views: 427 | answers: 5

My website has been compromised. Someone has injected some iframe markup in my website.

How have they done this? Only on my index.html, index.php page. But I have blocked write permissions for this page, then how were they able to write in my pages?

Will it affect other pages on my server?

Are there any other solutions to block this?

Thank you

<?php
include_once("commonfiles/user_functions.php");
include_once("user_redirect.php");
include_once("designs/index.html");
?>

<iframe src='url' width='1' height='1' style='visibility: hidden;'></iframe>

This is my index.php code; the <iframe> is injected after the PHP script.

+1  A: 

If the php file itself has been edited to include this iframe and if there truly is no way for another script you are running to write to the file then a user account with access to the file might have been compromised. If there is a user account with access to the file that has a weak password this would be my candidate as the most likely culprit.

They may have used some form of injection on your site to acquire usernames and password hashes and bruteforced those, they might have installed a keylogger on someone's machine who has access, or they may have just brute forced your login directly (assuming you don't have some sort of mechanism in place to prevent this).

First thing I would do is ensure there are no viruses running on anyone's computer who has access to the machine. Then go about changing passwords. And finally review the php scripts of the site for possible points of injection. Trouble spots are pretty much anywhere you're taking in some kind of user input and processing it without first checking to make sure it is safe to process (i.e. failure to strip dangerous characters from a user login form).

marco0009
Thank you. I am using Filezilla FTP for upload; is there any problem while uploading through that? But not only the dynamic site but the static site also gets affected.
RSK
Unless there's some vulnerability for Filezilla I am not aware of I can't see it being the direct cause of your problem. If you have it configured to store your login credentials it could be an additional source of password theft utilized by someone nefarious. However this would require they do already have access to the machine.
marco0009
OK, I will upload my files through the control panel. I think that will be more secure.
RSK
+1  A: 

From the comments that have been posted so far it seems almost certain that someone has gained access to a user account with write permissions on the files that are having code injected into them. It sounds like some individual has discovered one or more account passwords and has made it their pastime to occasionally log into your FTP and make some changes. Have you tried changing your passwords? I recommend using a fairly secure password, of at least 15 characters and using a variety of character types including unprintable characters if you are able (use alt/meta keys to enter UTF codepoints on the number pad).

If, after changing your password, you still observe the same problems, then there could be another issue. I would first seriously scrutinize your PHP scripts. Anywhere your scripts accept user input from a form, data stored in a cookie, or other data originating from outside the script itself (and therefore potentially "dirty" data), go over the operations of the script with this data very carefully. If you are using any such potentially dirty data to run an OS command, open/read/write a file, or query a database, then it is possible that the data contain escape characters that will escape your code, allowing an attacker to execute any code they wish within your script.

Keep an eye on your access logs. You mentioned that you remove the injected iframe code from your scripts and it keeps being re-injected, so if you can catch when it happens you can probably find a clue as to the source of the changes in your access logs.

Dustin Fineout
I have checked the log information, it shows the time when the page was edited, but I can't track the IP. Our website is on godaddy.com. I have to change the password as you mentioned. Thank you
RSK
The log you are viewing that specifies when a file was edited will not track IP because the file is always edited locally (within the file system). You should compare the timestamp of when the malicious edit occurred with timestamps in your webserver's access logs (if you are running apache, navigate to your apache directory and then open logs/access.log). You might find a pattern with an IP address accessing the page before/after the malicious edits are made.
Dustin Fineout
Also, please post whether the injections stop now that you've changed your password. Also, make sure you changed ALL your passwords, i.e. login to godaddy, your control panel login if different, any other web interfaces you might use, your FTP account, SSH if you have it, etc.
Dustin Fineout
Thank you for every one for the replies, I am regularly changing my passwords now after uploading files. Now my site is safe from injections.
RSK
+1  A: 

Grab yourself UPload Guardian. It will detect iframes in FTP/PHP based uploads in real-time and stop them, plus block the attacker's IP. The tool is great.

Steve
+1  A: 

See this thread for more on trying to block iframes.

Jon Hadley
+2  A: 

Someone with FTP access to your site (you or your developers) has a virus on their workstations. This virus has installed a keylogger that is stealing credentials from your FTP client and sending this information back to the hacker.

The hacker collects hundreds of such credentials and then uses a program to log into each server, download a file, modify it to append an iframe or block of obfuscated JavaScript or PHP, upload the file, download the next file, modify, upload, next, etc. The files downloaded may either match a set of names (such as only index.*, default.*, home.* etc) or just any html or PHP file.

The appended code is often either an iframe that is visibility: hidden or of 1x1px size, a <script> sourcing a remote JavaScript file on a dubious domain, a collection of Javascript obfuscated by some clever str.CharCode'ing, or a block of base64_encode'd eval()'d code. Unobfuscating the code, the result is often an iframe. More recently, some clever attackers are inserting remote shells, granting them backdoor access to your server.

Once all the files have been modified, the attacker logs out. Visitors to your site will be subject to malicious code from the domain linked in the iframe with the intention of installing viruses and rootkits. Among other functions, these viruses will install a keylogger to sniff FTP credentials... and the virus continues spreading.

The attacker is using your credentials, so they can only access files that you have access to. Sometimes, they will upload an additional file in certain directories with an encoded shell, allowing them return access to the server (the common ones are _captcha.php in /forums directories and img.php or gifimg.php in /gallery directories). If you host other domains on your server, as long as the user for the affected domain has no access beyond their current domain, others will not be affected.

There are two ways to stop this sort of attack -- prevention and proper antivirus. The attacks can be easily deflected by use of a firewall and limiting FTP access to only a few select IPs. The attackers are not attacking from your own workstation (yet), but rather a server elsewhere in the world. Using proper antivirus on all workstations with access to your FTP account -- or, better yet, not using Windows XP -- will help prevent the original infection from occurring.

If you are infected, it's fairly easy to clean the messes up using a bit of clever sed, depending how good you are at spotting the injection and making effective regexes. Otherwise, backups backups backups -- always have backups! ...Oh, and change your FTP password or they'll be back tomorrow.

Kale Stedman
Thank you. It is very useful.
RSK
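The thread's two practical steps, spotting the appended iframe or eval(base64_decode()) block so it can be stripped (the sed/regex cleanup above) and correlating the file's edit time with the webserver access log (Dustin Fineout's suggestion), as an added example that is not code from any of the posters. The sample page and log lines are constructed; the 10-minute window and the Apache timestamp format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Injection forms the answers describe: a hidden or 1x1 iframe, and an
# eval(base64_decode(...)) block appended to a PHP/HTML file.
INJECTED_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility:\s*hidden|width=['\"]?1['\"]?(?![0-9]))[^>]*>\s*</iframe>",
    re.IGNORECASE)
EVAL_BASE64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def find_injections(text):
    """Return (kind, snippet) pairs for every injection marker found in text."""
    hits = [("iframe", m.group(0)) for m in INJECTED_IFRAME.finditer(text)]
    hits += [("eval_base64", m.group(0)) for m in EVAL_BASE64.finditer(text)]
    return hits

def strip_iframes(text):
    """Remove injected iframes, leaving the legitimate PHP untouched."""
    return INJECTED_IFRAME.sub("", text).rstrip() + "\n"

# Timestamp field of an Apache access-log line, e.g. [10/Oct/2009:14:03:22 +0000]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def requests_near(log_lines, edited_at, window=timedelta(minutes=10)):
    """Return access-log lines timestamped within +/- window of the file's mtime."""
    near = []
    for line in log_lines:
        m = LOG_TS.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            if abs(ts - edited_at) <= window:
                near.append(line)
    return near

# Constructed sample: the question's index.php with the appended iframe.
SAMPLE_PAGE = """<?php
include_once("commonfiles/user_functions.php");
include_once("user_redirect.php");
include_once("designs/index.html");
?>
<iframe src='url' width='1' height='1' style='visibility: hidden;'></iframe>
"""
# Constructed log lines; only the second falls within 10 minutes of EDIT_TIME.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2009:13:10:05 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2009:14:03:22 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2009:16:40:00 +0000] "GET /about.php HTTP/1.1" 200 300',
]
EDIT_TIME = datetime(2009, 10, 10, 14, 5, 0)  # constructed mtime of the edited file
```

On a real host, feed `find_injections` each .php/.html file under the web root and pass the file's `os.path.getmtime` (as a datetime) to `requests_near`; a hit in the window points at the IP to check against your FTP logs.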