Wednesday, August 6, 2008

How to fix or iframe infections

A lot of popular scripts developed for PHP 4 are currently being hacked through a tmp directory exploit. This is affecting web masters all over the place, so we've decided to do something about it, and write this little blog post in case it helps somebody.

If you see HTML code resembling iframe src="" being inserted into certain files on your web hosting account, you know that you are infected. I decided not to water that "infected" down to "affected" because loading a malicious 3rd-party file into your own web page is pretty serious business. Enough sobering up, let's get this solved!

Floogy Host clients, just ask us to sort it out for you. Everyone else, just follow along below:

1. SSH (or Telnet) into your web hosting account. If you don't know how, or can't connect for some reason, email the web address of this article to your server administrator, close this page, and get yourself a coffee.

2. You're in? Okay, just paste the below one-liner (right-click to paste if you're using the PuTTY SSH client on Windows) and hit Enter to sniff out files which may be infected:

    grep -lir "pinoc" *

3. If no file names show, you are safe; go in peace. Else, head to the top-level infected directory, and then paste this perl one-liner after replacing "/path/to/start/from" with the path to your top-level infected directory. If you have any problems, be sure to make it a one-liner before pasting. Run step 2 again and you should see no file names show up.

Good deed ticked off, now I deserve my grilled cheese sandwich! Yes, linking to is the flavour of the week. I really don't see myself using it much, not while I'm this accustomed to Google's keyword-based search. But, it's pretty nifty for topic-based search.



At September 8, 2008 at 8:44 AM , Blogger Thomas Gail Haws said...

The perl script isn't working for me. I tried pasting in and escaping my particular infection, but still no dice. Can you think of any reason why there may be a failure?

As far as I can tell, no files are getting changed.

At September 16, 2008 at 10:44 AM , Blogger Gus Place said...

Worked like a charm.

Thank you a lot.

Do you have any tip on how to protect from this kind of attack? How did they hack us? I changed my password but I was thinking if this was the only thing I could do.

At September 29, 2008 at 3:52 PM , Blogger Simon Arthur said...

I've been seeing the effects of a similar attack. Part of the attack is now adding an @readfile() function call to include a file from "", spam for and

How do you know this is related to a /tmp directory exploit?

At September 29, 2008 at 8:17 PM , Blogger Peter said...

One of my sites has been hacked in a similar way but the attack file comes from

(That's the Google Alert page about it btw)

At October 15, 2008 at 12:26 PM , Blogger rock said...

I tried the perl command but got

xargs: unmatched single quote

Any ideas why?

At October 19, 2008 at 10:16 PM , Blogger Cindy said...

Help! It seems it may have affected my database, too. I couldn't get the perl to work, so I have been manually deleting the code, but this is going to take forever. Please help.

I don't understand what the path should be. Can you show an example?

At November 7, 2008 at 9:25 PM , Blogger Floogy said...

That sucks; I wasn't notified of comments on this post or would have been glad to offer some advice sooner.

All you should need to do is replace "/PATH/TO/START/FROM/" with your absolute server path, and then paste it into your Linux command line, SSH shell or Telnet window.

What if I don't have root access to my server? Link your administrator to this post :)

What if I have a Windows server? Try Windows' Find and Replace instead, but paste the offending pinoc iframe code into the Find box directly from one of your own infected pages.

gus place said: Do you have any tip on how to protect from this kind of attack? Try your best to avoid world-writable directories in your public html folder. This would minimize your risk of being infected by pinoc and other similar scripts. Unfortunately, many popular scripts are configured by default to put them there.

Hope this helps! I will be emailed about any follow-up replies, so feel free to ask any more questions.

There are other measures which server administrators should take (like mounting the tmp directory as non-executable) to harden your servers up. But, since new exploits are released daily, the best defense is a regular file backup (at least weekly) and a daily database backup, retained for 5-10 backups before deletion, so that reverting to a sane, clean web site is a snap.

Most of all, don't let the bastards get you down! :)
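
An added example, not part of the comment above: a small audit for the two hardening points it mentions, world-writable directories under the public html folder and a tmp directory mounted non-executable. The function names are assumptions for this sketch, and the mount check reads the Linux `/proc/mounts` table unless another file is given.

```shell
#!/bin/sh
# Added example: audit a web root for the conditions described above.

# Print every world-writable directory (the "other write" bit) under $1.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Of those, print the ones that directly contain PHP scripts: a directory
# anyone can write to that also holds server-side code is the riskiest mix.
writable_dirs_with_php() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        if [ -n "$(find "$d" -maxdepth 1 -type f -name '*.php' -print | head -n 1)" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Succeed if mount point $1 (default /tmp) carries the noexec option.
# $2 is the mount table to read (default /proc/mounts, Linux only).
mount_is_noexec() {
    awk -v mp="${1:-/tmp}" \
        '$2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Usage: sh audit-webroot.sh /path/to/public_html
if [ "$#" -ge 1 ]; then
    echo "World-writable directories:";            world_writable_dirs "$1"
    echo "World-writable directories with PHP:";   writable_dirs_with_php "$1"
    mount_is_noexec /tmp && echo "/tmp is noexec" || echo "/tmp allows execution"
fi
```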

At November 7, 2008 at 9:26 PM , Blogger Floogy said...

To get your "absolute server path" run the command "pwd" when you are in the highest-level folder which contains infected files. This will usually be your public html or httpdocs directory.

At December 18, 2008 at 5:52 AM , Blogger Bitcloud said...

This is great, but how do you prevent it from happening again? (it's happened before)

How do you find the security hole and plug it?

At February 9, 2009 at 10:39 AM , Blogger Henryk said...

Hi and thanks for the one liner, worked like a charm.

Does anybody have a list compiled of the scripts / apps that are being exploited?

This list would be useful, for the exploit infects all *.html files, header*.php, footer*.php and index.php files and there are A LOT of them in this server that I'm looking after. There are some oldish OsCommerce installs and another thing is that there are probably some scripts on the server, that have been written by quite inexperienced persons. So some kind of a list would be helpful (if it's OsCommerce as I suspect).

At April 9, 2009 at 11:35 PM , Blogger Glasses said...

Hey All,

I too have had my site compromised with the iframe attack.

System: Mac OSX 10.5.6
Installs: WP, Drupal and MT
Date of Compromise: 040709

The malicious code looked like this:

iframe src="_" width=1 height=1 style="visibility: hidden">/iframe

iframe src="_" width=1 height=1 style="visibility:hidden;position:absolute">/iframe


iframe src=_" width=1 height=1 style="visibility: hidden">/iframe

(I removed the corner brackets from the tags and added an underscore in front of the url)

I first learned of the compromise when a twitter follower notified me of a malware alert when he came to my site.

I poked around and discovered the multitude of iframes appended to the end of my source code.

A quick (grep -r "iframe" .) in console informed me that hundreds of pages had been hacked (index, home, main, default).

Long story short I found a script that will go in and clean up your site. It was $10 and well worth it. You don't have to know any code so James you're in luck.

The code is only set up for "" so if your attack is from a different site you have to change the name. Easiest thing to do is find and replace that url with your pest url, save, run and repeat the process for other urls. In my case I had 3 different ones.

I got the code here:

So far so good... I've changed my passwords and permissions so we'll see if they strike again.

Hope this helps.

At June 12, 2009 at 6:20 PM , Blogger J said...

Sadly, some of this hacked site stuff might be too complicated or time consuming for many, particularly those with a business who need their site fixed asap, before they lose more customers or business.

Try either of these guys out, who will do all the work as well as help you prevent this from occurring again:

At December 20, 2012 at 2:16 AM , Blogger Jon Green said...

Does this one liner remove a line of code or just an expression?

I have some iframe content inserted before the closing body tag so it is in the same line - also some is inserted into legit popup code etc.

If I delete lines I shall hack some code to pieces.

Many thanks

~ J

At December 23, 2012 at 7:57 AM , Blogger Shamus Mac said...

@Jon Green hey there, thanks for stopping by. This will only remove the iframe tag, and will not take the entire line with it.

Having said that, before firing off any file manipulation script make a copy of your files in a temp directory to delete only after testing the outcome.

Good luck!

- Shamus Mac

