Thread: IFrame attacks
-
08-14-2009, 08:08 AM #1 WHT Addict
- Join Date
- May 2009
- Posts
- 157
IFrame attacks
Hi all,
I am fed up with removing hidden iframes from several websites' index pages, and the hidden frames keep changing too. I have a Linux server with Plesk on it. I have changed all the FTP passwords. Still getting iframes in the pages.
Could anyone please suggest what to do to prevent this from happening?
-
08-14-2009, 08:15 AM #2 Web Hosting Master
- Join Date
- May 2006
- Location
- EU & USA
- Posts
- 3,684
The iframes are mostly added through insecure scripts on a server, and almost never by using FTP access.
First of all, look into suPHP and suExec to prevent users from wandering around the complete filesystem and having access to all other users' files.
And of course find the script causing this problem, which is a lot easier if you have implemented the above options.
-
08-14-2009, 08:21 AM #3 Web Hosting Master
- Join Date
- May 2002
- Location
- Raleigh, NC
- Posts
- 714
Actually a lot of them are being added through FTP attacks. Just do a Google search for 'gumblar attack' and you'll find plenty of info.
However, for your specific situation, you should see if a Linux sysadmin can do an audit of your server and the affected pages to determine if your server has a rootkit and backdoor that an attacker is using, or the exact exploit being used to infect pages with the iframe code. There isn't just a one-size-fits-all answer.
-
08-14-2009, 01:06 PM #4 Temporarily Suspended
- Join Date
- Jul 2009
- Posts
- 178
Change permissions to 755 for files and directories.
Change the ownership accordingly.
Change passwords using the openssl tool: openssl rand -base64 12
This should be enough to avoid attacks.
-
08-14-2009, 02:17 PM #5 WHT Addict
- Join Date
- Feb 2008
- Location
- London, UK
- Posts
- 111
If they keep coming through FTP, locate which user it is, contact the client and ask them to do a spyware scan. Spyware is a frequent player in this game.
-
08-14-2009, 02:28 PM #6 Web Hosting Master
- Join Date
- Jan 2008
- Location
- St. John's, NL
- Posts
- 2,201
-
08-14-2009, 03:27 PM #7 I Like Beer!
- Join Date
- Sep 2008
- Location
- NL,IR
- Posts
- 1,491
Use a secure FTP connection. ClamAV can help you find the insecure page, and you can optimise them too.
-
08-14-2009, 04:11 PM #8 Web Hosting Master
- Join Date
- Jan 2008
- Location
- St. John's, NL
- Posts
- 2,201
-
08-16-2009, 01:24 PM #9 Junior Guru Wannabe
- Join Date
- May 2009
- Posts
- 31
1. Check permissions of files and folders.
2. Upgrade all software/applications (like WordPress, Joomla) to their latest versions.
3. Add these lines to .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
-
08-16-2009, 04:08 PM #10 Web Hosting Master
- Join Date
- Nov 2005
- Posts
- 1,224
Take a good look through your FTP logs. Just this week we had a customer whose PC was apparently trojaned. Every time he changed his FTP username and password, within hours his whole site was attacked by dozens of IP addresses from all over the globe, and pages with iframes were uploaded.
He completely reformatted the HD on his PC and started from scratch. So far so good, no more uploads. Apparently whatever keylogger was installed watched for FTP sessions, reported the credentials back to a botnet, which would begin uploading malicious code to the site within minutes of him logging in with new FTP credentials.
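The pattern described in this post (one account, index pages re-uploaded from many addresses within hours of a password change) can be pulled straight out of the FTP transfer log. The script below is an added example, not code from any poster; the log lines are constructed in the standard xferlog format used by wu-ftpd and ProFTPD, and the thresholds (3 addresses within 6 hours) are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed xferlog-style lines (wu-ftpd/proftpd transfer-log format), not
# taken from any poster. Field order: date (5 tokens), transfer time, remote
# host, size, path, type, special-action flag, direction (i=upload,
# o=download), access mode, username, then service/auth fields we ignore.
SAMPLE_XFERLOG = """\
Sun Aug 16 10:01:12 2009 1 192.0.2.10 812 /httpdocs/index.html b _ i r siteuser ftp 0 * c
Sun Aug 16 10:07:40 2009 1 198.51.100.7 815 /httpdocs/index.html b _ i r siteuser ftp 0 * c
Sun Aug 16 10:09:03 2009 1 203.0.113.99 820 /httpdocs/index.php b _ i r siteuser ftp 0 * c
Sun Aug 16 10:11:55 2009 1 198.51.100.44 811 /httpdocs/about/index.html b _ i r siteuser ftp 0 * c
Sun Aug 16 14:30:00 2009 2 192.0.2.10 40960 /httpdocs/images/logo.png b _ o r siteuser ftp 0 * c
Mon Aug 17 09:00:00 2009 1 192.0.2.55 1200 /httpdocs/news.html b _ i r otheruser ftp 0 * c
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \d+ (?P<host>\S+) "
    r"\d+ (?P<path>\S+) [ab] \S+ (?P<dir>[ido]) [arg] (?P<user>\S+) "
)

def parse_xferlog(text):
    """Return one dict per well-formed transfer line, with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["date"], "%a %b %d %H:%M:%S %Y")
            records.append(rec)
    return records

def suspicious_uploads(records, window_hours=6, min_ips=3):
    """Map each account whose uploads of index.* files came from at least
    min_ips distinct client addresses within window_hours to those addresses."""
    by_user = defaultdict(list)
    for r in records:
        if r["dir"] == "i" and re.search(r"/index\.[a-z0-9]+$", r["path"]):
            by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["when"])
        for i, first in enumerate(recs):
            later = [x for x in recs[i:]
                     if (x["when"] - first["when"]).total_seconds() <= window_hours * 3600]
            ips = sorted({x["host"] for x in later})
            if len(ips) >= min_ips:
                findings[user] = ips
                break
    return findings
```

Run it over the real xferlog after each password change; an account that trips the threshold points at a client PC whose credentials are being harvested, not at the server.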
-
08-16-2009, 04:16 PM #11 Web Hosting Master
- Join Date
- Nov 2002
- Posts
- 1,467
Try rebooting the VPS a couple of times.
I think my friend told me he had a problem like this before; he rebooted and everything came back to normal.
-
08-16-2009, 04:31 PM #12 Web Hosting Master
- Join Date
- Oct 2008
- Posts
- 2,253
-
08-16-2009, 04:42 PM #13 Web Hosting Master
- Join Date
- Nov 2005
- Posts
- 1,224
If the virus scanner doesn't have the sig yet, as in a zero-day attack, it won't be detected before the trojan or rootkit is installed. A good rootkit can hide in the OS and remain undetected.
Plus, a LOT of users don't have antivirus or anti-malware software installed, and you'd probably be surprised how many people either don't have Windows Update enabled, or don't have it configured to automatically install updates. I've done my fair share of on-site consulting work, and have seen way too many office PCs that were months (or more) behind in Windows Updates. I've also seen PCs where some idiot tech guy installed Windows, but failed to enable Windows Update at all, so their system was NEVER updated.
It's easy to see why there are millions of infected PCs joined to botnets.
-
08-16-2009, 05:09 PM #14 Web Hosting Master
- Join Date
- Oct 2008
- Posts
- 2,253
Ouch... Anyway, if the OP thinks he has a virus he could try this link http://andrewhansen.name/online-busi...tect-yourself/ which has 2 scanners. I'm playing a video game now so I haven't done much research hehe
-
08-17-2009, 08:31 AM #15 Support Facility
- Join Date
- Jun 2009
- Posts
- 2,335
Make sure to keep your Apache/PHP and kernel updated. Also install the latest mod_security ruleset.
-
08-17-2009, 08:47 AM #16 WHT Addict
- Join Date
- May 2009
- Posts
- 157
Thanks everyone for your hints. I am checking the logs and the passwords too, and I am going to install other tools as well.
-
08-18-2009, 04:32 AM #17 Junior Guru
- Join Date
- Oct 2008
- Location
- Chicago, IL
- Posts
- 222
Most iframe injections are the result of compromised FTP login credentials.
You'll have to install a different anti-virus program on any PC that has FTP access to your site. This is critical. The reason for a different anti-virus program is that the virus knows how to evade detection by the current anti-virus program; otherwise, somebody would know they have a virus. The anti-virus vendors have been using generic signatures lately because of the overwhelming load of new strains.
Many people have had good success with one of the following: AVG, Avast, Avira or Malwarebytes.
Install one of these, scan and clean every PC with FTP access to your site.
Then change all FTP passwords - all of them. Don't let anyone access your site with FTP until you've seen their scan results.
Then you can remove all iframe infections, and if you've been hit over and over again, Google has probably blacklisted your site. After you've performed all the above steps you can request a review (not a reconsideration, but a review).
Let the forum here know of your results or questions.
Thomas J. Raef
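The "remove all iframe infections" step above is easier if you can list what is actually hidden on each page first. The scanner below is an added example, not code from any poster or their company; the sample page is constructed with placeholder .invalid domains, and it flags an iframe by the three tricks seen in these injections: 0 or 1 pixel dimensions, display:none / visibility:hidden styling, or an off-screen position.

```python
import re

# Constructed sample page with placeholder (.invalid) domains; not taken from any
# poster. The first frame is a legitimate embed, the rest mimic injected ones.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://videos.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="http://bad.example.invalid/?d=get" width=1 height=1></iframe>
<IFRAME SRC="http://bad2.example.invalid/in.php" STYLE="visibility:hidden;position:absolute;left:-9999px"></IFRAME>
<iframe src="http://bad3.example.invalid/x" style="display: none"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# attribute name, then a double-quoted, single-quoted or bare value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")

def parse_attrs(attr_text):
    """Lower-cased attribute names mapped to their unquoted values."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(attr_text)}

def find_hidden_iframes(html):
    """Return (src, reasons) for every iframe sized or styled to be invisible."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        for dim in ("width", "height"):
            value = re.sub(r"px$", "", attrs.get(dim, "").strip().lower())
            if value.isdigit() and int(value) <= 1:
                reasons.append(f"{dim}={value}")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if re.search(r"(?:left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings
```

A frame hidden only by a parent element's style (a wrapping div with display:none) is not caught by these per-tag checks and needs a DOM-aware pass; treat this as a first triage, not a clean bill of health.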
-
08-18-2009, 05:02 AM #18 Junior Guru
- Join Date
- Apr 2009
- Location
- Tamilnadu, India.
- Posts
- 229
We experienced this problem last week; we removed the malicious code with a custom script written by our tech support team.
-
08-18-2009, 08:38 PM #19 Disabled
- Join Date
- Aug 2009
- Location
- rules.php
- Posts
- 111
Hi,
You can use a .htaccess rule to prevent the iframe attacks as below:
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
-
08-18-2009, 10:01 PM #20 Junior Guru
- Join Date
- Oct 2008
- Location
- Chicago, IL
- Posts
- 222
The .htaccess file won't have any effect on files that are FTP'd to the site with valid credentials. The RewriteCond you have would be for a query string injection.
Many of these iframe infections are performed with stolen or compromised FTP credentials.
Thomas J. Raef
-
08-19-2009, 06:16 AM #21 New Member
- Join Date
- Dec 2005
- Location
- Istanbul / Turkiye
- Posts
- 3
Yes, this is all about FTP.
Some malware steals your FTP password by sniffing or keylogging.
USE SECURE FTP CLIENTS AND A SECURE CONNECTION. Do not use a regular FTP connection. Most popular FTP clients support FTPS, SFTP or FTPES (FTP with TLS) connection types, and these methods are not sniffable by malware...
-
08-19-2009, 07:02 AM #22 Junior Guru
- Join Date
- Oct 2008
- Location
- Chicago, IL
- Posts
- 222
Secure FTP won't stop keyloggers but will stop sniffing.
Thomas J. Raef
-
08-19-2009, 07:45 AM #23 New Member
- Join Date
- Dec 2005
- Location
- Istanbul / Turkiye
- Posts
- 3
Yes, you're right.
Finding and removing keyloggers is so difficult.
I'm using Startup Monitor to watch for startup changes. Most malware and keyloggers write their startup entries to the Windows startup keys in the registry.
http://www.mlin.net/StartupMonitor.shtml
Thanks to Mike Lin...
-
08-19-2009, 08:14 AM #24 Web Hosting Master
- Join Date
- Nov 2005
- Posts
- 1,224
The problem is, many servers in use don't support SFTP or FTPS. There are millions of Windows servers in the world, and neither IIS5 nor IIS6 support these secure protocols. You have to either roll your own SSH or FTPS or SFTP with a 3rd party product, or dump the Microsoft FTP service and install another FTP service (example: Serv-U) which does.
Then you get into the issue of some control panels not supporting the 3rd party products, so it becomes a manual effort on the admin's part and that does not scale. (Please, let's not get into a holy war about MS sucking and *nix ruling. I prefer MS server products myself, but fully respect the reasons for why some prefer *nix.)
Fortunately Server 2008 does support FTP security, so this will become less of a problem over time as the 2000/2003 boxes slowly go away.
-
08-19-2009, 11:21 AM #25 New Member
- Join Date
- Aug 2009
- Posts
- 2
Thanks for sharing