if we become aware of new information we will update this article.

Last update 15.19, 8th September 2009
