Scan website files for embedded iframe virus

There are definitely a lot of embedded IFRAME attacks going on at the moment! If you’ve been caught out and got this code onto your website(s) (see my previous post outlining Filezilla ftp connection user name and password vulnerabilities) then it might be difficult for you to find every last file infected by this malware on your website.

Of course the first thing to do after removing the malware from your PC, changing your ftp passwords and swapping to a different ftp client (?!) is to re-upload all your files to your website. But uploading a whole backup copy of your website is always nerve-wracking: there is always the uncertainty that you HAVE made some minor update that you forgot to back up.

Instead you can scan the website for files containing iframes and intelligently delete those iframes or re-upload just those files affected. By scanning your website for embedded iframe virus affected files after you’ve completed the cleanup you can also assure yourself that you have now got a clean site!

So here’s a script we adapted from some previous work that should help you scan your website for embedded iframe virus affected files. Its written in PHP and you’ll possibly need to edit it to set it up just the way you want it, but it should be self explanatory – I hope.

  • Unzip it and then copy it to your website document root.
  • Visit the address you uploaded it to, e.g.

It will then show all the files it has checked and highlight any files in which it has found the signature ‘iframe’ within. Note that this might find spurious files as you might have a blog that mentions iframes. You could change the detection signature to <iframe but what if the malware has injected < iframe or < iframe – hence why we just check for iframe: better safe than sorry!

To eliminate spurious files the script will ignore files over a certain size and of certain types (both can be updated in the header of the file). It will also ignore files before a certain date, so if you know the website caught the iframe injection attack on 10/8/2009 then you can set it to ignore files before 1/8/2009, thus when you scan your website for injected iframes it’ll false trigger less.

There are a couple of url parameters that you might find useful; you can use the following forms:

  • detect-signature.php?detect_errors_only
    This will look for any iframes and just display an OK or not OK result.
  • detect-signature.php?detect_errors_only
    This will look for any iframes and display every file it finds one in.

We hpoe that’s of use to you, if it is then do link to this article – it helps our SEO a little and it might help other people!

UPDATE: Latest news seems to say that there is a huge increase in attacks from FaceBook apps in the first 6 months of this year – take care out there!

This entry was posted in Web Hints & Tips and tagged . Bookmark the permalink.

6 Responses to Scan website files for embedded iframe virus

  1. Mahesh S. says:

    Amazing Tool For The Entire Web Community. Keep the good work going and the whole world will remember you for developing such a tool


  2. LNTH says:

    The file is not at anymore:
    "Page not found
    Sorry, the page you were looking for in the blog WebSanity Internet Marketing & SEO Blog does not exist."
    Could you please re-upload the file or send me via email at
    Thank you!

  3. WebSanity Internet Marketing says:

    Oops, sorry. This was caused by a real headache created by Google when they stopped allowing Blogger to serve blogs as, for example, and we had to change to

    I have now put some .htaccess code in place so this should now be working again, despite the change.

  4. IsBinod says:

    I searched for the web several times and every time I got zero results until I discovered this site. This script is awesome. Thanks.

  5. Anonymous says:

    thank you very much… i searched and searched my files for days but your tool had me sorted withing a minute!

  6. website designers southampton says:

    I like this Amazing Tool!
    I read this informative article. Thanks this Scan website files for embedded iframe virus post at this site.

About Gerald Thulbourn

Gerald Thulbourn setup WebSanity in 2004. He has a 1st class honours MEng in Microelectronics & Software Engineering (i.e. he's a techy), 5 A grades at A level (i.e. he works hard) and loves to communicate (i.e. odd for a techy). He hates tech speak, sloppy/badly tested code, and technology for the sake of technology's sake. He loves helping people understand marketing concepts and seeing how their application makes a real difference to their business. In particular he loves training; SEO, Website Analysis, WordPress etc. Read more about us on Google+