How to prevent iframe injection attack?

  #1  
Old 08-26-2008, 10:30 AM
xoleno xoleno is offline
Junior Guru Wannabe
 
Join Date: Jun 2007
Posts: 72
*

How to prevent iframe injection attack?


I see a request in my log files:

GET /?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST

Followed by some codes ...

There are too many pages on the Net about injection attacks, but all I could find is at the level of news. Apparently these types of attacks are increasing these days, but is there no cure?

I think the injection attacks I found in the logs are a kind of Asian iframe attack which shows the user the mandate of a video CODEC installation or some such thing ...

My question: is it possible to prevent and block some request strings in Apache? For example, when a request arrives containing the above string?

At the end, I want to insert those attacker IPs:


  #2  
Old 08-26-2008, 11:01 AM
Frontpage1 Frontpage1 is offline
Web Hosting Guru
 
Join Date: Dec 2002
Location: USA
Posts: 337
A nice solution is Mod Security if you are not using it already. It will block a lot of those injection attacks with the proper filters.

  #3  
Old 08-26-2008, 12:08 PM
xoleno xoleno is offline
Junior Guru Wannabe
 
Join Date: Jun 2007
Posts: 72
Thanks FrontPage1, is it possible to learn it in a few days?

Do you know some useful resources?

  #4  
Old 08-26-2008, 01:21 PM
prashant1979 prashant1979 is offline
Eternal Learner
 
Join Date: Jul 2007
Posts: 1,911
Though all the security measures can block iframe SQL injections, they are not foolproof solutions. The best way to prevent SQL injections is to make sure the coding is done keeping the security perspectives in mind. I have noticed many programmers writing bad pieces of code and the applications getting attacked by SQL injections. In such a case, the programmers have to be forced to correct the code.

  #5  
Old 08-27-2008, 04:35 AM
maxknight maxknight is offline
Web Hosting Guru
 
Join Date: Mar 2004
Posts: 287
I agree with prashant1979. The gateway is the badly written code and that needs to be taken care of first.

  #6  
Old 08-27-2008, 10:13 AM
pmabraham pmabraham is offline
Web Hosting Master
 
Join Date: Dec 2001
Posts: 5,221
Greetings:

See http://groups.google.com/group/stopb...818a35ff3d37a4 and http://groups.google.com/group/stopb...660efeada77216 in terms of our experiences with this issue.

Thank you.

__________________
---
Peter M. Abraham
LinkedIn Profile


  #7  
Old 08-27-2008, 11:27 AM
Frontpage1 Frontpage1 is offline
Web Hosting Guru
 
Join Date: Dec 2002
Location: USA
Posts: 337
Quote:
Originally Posted by xoleno View Post
Thanks FrontPage1 , is it possible to learn it during some few days?

Do you know some useful resources?
Are you using Cpanel? If you are, it is very easy to install and configure Mod Security. There are plenty of filters to block sql injection and protect poorly coded php/mysql scripts.

  #8  
Old 08-27-2008, 12:59 PM
twhiting9275 twhiting9275 is offline
Just me
 
Join Date: Sep 2002
Location: Among the corn
Posts: 10,423
Do NOT rely on CPanel to do your administration work for you. Installing and configuring mod_security is not something that can be 'automated' by something like CPanel. You need to take god knows how many variables into affect, including what you're running on the server itself.

mod_security is NOT an all encompassing, or all in one solution. It's more of a pain in the tail end than a solution. A PROPER solution is to keep your server updated, patched, and worm free.

  #9  
Old 08-27-2008, 01:29 PM
xoleno xoleno is offline
Junior Guru Wannabe
 
Join Date: Jun 2007
Posts: 72
I found a book, "Apache Security", apparently written by the creator of mod_security. It is a little difficult for me to understand but I'm trying, and I hope to find an easier source.

Unfortunately this is a Plesk VPS. Currently Apache gives code 200 to the above GET string and this is not a good symptom.

However, it seems none of the files are changed or infected. I had a look at all of the logs 3 times, and I always upgrade and install newer versions of software, but some things are wrong: rsyslog was stopped and I observe abnormal changes in website traffic, ...

  #10  
Old 08-27-2008, 03:49 PM
AHFBWEB AHFBWEB is online now
Web Hosting Master
 
Join Date: Apr 2003
Posts: 2,273
Forget about blocking the ips, these attempts are distributed thru dummy machines.

I added the below to my htaccess and stopped them dead.

Code:
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]

__________________
AHFBWEB Less customers per server, more power for you!
Fully Managed
Business Class Shared Hosting - VPS - Dedicated
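
An added illustration, not part of the thread or of any poster's code: a Python port of the RewriteCond pattern from post #10, run over access-log lines to see which past requests it would have refused and where it also flags benign traffic. The log lines, the 192.0.2.x addresses and the function names are constructed assumptions; the first request reuses only the truncated string quoted in post #1.

```python
import re

# Port of the RewriteCond pattern from post #10; the [NC] flag becomes re.IGNORECASE.
# Apache's %{QUERY_STRING} is the raw text after the first '?', not URL-decoded,
# which is why the rule lists both ' and %27, < and %3C, and so on.
RULE = re.compile(
    r"""^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
    r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""",
    re.IGNORECASE,
)

# Request line and status code as they appear in Apache's combined log format.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation addresses, invented timestamps and sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2008:10:30:01 +0000] "GET /?;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST HTTP/1.1" 200 5120
192.0.2.11 - - [26/Aug/2008:10:31:07 +0000] "GET /index.php?page=2&sort=asc HTTP/1.1" 200 8841
192.0.2.12 - - [26/Aug/2008:10:32:44 +0000] "GET /search.php?q=o%27brien+chess+set HTTP/1.1" 200 3310
192.0.2.13 - - [26/Aug/2008:10:33:12 +0000] "GET /forum.php?topic=updates HTTP/1.1" 200 2207
"""


def rule_matches(query_string):
    """True if the raw (still URL-encoded) query string would trigger the rule."""
    return RULE.match(query_string) is not None


def triage(log_text):
    """Return (status, target) for every logged request the rule would have refused."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a request line we can parse
        query = m.group("target").partition("?")[2]
        if rule_matches(query):
            hits.append((int(m.group("status")), m.group("target")))
    return hits


if __name__ == "__main__":
    for status, target in triage(SAMPLE_LOG):
        print(status, target)
```

The third sample line is a benign search (an apostrophe followed by the word "set") that the rule refuses as well, so a dry run like this over real logs shows the false-positive cost before the rule goes live. A hit logged with status 200 means the request reached the application, which is the case where the application's own query handling is what mattered.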

  #11  
Old 08-27-2008, 11:33 PM
xoleno xoleno is offline
Junior Guru Wannabe
 
Join Date: Jun 2007
Posts: 72
Many thanks for the code AHFB.

Dummy machines? You mean forged IPs?

  #12  
Old 08-28-2008, 02:15 AM
Darvil Darvil is offline
Aspiring Evangelist
 
Join Date: Oct 2005
Posts: 435
not forged.. but bots.. basically machines controlled by someone or a group.

Anyway .htaccess is definitely the way to go to ignore the generic attacks but getting nicely coded applications and using the most updated versions is nice. Personally mod security is nice in the sense that you use it to tighten the security. Of course you shouldn't think of it as "I installed mod security, I'm good now" but rather use it as a way of tightening up the server. I do that because even the latest software might have some holes in it which can be used.

  #13  
Old 08-28-2008, 11:58 AM
Frontpage1 Frontpage1 is offline
Web Hosting Guru
 
Join Date: Dec 2002
Location: USA
Posts: 337
Quote:
Originally Posted by linux-tech View Post
Do NOT rely on CPanel to do your administration work for you. Installing and configuring mod_security is not something that can be 'automated' by something like CPanel. You need to take god knows how many variables into affect, including what you're running on the server itself.

mod_security is NOT an all encompassing, or all in one solution. It's more of a pain in the tail end than a solution. A PROPER solution is to keep your server updated, patched, and worm free.
Sure everyone should know how to administer their servers without fancy GUI interfaces. But that is not reality. If it was then Cpanel would not have hundreds of thousands of users.

If most noobie end users could keep their servers patched, updated, and worm free -- they really would not need cpanel. But they do. So, attacking CPanel is not really logical.

And yes, Mod Security fills the needs of the overwhelming majority of servers out there. No, it is not the end all be all, but it is a nice useful utility that is EASY to use.

  #14  
Old 08-28-2008, 12:10 PM
brianoz brianoz is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Australia
Posts: 1,508
linux-tech makes a good point though. If you rely solely on mod_security to protect you, and you have insecure scripts on the server, one day it will bite you. As an example, if you have a hungry lion in a room with a closed door, you're safe. But if someone manages to open the door, they'll get eaten. Better to lock the door AND feed the lion well AND keep the lion in a cage. If someone opens the door by accident then, they'll be OK.

However, I've found mod_security fantastic, and wouldn't do without it. For instance, it's not fun to need to upgrade 30 Joomla 1.5 sites in a hurry because of the token password reset bug. (although in that case a simple locate/cksum could be used to identify existing insecure files and replace; that's not always an available solution though).

  #15  
Old 08-28-2008, 02:03 PM
twhiting9275 twhiting9275 is offline
Just me
 
Join Date: Sep 2002
Location: Among the corn
Posts: 10,423
Quote:
If it was then Cpanel would not have hundreds of thousands of users.
You say that like CPanel is the 'ultimate' systems admin tool. It's not. It's not even anywhere NEAR the top of the chart, because it's NOT intended to keep people 'up to date'.

The primary goal and focus of CPanel is to be a Control Panel, something designed to help people do their job easier (ie: create email, add mysql databases, domains, ftp accounts). It is NOT a 'security' software.

Too many people recently have relied on CPanel to be their 'systems admin', when that's just not the job of CPanel. Oh sure, it's tried so hard to do it, but it CAN NOT, and WILL NOT ever take the place of a qualified systems admin.

Administration is so much more than looking at a pretty front end in your browser. That's ALL Cpanel is, a pretty front end. It does a lot of things for you, but it can not administrate your server for you. YOU must have the skill and the talent to do that yourself.
