A couple of weeks ago I mentioned how memwg.com had been flagged by Google as being a “bad” site because it was hosting “malware”. This wasn’t something I had done; the site was subject to an iframe injection. It took me a while to find and fix the problem, but since I’ve had some questions about iframe injections here is a quick and dirty guide to dealing with them.
The “iframe” Tag
Like most useful things, IFrames can be used for good or for bad.
An injection is something inserted by a third party into a website. The most common kind of injection is a “SQL injection”, which is an injection into a database (SQL is the language commonly used to program and access databases… many people pronounce it as “sequel”, by the way, which is why I say “a SQL injection” as opposed to “an SQL injection”.)
Most injections are SQL injections. If a website developer isn’t careful, they can easily leave backdoors open that nefarious types can use to insert random data into a database… or even worse do things like wipe out the database.
WordPress blogs are ripe for iframe injections, since they’re backed by a database…
An iframe injection is an injection of one or more iframe tags into a page’s content. The iframe typically does something bad, such as downloading an executable application that contains a virus or worm in it… something that compromises a visitor’s system.
If you have a very recent browser (like Firefox 2) then iframe injections aren’t really a worry — these browsers are smart enough not to automatically download and run applications without your permission. But older browsers are more trusting.
Finding IFrame Injections
To find iframe injections, look through the HTML your web server is sending. Open a page in your browser and then use the browser’s “view source” option to see the HTML. Look for <iframe> tags. Injections usually insert iframes that point to raw IP addresses (something like “188.8.131.52”) instead of domain names. Treat these as suspicious.
Once you’ve found an iframe and have determined that it’s not legitimate, you have to remove it from the page or database it’s coming from. On a WordPress blog you simply edit the page in question, look for the <iframe> tag and remove it.
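The check described above (look through the page source for iframe tags that point to a raw IP address), as an added example that is not part of the original post: a Python script that runs it over saved HTML. The sample page, its addresses and the function names are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one ordinary embed, two iframes on raw IPs, one local frame.
SAMPLE_PAGE = """<html><body><p>Post text</p>
<iframe src="https://video.example.com/embed/42" width="560" height="315"></iframe>
<iframe src="http://203.0.113.7/x.html" width="0" height="0" style="display:none"></iframe>
<IFRAME SRC='//198.51.100.23:8080/in.php' width=1 height=1></IFRAME>
<iframe src="/local/widget.html"></iframe>
</body></html>"""


class IframeFinder(HTMLParser):
    """Collect the src attribute of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches too.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def host_is_raw_ip(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        # .hostname drops any port and the brackets around an IPv6 literal.
        host = urlsplit(url.strip()).hostname
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        # Malformed URL, relative path, or a host that is a name, not an address.
        return False


def suspicious_iframes(html):
    """Return the src of each iframe that points at a raw IP address."""
    finder = IframeFinder()
    finder.feed(html)
    return [src for src in finder.sources if host_is_raw_ip(src)]


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE):
        print("suspicious iframe:", src)
```

Each flagged address still has to be judged by hand, as with the manual “view source” check.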
That’s pretty much it. Keeping your WordPress (or other database-backed software) up-to-date with the latest fixes is the best way to avoid these kinds of problems.