Author Topic: Code injected just before closing html. Difficulty locating source.  (Read 20322 times)

July 14, 2010, 05:34:32 pm

howardf

Hopefully someone here can help. I am getting an iframe inserted into a served webpage just before the closing html tag. I am having trouble locating the source. To be clear, it does not show up in the source at the location it does when served. The site is PHP containing HTML and JavaScript. There are Google and OpenX ads being displayed. The iframe contains a reference to http://dreamonisland.com/js/google.js.

Any pointers would be helpful.

Howard

July 16, 2010, 01:22:13 pm
Reply #1

MysteryFCM

Apologies for taking so long.

Can you give us the URL to the affected page(s) so we can take a look please? (could you also tell us if the pages are static HTML, or contain dynamic content (i.e. pulled from a database)).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 16, 2010, 02:36:09 pm
Reply #2

howardf

The site is mostly dynamic with some static content.

July 21, 2010, 03:05:18 am
Reply #3

MysteryFCM

Sorry for taking so long, I'm currently swamped with work and migrating to a new machine.

Has this been resolved yet?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 21, 2010, 04:24:04 am
Reply #4

howardf

After a fashion. We got the iframe to inject itself in between comment tags via a dummy closing html tag. Currently its appearance is erratic. We are still unclear on the origin.

July 21, 2010, 06:42:08 pm
Reply #5

MysteryFCM

I've been having a look round and for the life of me, can't get the iFrame to show its face. Can you PM me a specific URL it's known to appear at please?

In the meantime, you can identify the file(s) or databases containing the malicious code itself, by searching for "eval", "document." and "script" (that's by no means all of them, but should be enough for a good start, and it's obviously worth noting that script will be everywhere if the site uses JavaScript).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
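
The file search suggested in Reply #5, as an added example that is not part of the thread or any poster's code: it walks a web root, looks for "eval", "document." and "script" plus the iframe tag and host named in the first post, and reports each line under its strongest match so the noisy "script" hits sort last. The extension list, the ranking and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Strongest signal first. "eval", "document." and "script" are the strings from
# Reply #5; the iframe tag and host come from the first post.
NEEDLES = [
    ("ioc-host", re.compile(r"dreamonisland\.com", re.I)),
    ("iframe", re.compile(r"<\s*iframe\b", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("document.", re.compile(r"\bdocument\.", re.I)),
    ("script", re.compile(r"script", re.I)),  # noisy on any JavaScript site
]
EXTENSIONS = (".php", ".html", ".htm", ".js", ".inc")  # assumed file types

def scan(root):
    """Return (rank, path, line_no, label, text) per matching line, best first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for rank, (label, rx) in enumerate(NEEDLES):
                        if rx.search(line):  # keep only the strongest needle per line
                            rel = os.path.relpath(path, root)
                            hits.append((rank, rel, line_no, label, line.strip()[:100]))
                            break
    return sorted(hits)

def demo():
    """Scan a small constructed web root (not data from the affected site)."""
    sample = {
        "index.php": '<script src="/js/site.js"></script>\n<p>hello</p>\n',
        "js/site.js": 'document.getElementById("ad").style.display = "block";\n',
        "inc/footer.php": "<?php eval($packed); ?>\n</body>\n",
        "cache/home.html": '<p>cached</p>\n<iframe src="http://dreamonisland.com/js/google.js"></iframe>\n</html>\n',
        "notes.txt": "script eval document.\n",  # skipped: extension not listed
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for rank, rel, line_no, label, text in demo():
        print(f"[{label}] {rel}:{line_no}: {text}")
```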