
Thread: IFrame attacks

  1. #1

    IFrame attacks

    Hi all,

    I am fed up with removing hidden iframes from several websites' index pages, and the hidden frames keep changing too. I have a Linux server with Plesk on it. I have changed all the FTP passwords. Still getting iframes in the pages.

    Could anyone please suggest what to do to prevent this from happening?

  2. #2
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    The iframes are mostly added through insecure scripts on a server, and almost never by using FTP access.

    First of all, look into suPHP and suExec to prevent users from wandering around the complete filesystem and having access to all other users' files.

    And of course find the script causing this problem, which is a lot easier if you have implemented the above options.

  3. #3
    Join Date
    May 2002
    Location
    Raleigh, NC
    Posts
    699
    Actually, a lot of them are being added through FTP attacks. Just do a Google search for 'gumblar attack' and you'll find plenty of info.

    However, for your specific situation, you should see if a Linux sysadmin can do an audit of your server and the affected pages to determine if your server has a rootkit and backdoor that an attacker is using, or the exact exploit being used to infect pages with the iframe code. There isn't just a one-size-fits-all answer.
    Tranquil Hosting

  4. #4
    Join Date
    Jul 2009
    Posts
    178
    Change permissions to 755 for files and directories.

    Change the ownership accordingly.

    Change passwords using the openssl tool: openssl rand -base64 12

    This should be enough to avoid attacks.

  5. #5
    Join Date
    Feb 2008
    Location
    London, UK
    Posts
    111
    If they keep coming through FTP, locate which user it is, contact the client and ask them to do a spyware scan. Spyware is a frequent player in this game.

  6. #6
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    Quote Originally Posted by MarketHosting View Post
    If they keep coming through FTP, locate which user it is, contact the client and ask them to do a spyware scan. Spyware is a frequent player in this game.
    That is good advice, although I would add that you should change their FTP password first.

  7. #7
    Join Date
    Sep 2008
    Location
    Sweden
    Posts
    1,283
    Use a secure FTP connection. ClamAV can help you find insecure pages; you can optimise them too.

  8. #8
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    Quote Originally Posted by nimafire View Post
    Use a secure FTP connection. ClamAV can help you find insecure pages; you can optimise them too.
    I know ClamAV can pick up viruses and trojans attached to uploaded files, but I don't know if it can pick up on a file containing an iframe attack.

  9. #9
    Join Date
    May 2009
    Posts
    31
    1. Check permissions of files and folders.
    2. Upgrade all software/applications (like WordPress, Joomla) to their latest versions.
    3. Add these lines to .htaccess:

    RewriteEngine On

    RewriteCond %{QUERY_STRING} ^.*(;|\ |>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
    RewriteRule .* - [F]

  10. #10
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by sysgallery View Post
    I have changed all the FTP passwords. Still getting Iframes in the pages.
    Take a good look through your FTP logs. Just this week we had a customer whose PC was apparently trojaned. Every time he changed his FTP username and password, within hours his whole site was attacked by dozens of IP addresses from all over the globe, and pages with iframes were uploaded.

    He completely reformatted the HD on his PC and started from scratch. So far so good, no more uploads. Apparently whatever keylogger was installed watched for FTP sessions, reported the credentials back to a botnet, which would begin uploading malicious code to the site within minutes of him logging in with new FTP credentials.
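    The FTP log review Sekweta describes above can be partly automated. The following is an added example (not a script from this thread or from any hosting panel): it parses xferlog-format transfer logs, the default format of proftpd, wu-ftpd and vsftpd with xferlog_std_format, and flags any account whose HTML/PHP files are uploaded from several distinct addresses inside a short window, which is exactly the pattern of a botnet replaying stolen credentials. The log lines are constructed for the demonstration; the one-hour window and the three-address threshold are assumed tuning values.

```python
"""Flag FTP accounts whose web files are uploaded from many distinct IPs.

Added example, not from this thread. Parses xferlog-format transfer logs and
looks for one account receiving uploads of web files from several addresses
inside a short window (the stolen-credentials pattern described above).
The sample lines are constructed; window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WEB_FILES = (".html", ".htm", ".php", ".js")

# Constructed sample: 'shopuser' gets web-file uploads from four IPs in 40
# minutes; 'blog' uploads one image and downloads one page (normal activity).
SAMPLE_XFERLOG = """\
Wed Aug 19 15:04:10 2009 1 203.0.113.5 2048 /home/shopuser/public_html/index.html b _ i r shopuser ftp 0 * c
Wed Aug 19 15:09:41 2009 1 198.51.100.77 2051 /home/shopuser/public_html/about.html b _ i r shopuser ftp 0 * c
Wed Aug 19 15:22:03 2009 2 192.0.2.200 2048 /home/shopuser/public_html/index.html b _ i r shopuser ftp 0 * c
Wed Aug 19 15:40:55 2009 1 203.0.113.9 2050 /home/shopuser/public_html/contact.php b _ i r shopuser ftp 0 * c
Wed Aug 19 16:10:00 2009 3 192.0.2.10 81920 /home/blog/public_html/photo.jpg b _ i r blog ftp 0 * c
Wed Aug 19 16:12:00 2009 1 192.0.2.10 4096 /home/blog/public_html/index.html b _ o r blog ftp 0 * c
"""


def parse_xferlog(text):
    """Yield one dict per parseable xferlog line.

    Field order: 5 date tokens, transfer-time, remote-host, file-size,
    filename, transfer-type, special-action, direction, access-mode,
    username, service, auth-method, auth-user-id, completion-status.
    Filenames are assumed space-free (proftpd writes spaces as underscores).
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue  # blank, truncated or foreign line
        try:
            when = datetime.strptime(" ".join(parts[0:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        yield {
            "time": when,
            "ip": parts[6],          # remote-host
            "path": parts[8],        # filename
            "direction": parts[11],  # 'i' = upload to server, 'o' = download
            "user": parts[13],       # username
        }


def suspicious_accounts(records, window=timedelta(hours=1), min_ips=3):
    """Return {user: sorted IPs} for accounts that received web-file uploads
    from at least `min_ips` distinct addresses within any `window` period."""
    by_user = defaultdict(list)
    for r in records:
        if r["direction"] == "i" and r["path"].lower().endswith(WEB_FILES):
            by_user[r["user"]].append((r["time"], r["ip"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def scan(text=SAMPLE_XFERLOG):
    """Parse the log text and return the flagged accounts."""
    return suspicious_accounts(parse_xferlog(text))


if __name__ == "__main__":
    for user, ips in scan().items():
        print(f"{user}: web files uploaded from {len(ips)} addresses: {', '.join(ips)}")
```

    On a real server the same function can be fed the contents of /var/log/xferlog (or wherever Plesk's FTP daemon writes it); an account that trips the threshold is the one whose password to change first and whose owner's PC to have scanned.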

  11. #11
    Join Date
    Nov 2002
    Posts
    1,468
    Try rebooting the VPS a couple of times.

    I think my friend told me he had a problem like this before; he rebooted and everything came back to normal.

  12. #12
    Join Date
    Oct 2008
    Posts
    2,249
    Quote Originally Posted by Sekweta View Post
    Take a good look through your FTP logs. Just this week we had a customer whose PC was apparently trojaned. Every time he changed his FTP username and password, within hours his whole site was attacked by dozens of IP addresses from all over the globe, and pages with iframes were uploaded.

    He completely reformatted the HD on his PC and started from scratch. So far so good, no more uploads. Apparently whatever keylogger was installed watched for FTP sessions, reported the credentials back to a botnet, which would begin uploading malicious code to the site within minutes of him logging in with new FTP credentials.
    Yep, a reformat or virus scans may work.... How do people even get these viruses anyway? Most virus scanners fix them.

  13. #13
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by darkeden View Post
    Yep, a reformat or virus scans may work.... How do people even get these viruses anyway? Most virus scanners fix them.
    If the virus scanner doesn't have the sig yet, as in a zero-day attack, it won't be detected before the trojan or rootkit is installed. A good rootkit can hide in the OS and remain undetected.

    Plus, a LOT of users don't have antivirus or anti-malware software installed, and you'd probably be surprised how many people either don't have Windows Update enabled, or don't have it configured to automatically install updates. I've done my fair share of on-site consulting work, and have seen way too many office PCs that were months (or more) behind in Windows Updates. I've also seen PCs where some idiot tech guy installed Windows, but failed to enable Windows Update at all, so their system was NEVER updated.

    It's easy to see why there are millions of infected PCs joined to botnets.

  14. #14
    Join Date
    Oct 2008
    Posts
    2,249
    Quote Originally Posted by Sekweta View Post
    If the virus scanner doesn't have the sig yet, as in a zero-day attack, it won't be detected before the trojan or rootkit is installed. A good rootkit can hide in the OS and remain undetected.

    Plus, a LOT of users don't have antivirus or anti-malware software installed, and you'd probably be surprised how many people either don't have Windows Update enabled, or don't have it configured to automatically install updates. I've done my fair share of on-site consulting work, and have seen way too many office PCs that were months (or more) behind in Windows Updates. I've also seen PCs where some idiot tech guy installed Windows, but failed to enable Windows Update at all, so their system was NEVER updated.

    It's easy to see why there are millions of infected PCs joined to botnets.
    Ouch..... Anyway, if the OP thinks he has a virus he could try this link http://andrewhansen.name/online-busi...tect-yourself/ which has 2 scanners. I'm playing a video game now so I haven't done much research hehe

  15. #15
    Make sure to keep your Apache/PHP and kernel updated. Also install the latest mod_security ruleset.

  16. #16
    Thanks everyone for your hints. I am checking the logs and the passwords too, and going to install other tools as well.

  17. #17
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    190
    Most iframe injections are the result of compromised FTP login credentials.

    You'll have to install a different anti-virus program on any PC that has FTP access to your site. This is critical. The reason for a different anti-virus program is that the virus knows how to evade detection by the current anti-virus program; otherwise somebody would know they have a virus. The anti-virus vendors have been using generic signatures lately because of the overwhelming load of new strains.

    Many people have had good success with one of the following: AVG, Avast, Avira or Malwarebytes.

    Install one of these, scan and clean every PC with FTP access to your site.

    Then change all FTP passwords - all of them. Don't let anyone access your site with FTP until you've seen their scan results.

    Then you can remove all iframe infections, and if you've been hit over and over again, Google has probably blacklisted your site. After you've performed all the above steps you can request a review (not a reconsideration, but a review).

    Let the forum here know of your results or questions.

  18. #18
    Join Date
    Apr 2009
    Location
    Tamilnadu, India.
    Posts
    227
    We experienced this problem last week; we removed the malicious code with a custom script written by our tech support team.

  19. #19
    Join Date
    Aug 2009
    Location
    rules.php
    Posts
    110
    Hi,

    You can use a .htaccess rule to prevent the iframe attacks, as below.

    RewriteCond %{QUERY_STRING} ^.*(;|\ |'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
    RewriteRule .* - [F]

  20. #20
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    190
    The .htaccess file won't have any effect on files that are FTP'd to the site with valid credentials. The RewriteCond you have would be for a query string injection.

    Many of these iframe infections are performed with stolen or compromised FTP credentials.
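    To make WeWatch's point concrete, here is an added example (not from the thread) that translates the RewriteCond posted in #9 and #19 into a Python regular expression and tries it against constructed query strings. It shows what the rule really is: a narrow keyword blacklist on the query string. It blocks an obvious UNION SELECT probe, misses an injection that uses keywords not on the list, blocks a harmless search containing a space followed by "set", and does nothing at all about a file placed on disk over FTP.

```python
"""What the posted .htaccess RewriteCond does and does not block.

Added example, not from the thread. The Apache pattern is reproduced as a
Python regex ([NC] becomes re.IGNORECASE) so it can be tried offline against
constructed query strings.
"""
import re

# Same alternation as the posted RewriteCond: a special character or
# encoded equivalent, followed somewhere later by one of the SQL keywords.
QUERY_RULE = re.compile(
    r"^.*(;| |>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
    re.IGNORECASE,
)


def is_blocked(query_string):
    """True if Apache would answer 403 ([F]) for this QUERY_STRING."""
    return QUERY_RULE.match(query_string) is not None


# Constructed cases with the outcome a practitioner should expect.
CASES = [
    ("id=5", False),                             # ordinary request
    ("id=5' UNION SELECT 1,2", True),            # textbook probe: caught
    ("q=red%27%20or%201=1%20--", False),         # no listed keyword: missed
    ("q=please set a date", True),               # legitimate search: false positive
    ("page=settings", False),                    # keyword without special char
]


def evaluate(cases=CASES):
    """Return the cases whose real outcome differs from the expected one."""
    return [(q, is_blocked(q)) for q, expected in cases if is_blocked(q) != expected]


if __name__ == "__main__":
    for q, expected in CASES:
        print(f"{'BLOCK' if is_blocked(q) else 'allow':5}  {q}")
    print("unexpected:", evaluate())
```

    Whatever a request looks like, the rule only ever sees the query string of an HTTP request; a page rewritten through an FTP session is served as-is, which is why the thread keeps returning to FTP credentials.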

  21. #21
    Join Date
    Dec 2005
    Location
    Istanbul / Turkiye
    Posts
    3
    Quote Originally Posted by WeWatch View Post
    The .htaccess file won't have any effect on files that are FTP'd to the site with valid credentials. The RewriteCond you have would be for a query string injection.

    Many of these iframe infections are performed with stolen or compromised FTP credentials.
    Yes, this is all about FTP.

    Some malware steals your FTP password by sniffing or keylogging.
    USE SECURE FTP CLIENTS AND A SECURE CONNECTION. Do not use a regular FTP connection. Most popular FTP clients support FTPS, SFTP or FTPES (FTP with TLS) connection types, and these methods are not sniffable by malware...

    << snipped >>
    Last edited by net; 08-19-2009 at 06:39 AM.

  22. #22
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    190
    Secure FTP won't stop keyloggers but will stop sniffing.

  23. #23
    Join Date
    Dec 2005
    Location
    Istanbul / Turkiye
    Posts
    3
    Quote Originally Posted by WeWatch View Post
    Secure FTP won't stop keyloggers but will stop sniffing.
    Yes, you're right.

    Finding and removing keyloggers is so difficult.

    I'm using Startup Monitor to watch for startup changes. Most malware and keyloggers write their startup code to the Windows startup entries in the registry.

    http://www.mlin.net/StartupMonitor.shtml

    Thanks to Mike Lin...

  24. #24
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by hidonet View Post
    Most popular FTP clients support FTPS, SFTP or FTPES (FTP with TLS) connection types, and these methods are not sniffable by malware...
    The problem is, many servers in use don't support SFTP or FTPS. There are millions of Windows servers in the world, and neither IIS5 nor IIS6 supports these secure protocols. You have to either roll your own SSH, FTPS or SFTP with a 3rd-party product, or dump the Microsoft FTP service and install another FTP service (example: Serv-U) which does.

    Then you get into the issue of some control panels not supporting the 3rd party products, so it becomes a manual effort on the admin's part and that does not scale. (Please, let's not get into a holy war about MS sucking and *nix ruling. I prefer MS server products myself, but fully respect the reasons for why some prefer *nix.)

    Fortunately Server 2008 does support FTP security, so this will become less of a problem over time as the 2000/2003 boxes slowly go away.

  25. #25
    Thanks for sharing

  26. #26
    I did try the script made by Hidonet and it's working like a charm...

    This is a sample:

    Warning !!!

    19.08.2009 15:04:10 Wednesday

    There is a GUMBLAR ATTACK on account xxxxxxx

    Infected file : /home/xxxxxxx/public_html/index.html

    Infection : Trojan.Iframe-9

    Action : /home/xxxxxxx/public_html/index.html: moved to '/karantina/clamav//index.html.002'

    Password might be changed to : ABC56XYZ

    Ret : /home/xxxxxxx/public_html/index.html: Trojan.Iframe-9 FOUND
    /home/xxxxxxx/public_html/index.html: moved to '/karantina/clamav//index.html.002'
    <passwd>
    <passwd>
    <rawout>Changing password for xxxxxxx
    Password for xxxxxxx has been changed
    Updating ftp passwords for xxxxxxx
    Ftp password files updated.
    Ftp vhost passwords synced</rawout>
    <services>
    <app>system</app>
    </services>
    <services>
    <app>ftp</app>
    </services>
    <services>
    <app>mail</app>
    </services>
    <services>
    <app>mySQL</app>
    </services>
    <status>1</status>
    <statusmsg>Password changed for user xxxxxxx
    </statusmsg>
    </passwd>
    </passwd>

    <!-- Web Host Manager (c) cPanel, Inc. 2008 http://cpanel.net/ Unauthorized copying is prohibited. -->

    Process Killed : 6492
    IP Blocked : xx.xxx.xxx.xxx
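    The output above comes from a detect-quarantine-reset loop: find the injected page, move it out of the document root, then rotate the account's password. The following is an added example in that spirit; it is not Hidonet's script and not ClamAV. Instead of a signature it uses a heuristic on iframe attributes (near-zero size, display:none, visibility:hidden, off-screen position), which is how injected frames are hidden from visitors, and it moves hits into a quarantine directory so the evidence survives for the audit Tranquil Hosting recommended. The web root it scans is a constructed throwaway tree; the file extensions and hiding patterns are assumptions and should be extended to whatever the server actually serves.

```python
"""Find web pages carrying hidden <iframe> injections and quarantine them.

Added example, not the script whose output is shown above and not ClamAV.
Detection is a heuristic on iframe attributes that make the frame invisible
to a visitor; the sample web root is constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile
from datetime import datetime

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)

# Attribute forms that hide a frame from the visitor (assumed list).
HIDDEN_PATTERNS = [
    # width/height of 0 or 1, as attribute or CSS, not followed by more digits
    re.compile(r"""\b(width|height)\s*[=:]\s*["']?\s*[01]\s*(px)?\s*(?=["';\s/>])""", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(left|top)\s*:\s*-\s*\d{3,}", re.I),  # pushed far off-screen
]
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js", ".tpl")


def hidden_iframes(content):
    """Return every iframe tag in `content` that matches a hiding pattern."""
    return [tag for tag in IFRAME_RE.findall(content)
            if any(p.search(tag) for p in HIDDEN_PATTERNS)]


def scan_webroot(root):
    """Return {path relative to root: [suspicious tags]} for files under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    tags = hidden_iframes(fh.read())
            except OSError:
                continue  # unreadable file: report nothing rather than crash
            if tags:
                findings[os.path.relpath(path, root)] = tags
    return findings


def quarantine(root, findings, quarantine_dir):
    """Move each flagged file into quarantine_dir (keeping its relative path
    and adding a timestamp) and return the new locations. Moving rather than
    deleting preserves the evidence for a later audit."""
    moved = []
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    for rel in findings:
        dest = os.path.join(quarantine_dir, rel + "." + stamp)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(os.path.join(root, rel), dest)
        moved.append(dest)
    return moved


def build_sample_webroot():
    """Create a constructed throwaway web root and return its path. The
    injected frames point at reserved .invalid / .example names."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "inc"))
    samples = {
        "index.html": '<html><body>Shop</body>'
                      '<iframe src="http://example.invalid/x" width="1" height="1" '
                      'style="visibility:hidden"></iframe></html>',
        "about.html": '<p>Watch:</p><iframe src="https://video.example/embed" '
                      'width="560" height="315"></iframe>',  # legitimate embed
        os.path.join("inc", "hidden.php"): '<?php ?><iframe style="display:none" '
                                           'src="http://example.invalid/y"></iframe>',
        "logo.png": "binary content, not scanned",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo():
    """Build the constructed tree, scan it, quarantine hits; return a summary."""
    root = build_sample_webroot()
    found = scan_webroot(root)
    moved = quarantine(root, found, tempfile.mkdtemp(prefix="quarantine-"))
    return {"flagged": sorted(found), "moved": len(moved),
            "remaining": sorted(os.listdir(root))}


if __name__ == "__main__":
    print(run_demo())
```

    Run against a real document root, the same three functions give the "Infected file" and "moved to" lines of the output above; the password reset and process kill that follow them are panel-specific and are left to the panel's own tools.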
