Sophos Anti-Virus detects Troj/Iframe-AG and/or Mal/Badsrc-C when you attempt to access a local database or visit a website.
This infection is most likely caused by SQL injection, a security vulnerability which allows a malicious source to perform operations on a database. This can occur either locally or remotely.
Attackers scan for web pages which may be susceptible to SQL injection, and an HTTP request is sent to the page which will insert malicious script into the related database.
Mal/Badsrc-C is detected when accessing a page which references a field in the database which has had malicious code inserted into it, most likely to redirect a user to a hijacked website.
What to do
Sophos Anti-Virus detects this malware but Sophos does not provide a database cleanup utility.
- Ensure that Sophos Anti-Virus on-access protection is enabled on the webserver.
- You must fix the security vulnerability in your website to ensure that the attack cannot take place again (see links below).
- The clients accessing the website should
- Stop browsing to it
- Clean up any viruses which will have been detected in temporary internet files.
The data cannot be cleared up because the data within the database has been compromised. The pages will often contain many malicious script tags, so to attempt to clean a page is risky and it can be misleading, because it is possible that some malicious code has not or cannot be removed.
Further information on SQL injection vulnerabilities
Microsoft has released an article on this vulnerability which links to methods to test for susceptibility to SQL attacks:
Additional information can be found on the Sophos blogs: