Malware Domain List

Malware Related => Compromised Servers => Topic started by: howardf on July 14, 2010, 05:34:32 pm

Title: Code injected just before closing html. Difficulty locating source.
Post by: howardf on July 14, 2010, 05:34:32 pm
Hopefully someone here can help. I am getting an iframe inserted into a served webpage just before the closing html tag. I am having trouble locating the source. To be clear, it does not show up in the source at the location it does when served. The site is PHP containing HTML, JavaScript. There are Google and OpenX ads being displayed. The iframe contains a reference to http://dreamonisland.com/js/google.js.

Any pointers would be helpful.

Howard

Title: Re: Code injected just before closing html. Difficulty locating source.
Post by: MysteryFCM on July 16, 2010, 01:22:13 pm
Apologies for taking so long.

Can you give us the URL to the affected page(s) so we can take a look please? (could you also tell us if the pages are static HTML, or contain dynamic content (i.e. pulled from a database)).

Title: Re: Code injected just before closing html. Difficulty locating source.
Post by: howardf on July 16, 2010, 02:36:09 pm
The site is mostly dynamic with some static content.

Title: Re: Code injected just before closing html. Difficulty locating source.
Post by: MysteryFCM on July 21, 2010, 03:05:18 am
Sorry for taking so long, I'm currently swamped with work and migrating to a new machine.

Has this been resolved yet?

Title: Re: Code injected just before closing html. Difficulty locating source.
Post by: howardf on July 21, 2010, 04:24:04 am
After a fashion. We got the iframe to inject itself in between comment tags via a dummy closing html tag. Currently its appearance is erratic. We are still unclear on the origin.

Title: Re: Code injected just before closing html. Difficulty locating source.
Post by: MysteryFCM on July 21, 2010, 06:42:08 pm
I've been having a look round and for the life of me, can't get the iFrame to show its face. Can you PM me a specific URL it's known to appear at please?

In the meantime, you can identify the file(s) or databases containing the malicious code itself by searching for "eval", "document." and "script" (that's by no means all of them, but should be enough for a good start, and it's obviously worth noting that script will be everywhere if the site uses JavaScript).
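
The search suggested in the last post, as an added example that is not part of the thread: a Python script that walks a local copy of the web root (including any SQL dump saved into it) for "eval", "document." and "script", then ranks files by how many of the three they match so the expected "script" noise sinks to the bottom. The extension list and the sample files are assumptions constructed for this example.

```python
import os
import tempfile

# Search strings taken from the post above; "script" is expected to be noisy.
NEEDLES = ("eval", "document.", "script")
# Assumption: extensions worth scanning on a PHP site, plus SQL dumps for database content.
EXTENSIONS = (".php", ".html", ".htm", ".js", ".inc", ".sql")

def scan_tree(root, needles=NEEDLES, extensions=EXTENSIONS):
    """Return {relative_path: {needle: [line numbers]}} for files containing any needle."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            found = {}
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    lowered = line.lower()
                    for needle in needles:
                        if needle in lowered:
                            found.setdefault(needle, []).append(lineno)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def rank(hits):
    """Files matching more distinct needles first, so 'script'-only files come last."""
    return sorted(hits, key=lambda p: (-len(hits[p]), p))

def demo():
    """Run the scan over a small constructed tree (sample files are made up)."""
    samples = {
        "index.php": "<?php include 'footer.inc'; ?>\n<script src='menu.js'></script>\n",
        "footer.inc": "<?php eval($x); ?>\n<script>document.write(y)</script>\n",
        "about.html": "<html><body>About us</body></html>\n",
        "logo.png": "eval script document.\n",  # skipped: extension not scanned
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = scan_tree(root)
    return rank(hits), hits

if __name__ == "__main__":
    order, hits = demo()
    for path in order:
        print(path, hits[path])
```

To use it on a real site, call `scan_tree()` on an offline copy of the document root and review the top-ranked files first.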