  1. #1
    Join Date
    Jun 2007
    Posts
    72

    * How to prevent an iframe injection attack?

    I see a request in my log files :

    GET /?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST

    Followed by some codes ...

    There are too many pages on the Net about injection attacks, but all I could find were at the level of news. Apparently these types of attacks are increasing these days, but is there no cure?

    I think the injection attacks I found in the logs are a kind of Asian iframe attack which shows the user a demand to install a video CODEC or some such thing...

    My question: is it possible to prevent and block some request strings in Apache, for example when a request arrives containing the above string?

    At the end, I want to insert those attacker IPs:

    58.61.134.17
    222.113.196.71
    123.19.164.40
    70.140.147.128
    82.66.91.243
    123.240.44.67
    60.210.103.158
    193.188.105.220

    ---------------------
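    Added example, not from the original thread: a small Python triage script for the situation described in the post above. It applies the one check the logged request calls for, URL-decoding each query string before matching, so the mixed-case "DeCLARE" and the %20 spacing in the log line do not matter, recognises the DECLARE/SET/CAST shape quoted above, decodes the 0x... hex literal such probes carry so you can read the SQL they would run, and counts matching requests per source IP for a block list. The log lines are constructed for the example (two of the IPs are taken from the list in the post); the hex body in them decodes to a harmless SELECT 1, not to any real payload.

```python
"""Triage Apache access-log lines for the DECLARE/SET/CAST injection probe.

Added example, not from the original thread. SAMPLE_LOG is constructed:
the 0x... literal in it decodes to a harmless "SELECT 1".
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined/Common Log Format prefix: ip ident user [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shape of the logged probe after URL-decoding:
#   DECLARE @var TYPE(n); SET @var = CAST(0x<hex> ...
# Case-insensitive, so "DeCLARE" and "declare" both match.
INJECT_RE = re.compile(
    r'declare\s+@\w+\s+\w+\s*\(\d+\)\s*;\s*set\s+@\w+\s*=\s*cast\s*\(\s*0x(?P<hex>[0-9a-f]+)',
    re.IGNORECASE,
)

def decode_hex_payload(hexstr):
    """Return the text hidden in a 0x... literal, or None if it is not decodable ASCII."""
    if len(hexstr) % 2:
        return None
    try:
        return bytes.fromhex(hexstr).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(lines):
    """Return (hits, ip_counts).

    hits: one dict per matching request (ip, status, decoded payload).
    ip_counts: Counter of matching requests per source IP, for a block list.
    """
    hits = []
    ip_counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]
        decoded = unquote(query)          # undo %20, %3B, ... before matching
        inj = INJECT_RE.search(decoded)
        if not inj:
            continue
        ip_counts[m.group("ip")] += 1
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "payload": decode_hex_payload(inj.group("hex")),
        })
    return hits, ip_counts

# Constructed sample lines (not real traffic); the hex literal decodes to "SELECT 1".
SAMPLE_LOG = [
    '58.61.134.17 - - [10/May/2008:03:14:07 +0000] "GET /?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));-- HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [10/May/2008:03:14:09 +0000] "GET /index.php?page=settings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '222.113.196.71 - - [10/May/2008:03:15:42 +0000] "GET /page.asp?id=1%3Bdeclare%20@s%20varchar(4000)%3Bset%20@s%3Dcast(0x53454C4543542031%20as%20varchar(4000)) HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:<16} status={h['status']} payload={h['payload']!r}")
    print("requests per IP:", dict(counts))
```

    The third sample line is the reason for decoding first: its semicolons arrive as %3B, so a pattern applied to the raw query string would miss it while the decoded form matches. A status of 200 on a hit, as the poster saw, only tells you the front end answered; whether the database behind it ran the statement has to be checked there.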

  2. #2
    Join Date
    Dec 2002
    Location
    USA
    Posts
    339
    A nice solution is Mod Security if you are not using it already. It will block a lot of those injection attacks with the proper filters.

  3. #3
    Join Date
    Jun 2007
    Posts
    72
    Thanks FrontPage1, is it possible to learn it in a few days?

    Do you know some useful resources?

  4. #4
    Join Date
    Jul 2007
    Posts
    2,051
    Though all the security measures can block iframe SQL injections, they are not foolproof solutions. The best way to prevent SQL injection is to make sure the coding is done with security in mind. I have noticed many programmers writing bad pieces of code and the applications getting attacked by SQL injection. In such a case, the programmers have to be forced to correct the code.

  5. #5
    I agree with prashant1979. The gateway is the badly written code and that needs to be taken care of first.

  6. #6
    Greetings:

    See http://groups.google.com/group/stopb...818a35ff3d37a4 and http://groups.google.com/group/stopb...660efeada77216 in terms of our experiences with this issue.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  7. #7
    Join Date
    Dec 2002
    Location
    USA
    Posts
    339
    Quote Originally Posted by xoleno View Post
    Thanks FrontPage1 , is it possible to learn it during some few days?

    Do you know some useful resources?
    Are you using Cpanel? If you are, it is very easy to install and configure Mod Security. There are plenty of filters to block SQL injection and protect poorly coded PHP/MySQL scripts.

  8. #8
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Do NOT rely on CPanel to do your administration work for you. Installing and configuring mod_security is not something that can be 'automated' by something like CPanel. You need to take God knows how many variables into account, including what you're running on the server itself.

    mod_security is NOT an all-encompassing, all-in-one solution. It's more of a pain in the tail end than a solution. A PROPER solution is to keep your server updated, patched, and worm free.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  9. #9
    Join Date
    Jun 2007
    Posts
    72
    I found a book, "Apache Security", apparently written by the creator of mod_security; it is a little difficult for me to understand but I'm trying, and I hope to find an easier source.

    Unfortunately this is a Plesk VPS; currently Apache gives code 200 to the above GET string, and this is not a good symptom.

    However, it seems none of the files are changed or infected; I had a look at all of the logs 3 times. I always upgrade and install newer versions of software, but some things are wrong: rsyslog was stopped and I observe abnormal changes in website traffic...

  10. #10
    Forget about blocking the IPs, these attempts are distributed through dummy machines.

    I added the below to my .htaccess and stopped them dead.

    Code:
    RewriteEngine On
    # Raw (not URL-decoded) query string; a delimiter must precede an SQL keyword. [NC] = case-insensitive, [F] = 403 Forbidden
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC]
    RewriteRule .* - [F]
    Technical Advisor for new A&E Series The Killing Season
    There are no random acts of violence
    Starts November 5th!
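    Added example, not from the original thread: a Python emulation of the RewriteCond in the post above, so you can see what it does and does not stop before putting it in front of a site. It assumes Python's re treats this particular pattern the same way Apache's PCRE does (only alternation, `.*` and a literal `\)` are involved), and it applies the pattern to the raw query string exactly as Apache does, because %{QUERY_STRING} is not URL-decoded; that is why the rule lists both literal and %-encoded quotes and brackets. The query strings tested are constructed.

```python
"""Emulate the .htaccess RewriteCond from the post above against sample query strings.

Added example, not from the thread. Apache matches %{QUERY_STRING} raw
(not URL-decoded) and [NC] makes the match case-insensitive, which is what
re.IGNORECASE reproduces here. Sample inputs are constructed.
"""
import re

# The RewriteCond pattern, verbatim. Group 1: a delimiter or quote, literal or
# %-encoded. Group 2: an SQL keyword that must appear somewhere AFTER it.
RULE = re.compile(
    r'''^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*'''
    r'''(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*''',
    re.IGNORECASE,
)

def blocked(query_string):
    """True when the condition holds and RewriteRule .* - [F] would answer 403."""
    return RULE.match(query_string) is not None

# Constructed cases: (query string, what it illustrates)
CASES = [
    # the probe from the first post: ';' precedes 'declare' -> blocked
    (";DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST", "thread's probe"),
    # same probe with ';', '(', ')' and '=' all %-encoded: %3B and %29 are not in
    # the delimiter list, so group 1 never matches -> passes straight through
    ("%3BDECLARE%20%40S%20CHAR%284000%29%3BSET%20%40S%3DCAST", "fully encoded probe"),
    # classic quote-then-UNION probe -> blocked
    ("id=1%27%20union%20select%201", "quote + union"),
    # ordinary query string: contains the keyword 'set' but no delimiter -> passes
    ("page=settings", "benign"),
    # false positive: %22 followed later by the substring 'cast' inside 'podcast'
    ("search=%22podcast%22", "benign search, blocked"),
    # keyword BEFORE the delimiter does not match: group 1 must come first
    ("cmd=select;", "keyword then delimiter, passes"),
]

def evaluate(cases=CASES):
    """Return {query_string: blocked?} for the constructed cases."""
    return {q: blocked(q) for q, _ in cases}

if __name__ == "__main__":
    for q, note in CASES:
        print(f"{'403' if blocked(q) else '200':>4}  {note:<34} {q}")
```

    Two things the emulation makes visible: a probe that %-encodes every punctuation character carries none of the listed delimiters and is served normally, and a harmless search for "podcast" in quotes is refused. The rule is a filter on request text, not on what the application does with it; the later replies about fixing the code and about attackers retrying until something slips past apply.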

  11. #11
    Join Date
    Jun 2007
    Posts
    72
    Many thanks for the code AHFB.

    Dummy machines? You mean forged IPs?

  12. #12
    Join Date
    Oct 2005
    Posts
    435
    Not forged, but bots: basically machines controlled by someone or a group.

    Anyway, .htaccess is definitely the way to go to ignore the generic attacks, but getting nicely coded applications and using the most updated versions is nice. Personally, mod_security is nice in the sense that you use it to tighten the security. Of course you shouldn't think of it as "I installed mod_security, I'm good now" but rather use it as a way of tightening up the server. I do that because even the latest software might have some holes in it which can be used.

  13. #13
    Join Date
    Dec 2002
    Location
    USA
    Posts
    339
    Quote Originally Posted by linux-tech View Post
    Do NOT rely on CPanel to do your administration work for you. Installing and configuring mod_security is not something that can be 'automated' by something like CPanel. You need to take god knows how many variables into affect, including what you're running on the server itself.

    mod_security is NOT an all encompassing, or all in one solution. It's more of a pain in the tail end than a solution. A PROPER solution is to keep your server updated, patched, and worm free.
    Sure everyone should know how to administer their servers without fancy GUI interfaces. But that is not reality. If it was then Cpanel would not have hundreds of thousands of users.

    If most noobie end users could keep their servers patched, updated, and worm free -- they really would not need cpanel. But they do. So, attacking CPanel is not really logical.

    And yes, Mod Security fills the needs of the overwhelming majority of servers out there. No, it is not the end all be all, but it is a nice useful utility that is EASY to use.

  14. #14
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    linux-tech makes a good point though. If you rely solely on mod_security to protect you, and you have insecure scripts on the server, one day it will bite you. As an example, if you have a hungry lion in a room with a closed door, you're safe. But if someone manages to open the door, they'll get eaten. Better to lock the door AND feed the lion well AND keep the lion in a cage. If someone opens the door by accident then, they'll be OK.

    However, I've found mod_security fantastic, and wouldn't do without it. For instance, it's not fun to need to upgrade 30 Joomla 1.5 sites in a hurry because of the token password reset bug. (although in that case a simple locate/cksum could be used to identify existing insecure files and replace; that's not always an available solution though).

  15. #15
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    If it was then Cpanel would not have hundreds of thousands of users.
    You say that like CPanel is the 'ultimate' systems admin tool. It's not. It's not even anywhere NEAR the top of the chart, because it's NOT intended to keep people 'up to date'.

    The primary goal and focus of CPanel is to be a Control Panel, something designed to help people do their job easier (i.e. create email, add MySQL databases, domains, FTP accounts). It is NOT 'security' software.

    Too many people recently have relied on CPanel to be their 'systems admin', when that's just not the job of CPanel. Oh sure, it's tried so hard to do it, but it CAN NOT, and WILL NOT ever take the place of a qualified systems admin.

    Administration is so much more than looking at a pretty front end in your browser. That's ALL Cpanel is, a pretty front end. It does a lot of things for you, but it can not administrate your server for you. YOU must have the skill and the talent to do that yourself.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  16. #16
    Join Date
    Aug 2008
    Location
    Shoreline WA
    Posts
    160
    To focus on your question, not arguing about what cPanel is or is not, or the value of an experienced server administrator, I would have to say yes to your question. There is a way to filter those requests out, but setting up any kind of a filter is only a band-aid on a wound that needs to heal. I would suggest only using that as a temporary solution while you work out the actual problems in the old exploitable code. Then again you may already know this, and you just wanted a band-aid so you can work on fixing the root of the problem. I would suggest following some of the links mentioned by "dynamicnet", or if you do not do your own programming, find an experienced admin (programmer experienced in security matters) and have him work the code over.

  17. #17
    Join Date
    Jun 2007
    Posts
    72
    Fortunately I had not set up any database on that server; all of the databases are in another protected and managed DC. Also I believe that banning IPs was effective; many of the hackers are just children who study some attacking methods in books or learn something in university and want to test it, so blocking the IPs can send a warning to them and also a warning to network managers about the people who rent their servers.

    When their group tries a few times and sees that everything is secure, they go on their way.

    Besides this, I appreciate all of the help and kind messages.

  18. #18
    Join Date
    Dec 2002
    Location
    USA
    Posts
    339
    Quote Originally Posted by linux-tech View Post
    You say that like CPanel is the 'ultimate' systems admin tool. It's not. It's not even anywhere NEAR the top of the chart, because it's NOT intended to keep people 'up to date'.
    Never wrote Cpanel was the 'ultimate systems admin tool'. You invented that part.

    I stated that Cpanel serves a function for server owners who are not proficient in running server admin functions without a GUI.

    You might want to let the Cpanel staff know you can't 'update' system software using their product. They probably would be surprised by that 'fact'.

    If this was a perfect world, every server owner could admin and write code on their own. But, the vast majority of server admins are noobs and need their hand held in running a server. Cpanel is that hand holding for many and many grow from that experience into learning command line functions. To trash Cpanel is just silly.

  19. #19
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    Quote Originally Posted by brianoz View Post
    However, I've found mod_security fantastic, and wouldn't do without it....
    I forgot the most important part of this, which was to say that the reason mod_security works well for me is that it works together with CSF to firewall off anyone who is testing dodgy URLs. This means that in general they only get a few chances to try SQL injection/URL inclusion/etc. before getting cut off; mostly this means they'll then move on and try a softer target (because it's an automated scanner). While mod_security by itself is OK, it only slows things down a little; the attackers just retry URLs until they find one that isn't matched and blocked in mod_security.
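    Added example, not from the thread: the "few chances, then cut off" behaviour described in the post above, written out as a sliding-window counter in Python. It assumes you can feed it events of the form (epoch seconds, client IP, HTTP status) taken from the access log, with 403 standing for a request that mod_security or the rewrite rule refused; the IPs it returns are the ones you would hand to the firewall. CSF's own thresholds and log parsing are not modelled, and the events are constructed from RFC 5737 documentation addresses.

```python
"""Decide which clients to firewall after repeated blocked probes.

Added example, not from the thread. Events are (epoch_seconds, ip, status);
a 403 stands for a request refused by mod_security or the rewrite rule.
SAMPLE_EVENTS is constructed using RFC 5737 documentation addresses.
"""
from collections import defaultdict, deque

def ips_to_block(events, threshold=5, window=600):
    """Return the IPs that reached `threshold` refused requests inside any
    `window`-second span. Timestamps older than the window fall out, so a
    slow scanner stays under the line while a burst trips it."""
    recent = defaultdict(deque)              # ip -> timestamps of its recent 403s
    banned = set()
    for ts, ip, status in sorted(events):    # tolerate unordered log input
        if status != 403 or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop 403s older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return banned

SAMPLE_EVENTS = [
    # burst: five refused probes in 31 seconds -> banned
    (1000, "198.51.100.7", 403), (1005, "198.51.100.7", 403), (1012, "198.51.100.7", 403),
    (1020, "198.51.100.7", 403), (1031, "198.51.100.7", 403),
    # slow scanner: one refused probe every 15 minutes -> never 5 inside a 10-minute window
    (1000, "203.0.113.9", 403), (1900, "203.0.113.9", 403), (2800, "203.0.113.9", 403),
    (3700, "203.0.113.9", 403), (4600, "203.0.113.9", 403),
    # ordinary user who tripped the filter once (e.g. a search term) -> not banned
    (1000, "192.0.2.20", 200), (1003, "192.0.2.20", 403), (1100, "192.0.2.20", 200),
]

if __name__ == "__main__":
    print("block (10 min window):", sorted(ips_to_block(SAMPLE_EVENTS)))
    print("block (66 min window):", sorted(ips_to_block(SAMPLE_EVENTS, window=4000)))
```

    The window and threshold are the whole trade-off: widen the window and the slow scanner is caught too, lower the threshold and the user whose search term matched a filter keyword gets firewalled along with the bots.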

  20. #20
    Join Date
    Jul 2002
    Location
    Victoria, Australia
    Posts
    36,941


    This isn't a discussion about cPanel, please stick to the topic.

  21. #21

    Quick question

    Quote Originally Posted by AHFB HTML View Post
    Forget about blocking the ips, these attempts are distributed thru dummy machines.

    I added the below to my htaccess and stopped them dead.

    Code:
    RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
    RewriteRule .* - [F]
    Hi,

    Apologies on resurrecting an old post, but I was wondering if this has to work in conjunction with any other code or is it fine to put as a standalone entry in your .htaccess file?

    In layman's terms, how does it handle rewrites?

    Many thanks in advance.

    K.
