infected by iframe hack :(

Hi guys,

So im infected by the iframe hack, has anyone had something like this?
Worst thing about this hack is it looks like its dynamically moving around, sometimes its there, and then suddenly its not.

See this screenshot example, i used Vurl online scanner - tried a few other ones they show nothing though...



I have checked all pcs on network, no sign of trojan, so have no clue when or how the website got infected so far. I will check the ftp log files later today for the last month or so.

Only thing i found in regular template was some dodgy javascript link but that was about it, this was before the online scan btw.

Has anyone experienced this before, and how to deal with this?

Would need to know more about your full server details (see my signature), your MODx install version and other applications running on your server.

Same for me: "iframe infection"

modx Evo 1.04
Apache 2.2.12
MySql 5.1.37
Php 5.2.13

SMF Forum installed on the same domain (on another DB)

Which version of SMF banzai?

Modx version: 0.9.6.3
Apache/1.3.41 (Unix)
PHP/5.2.13
FrontPage/5.0.2.2635
MySQL client version: 4.1.22
Mysql Server version: 4.1.22

Ive checked ftp logs and modx logs cant find anything.

I fear it might of been some sort of sql injection? I did find a trojan on a pc that had access to the site, kaspersky didnt detect this - ad-aware did the job

Trojan that i found ( since this could be related and some ppl might fell over this thread ) Win32.Trojan.AntiAV/AC Engine

Still stuck though im slowly doing text backup on the site as im thinking only solution left is a complete reinstall with newest modx

SMF 1.1.1

But infection (iframe) is in MODX pages / templates.

Banzai do you have the same issue as me, meaning: you can see the iframe injection only at certain times with online scanners, yet its not there when you actually check source code/ templates.

Another thing to note: i have scanned all my ftp files with avira / ad aware no detection what so ever

Yes! No iframe code, in the source code or in modx templates/chunks

pocketp , what kind of onlinescan do you use?

But can you see the iframe code on your page when your browsing - is the position the same? or does it dissapear after page refresh? how did you detect the injection in first place?

My Avira antivirus advised me about the virus and a couple of hours later i received a mail from Google Webmaster tool.

The only iframe i can see on the site, is Google Adsense