Attack of the binglbalts

We started seeing a lot of websites infected with a malscript that looks like:

iframe frameborder="0" onload=' if (!this.src) { this.src=""; this.height=0; this.width=0; } '>/iframe

In Joomla sites we’ve found it in /templates/index.php toward the bottom. In WordPress blog sites, we’ve seen it in the footer.php file.

We’ve usually been finding them toward the bottom of webpages. As of this writing the domain is still active.

It turn out the result of these infections has been stolen FTP credentials. We’ve been able to view the logs of numerous sites that have been hacked by and we can see the IP addresses of where the infection is coming from.

To clean this, first change all FTP passwords.

Second, you’ll have to download your entire site onto your PC or Mac. Then use grepWin and use this as the search string:

iframe/s*frameborder=\"0\" onload=\' if \(\!this\.src\)/s*\{/s*this\.src=\"http:\/\/binglbalts\.com\/grep\/\"; this\.height=0; this\.width=0;/s*\} \'><\/iframe

For the replacement string in the field "Replace with:", leave that field blank. Then set the following:

Search case-sensitive: unchecked
Dot matches newline: check
Create backup files: check
Treat files as UTF8: uncheck

Include system items: check
Include hidden items: check
Include subfolders: check

First hit the Search button. Just to see the files in the Search results window. Then hit Replace. This will find and remove the malscript and create a backup of the original file with the malscript.

This will find it all files with that string in there and remove them.

Then copy the cleaned files to your website.

In a few instances, we've been seeing some .php backdoors associated with infections. These are usual backdoors we see with this code in them:


To be sure you don't have that in any of your files use grepWin and this search string:

<\?php/s*eval\(base64_decode\([\'|\"].*?[\'|\"]\)\); \?>

Examine any files that show up in your Search results window for grepWin. If that's the only line in the file, then just delete the file from your website. If that's not the only line in your webpage, then use grepWin to Replace that string with nothing and you should be clean. Often times we've found this string in gifimg.php or mailcheck.php.

If you have any questions or comments, please feel free to post them. Or you can send me an email at: