Comments on: HEUR:Trojan.Script.Iframe

By: gerold

gerold — Wed, 08 Jul 2009 00:49:09 +0000

@ Chris – if you receive an Trojan alert on Kaspersky when you visit your site, it’s infected – you need to check your codes for new lines added or replaced.

By: Chris

Chris — Mon, 06 Jul 2009 13:25:06 +0000

Hello ,

It seems kaspersky is blocking my companys website due to a trojan.

Can anyone tell me if it actualy is infected ? We will need to fix it asap if so.

By: gerold

gerold — Mon, 22 Jun 2009 04:43:51 +0000

@ArKUStudio – based on discussions and comments above, I think it’s better if you cleanup your sites/codes, change ftp passwords, and scan pc’s of those who have access to ftp. Then after that monitor your site if the virus return then check the ftp logs. Also, review file/directory permissions if they world-writable.

By: ArKu Studio

ArKu Studio — Fri, 19 Jun 2009 07:58:18 +0000

Well, first of all, sorry for my bad english.

I work on a company which is based on web technology, and we was working on 5 sites on Monday, and all those 5 sites was infected what which not can say for other clients ( they are not infected ). We have scanned our PC-s with Kaspersky, BitDeffender, Norton Internet Security and Norton Antivirus, AVG, Avista, Mcaffe and Nod and non of them find a virus on our PC-s.

Can anyone tell me CLEARLY is the problem in our PC-s or where is this problem.

ps. also we have changed the FTP passwords but no susses yet

By: Murat Demirten

Murat Demirten — Sat, 13 Jun 2009 16:15:58 +0000

I’ve just a simple ruby script, it uses nokogiri gem and parse files as xml, so alternative-multiline writings of script or iframe codes can be catched and corrected, maybe it can helps for someone too:
http://linux-tips.org/article/97/multi-conditional-search-and-replace-clearing-a-ftp-trojan-script-example

By: MK

MK — Mon, 08 Jun 2009 10:15:51 +0000

I have faced the same issue of accessing the site and getting a warning message instead of the original page. Most probably the issue will be with iframe . In my case also there were iframe entries but they were valid entries.

After checking further only i realised that some of the files of the site was using another Urls in the code. These other Urls are infected (which are not hosted on our server ) and thus our site is infected :/

Removing those Urls resolved the issue

By: Eric DB

Eric DB — Sat, 06 Jun 2009 21:15:38 +0000

Wow! This is what I was looking for, thanks so much for posting these helpful scripts.

I had to change the regex to get it to work with my particular situation. Posting here in case someone else might enjoy:

#!/bin/bash
grep -Z -R “eval(String.fromCharCode(118,97″ /path/to/site/* >> affected_file_list.txt

while read line
do
echo “Cleaning: ” $line
perl -pi -e ’s/\eval\(String\.fromCharCode\(.+\//g’ $line
perl -pi -e “s/\//g” $line
done < affected_file_list.txt
echo “Done”

By: kerwin

kerwin — Wed, 03 Jun 2009 08:05:42 +0000

im having same problem as well and it’s annoying..

avira didnt detected the virus kaspersky did..

By: Andrew Benitez

Andrew Benitez — Tue, 02 Jun 2009 22:39:27 +0000

I also removed write permission for Admin. I’m hoping this will fix the issue.

It’s so annoying to have this issue with ALL of my PHP sites.

By: IFrame Malware Script « Michael Jay Cantrell

IFrame Malware Script « Michael Jay Cantrell — Sat, 30 May 2009 02:02:13 +0000

[...] This is used to write an iFrame to your site that links to malware. It seems the internet has been abuzz lately over this. The most useful link I’ve found is this one. [...]