The iframe tag is an HTML tag used to embed content from another web page or website. Like most useful things, iframes can be used for good or for bad. An injection is something inserted by a third party into a website. An iframe injection then, is an injection of one or more iframe tags into a web page's content. The iframe typically does something bad, such as downloading an executable application that contains a virus or worm in it… something that compromises a visitor's system.

With iframe injections, attackers or hackers insert their iframe codes inside your website page. They use Trojan malware to do it. Normally they will target your index.html, index.php, default.php or configuration.php page. They will insert their codes inside your website, so when visitors visit your page they will download their malicious code inside their personal computer.

How To Clean Up After An Iframe Injection

If you have had an iframe injection attack, it is critical that you perform a thorough cleaning of your PC and any other PC that can FTP to your website. The hackers may be attacking your website via a virus that they may have downloaded to your computer without you realizing it. Even though you change passwords, and remove the iframes, you may still be vulnerable to iframe injections.

The virus will take your new passwords and make them available to the hacker. First, it knows the files and default locations of various FTP software, FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.

The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password, which is why strong passwords aren't a defense in this case.

Second, the virus may install a keyboard logger. With everyone telling people not to save their FTP username and passwords, hackers started installing keyboard loggers for those who type their passwords in each time. Again, the stolen information is sent to a server that infects the website.

Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, and send it to a server.

Fourth, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.

Depending on the virus on your computer, you may have to install a new anti-virus program. The virus may know how to evade detection of the current anti-virus. It doesn't matter what's being used currently, you may have to install something different.

Once you believe you have removed the iframe injections from your web pages, perform a complete virus scan of your PC before you start to change passwords. This will at least ensure that any new passwords will not be available to the hacker if the virus has been removed.

Use iframe scan tools on a daily basis to check for iframe injection attacks. Then, should you have iframe injection again, it probably may not be the result of a faulty script or weak FTP passwords, but the result of a virus on your PC with FTP access to the infected website. You need to remove this virus before creating new passwords.

You can use the following protection methods:
1) Scan and thoroughly clean your PC
2) Change all your FTP passwords
3) Change your hosting and database passwords
4) Check all files for this iframe injection, not just index pages. It could be everywhere you have body tag. Use the iframe scan tools daily
5) Check all your .htaccess files, you might find one in every folder, created by this virus. Make sure it is your .htaccess file and has not been modified.
6) Check your web page CHMOD file permissions


Once you've found an iframe and have determined that it's not legitimate, you have to remove it from the webpage. When you have fixed your iframe problems, you shouldn't think of it as "I installed security, I'm good now" but rather use it as a way to tightening up the server. You should do that because even the latest software might have some holes in it which can be used.

This page was published on It was last revised on



  • Votes
  • Oldest
  • Latest