I am getting an iframe injected just before closing html tag consistently on some pages and sometimes on others. Cannot locate it or a script that generates it in source. But somehow it shows up on the served page. There is a google tracker and openX scripts in the code as well. Pages use PHP, Javascript and HTML of course. Just for further info, the iframe shows up as a little block on bottom of page (in FF). The iframe encloses <snip/> which un obfuscates as <snip/>. Some users are getting a virus warning.
Any help or pointers much appreciated.
Howard
Thanks for reply. It is not a CMS site. The code injected in the iframe is a javascript file on one site (dreamonisland.com) which brings up a cgi script on another site (daddyseye.net) . The iframe shows up as 1 pixel by 1 pixel. Only noticeable in Firefox and draws the page down to the bottom. As before any suggestions are welcome.
Thanks Crazybanana,
Your suggestions and pointers were very helpful.
ah ok. the iframe is triggering two remote exploits. one for buggy unpatched pdf and the other targets .swf.
it’s a stack based buffer overflow in acrobat, it allows arbitratry code to execute via a pdf file that calls a javascript function.
looks a bit like the 'ol gumblar exploit. you should probably clean your pc as well as the server.
start cleaning the server for any unknown files and folders. also check your files forunknown or obfuscated code.
do you use some kind of CMS on your site?
there wasn’t much information left in this post, but from what i can read the iframe is injected into the source, which means there has to be some malicious files on your server.
if you are using a CMS a popular place for hiding such files would be in the plugins folder(s). you should check all your files and folders on the server.
these files can embed themself to other files, and disguise themself as legal files and pictures etc. so they can be hard to spot
is the iframe triggering a virus or flash/pdf exploit, or perhaps something similar?
i guess we will need some more information about your page and this iframe.