There is a malicious iframe attack going around affecting quite a few websites. I’ve recently helped out two clients with this issue and want to pass along the information I garnered to help anyone else with this problem.
First, this is an iframe exploit: the attack embeds iframe code into your web page(s). It affects both HTML and PHP pages.
Wondering how it was able to attack in the first place? There are two possible ways for this to occur:
1) Your server is compromised
This is the most common way. Some of the websites residing on the same web server as yours may have been compromised, and that in turn caused the web server itself to be compromised. Once the server is compromised, the worm spreads to all the websites on that server.
2) Through your client-side FTP
The worm resides on any of the client-side PCs you use to access the FTP/control panel accounts of your hosting server.
When you type in the username and password for the FTP/control panel account, the worm silently reads the credentials, accesses your FTP account and infects the files on the server. It adds the iframe code to all index.* files.
How to get rid of it? To cover all your bases, start with the client-side computer you use to FTP files to your server. You will need to search through each and every file associated with your site, look for the malicious iframe code, remove it, and then save the files. Check all folders that hold images: usually these folders will not have an index file in place. If you see one, remove it. Once you are certain all local files have been cleaned, repeat the same procedure with all files on your server.
Depending on the size of your site, this can be a very tedious task. Ensure you have all your vital information saved, including any database information as well as important files. Then run a complete virus check on your computer to head off any further virus attacks.
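The file-by-file search described above can be scripted. The following Python script is an added example, not code from the original post: it lists every iframe found in HTML and PHP pages under a directory, and every index.* file sitting in a folder whose other files are all images, so each one can be reviewed by hand (legitimate embeds use iframes too). The function names and extension lists are assumptions.

```python
import os
import re
import sys

PAGE_EXTS = {".html", ".htm", ".php"}           # page types the post says are hit
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}  # assumption: what counts as an image
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def ext(name):
    return os.path.splitext(name)[1].lower()

def find_iframes(text):
    """Return the src of each iframe tag in text ('' if the tag has no src)."""
    srcs = []
    for tag in IFRAME_RE.findall(text):
        match = SRC_RE.search(tag)
        srcs.append(match.group(1) if match else "")
    return srcs

def scan_site(root):
    """Return ({relative page path: [iframe src, ...]}, [index files in image folders])."""
    iframe_hits, stray_indexes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        indexes = [f for f in files if f.lower().startswith("index.")]
        others = [f for f in files if f not in indexes]
        # An image folder: at least one other file, and every other file is an image.
        image_only = bool(others) and all(ext(f) in IMAGE_EXTS for f in others)
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if image_only and name in indexes:
                stray_indexes.append(rel)
            if ext(name) in PAGE_EXTS:
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    srcs = find_iframes(fh.read())
                if srcs:
                    iframe_hits[rel] = srcs
    return iframe_hits, sorted(stray_indexes)

if __name__ == "__main__":
    # Usage: python scan_iframes.py /path/to/site-copy  (defaults to current directory)
    hits, strays = scan_site(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, srcs in sorted(hits.items()):
        print(f"iframe in {path}: {srcs}")
    for path in strays:
        print(f"index file in image folder: {path}")
```

Run it against the local copy of the site first, then against a fresh download of the server copy, matching the order of the cleanup above. It only reports; removal stays a manual decision.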