
SANS ISC: mass iframe injection - SANS Internet Storm Center



Over 10,000 legitimate websites have been compromised and now have an iframe that will direct visitors to a malicious website hosted on The malicious website attempts to exploit the vulnerability described in MS06-014 and a number of ActiveX vulnerabilities.

Successful exploitation results in the installation of a password-stealing malicious program that attempts to steal logon credentials for websites and online games.

Recommended immediate action:

Block at your web proxy

Recommended follow-up action:

Inspect your web proxy logs for visitors to This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to
( Search your proxy logs for systems generating those requests and reimage the infected machines.
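
One way to run the log review above, as an added example (not code from the ISC): it sorts proxy clients into "potentially exposed" and "likely infected". The two hostnames are placeholders, and the Squid native access.log format and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Placeholders: the real hostnames are not reproduced here.
EXPLOIT_HOST = "exploit-host.example"    # site the injected iframe points to
CALLBACK_HOST = "callback-host.example"  # site compromised systems send traffic to

# Constructed sample lines in Squid's native access.log format (an assumption).
SAMPLE_LOG = """\
1205500000.101    250 10.0.0.5 TCP_MISS/200 1432 GET http://exploit-host.example/ - DIRECT/192.0.2.10 text/html
1205500003.300    120 10.0.0.7 TCP_MISS/200 1432 GET http://EXPLOIT-HOST.example:80/ - DIRECT/192.0.2.10 text/html
1205500040.910     90 10.0.0.5 TCP_MISS/200 211 POST http://callback-host.example/up - DIRECT/192.0.2.20 text/plain
1205500050.000     80 10.0.0.9 TCP_MISS/200 900 GET http://news.example/?ref=exploit-host.example - DIRECT/192.0.2.30 text/html
1205500060.000     10 10.0.0.8 TCP_DENIED/403 0 GET http://exploit-host.example/ - NONE/- text/html
1205500070.000     70 10.0.0.6 TCP_MISS/200 0 CONNECT callback-host.example:443 - DIRECT/192.0.2.20 -
garbage line
"""

def request_host(method, target):
    """Host of a proxied request; CONNECT targets are host:port, not URLs."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def triage(log_text):
    """Return (exposed, infected) sets of client addresses."""
    exposed, infected = set(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, action, method, target = fields[2], fields[3], fields[5], fields[6]
        # Match on the parsed host, so a hostname inside a query string is ignored.
        host = request_host(method, target)
        if host == CALLBACK_HOST:
            infected.add(client)  # callback traffic, even if blocked: reimage
        elif host == EXPLOIT_HOST and not action.startswith("TCP_DENIED"):
            exposed.add(client)   # page was actually served: verify patch level
    return exposed - infected, infected

if __name__ == "__main__":
    exposed, infected = triage(SAMPLE_LOG)
    print("check patches:", sorted(exposed))
    print("reimage:", sorted(infected))
```

Requests the proxy denied are left out of the exposed set because the exploit page never reached the client; that filter is a choice made in this example.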

Protecting Browsers:

A properly patched system should not be at risk from this attack. It is recommended to use a browser that does not support ActiveX.

Protecting Webservers:

Until details become available on how the iframe was injected, we have no recommendations.

Missing information:

We currently do not have details on how the iframes were placed on the websites. If you are responsible for cleaning up or investigating one of the defacements, please contact us if you have information on how the compromise occurred.

Kevin Liston

292 Posts
ISC Handler
Mar 14th 2008
I see that various security researchers are debating the possibility of attackers using the caching feature of websites search software to add IFrame code to the saved search results on the sites.

Anyone come across this?

On the assumption that this is a possible attack vector, wouldn't an immediate response advice be to disable site search caching on your website search software pending further investigation?

14 Posts
You might want to mention, parenthetically, that MS06-014 should _not_ be confused with MS08-014, which was just announced earlier this week. Some folks might mis-read the first paragraph and get spun up over nothing.
