Author Topic: Code injected just before closing html. Difficulty locating source.  (Read 14103 times)

0 Members and 1 Guest are viewing this topic.

July 14, 2010, 05:34:32 pm
Read 14103 times

howardf

  • Newbie

  • Offline
  • *

  • 3
Hopefully someone here can help. I am getting an iframe inserted into a served webpage just before the closing html tag. I am having trouble locating the source. To be clear it does not show up in the source at the location it does when served. The site is PHP containing HTML, Javascript. There are Google and OpenX ads being displayed. The iframe contains a reference to http://dreamonisland.com/js/google.js.

Any pointers would be helpful

Howard

July 16, 2010, 01:22:13 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Apologies for taking so long.

Can you give us the URL to the affected page(s) so we can take a look please? (could you also tell us if the pages are static HTML, or contain dynamic content (i.e. pulled from a database)).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 16, 2010, 02:36:09 pm
Reply #2

howardf

  • Newbie

  • Offline
  • *

  • 3
The site is mostly dynamic with some static content.

July 21, 2010, 03:05:18 am
Reply #3

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Sorry for taking so long, I'm currently swamped with work and migrating to a new machine.

Has this been resolved yet?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 21, 2010, 04:24:04 am
Reply #4

howardf

  • Newbie

  • Offline
  • *

  • 3
After a fashion. We got the iframe to inject itself in between comment tags via a dummy closing html tag. Currently its appearance is erratic. We are still unclear on the origin.

July 21, 2010, 06:42:08 pm
Reply #5

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I've been having a look round and for the life of me, can't get the iFrame to show it's face. Can you PM me a specific URL it's known to appear at please?

In the meantime, you can identify the file(s) or databases containing the malicious code itself, by searching for "eval", "document." and "script" (that's by no means all of them, but should be enough for a good start, and it's obviously worth noting that script will be everywhere if the site uses Javascript).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net