Friday, October 9, 2009

Website Protection Against iFrame Injections

If you have had an iframe injection attack, it is critical that you perform a thorough cleaning of your PC and any other PC that can FTP to your website. The hackers may be attacking your website via a virus that they downloaded to your computer without you realizing it. Even if you change passwords and remove the iframes, you may still be vulnerable to iframe injections.

The virus will take your new passwords and make them available to the hacker. First, it knows the files and default locations of various FTP software, FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.

The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password, which is why strong passwords aren't a defense in this case.

Second, the virus may install a keyboard logger. With everyone telling people not to save their FTP username and passwords, hackers started installing keyboard loggers for those who type their passwords in each time. Again, the stolen information is sent to a server that infects the web site.

Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, and send it to a server.

Fourth, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.

Depending on the virus on your computer, you may have to install a new anti-virus program. The virus may know how to evade detection by your current anti-virus. It doesn't matter what's being used currently; you may have to install something different.

Once you believe you have removed the iframe injections from your web pages, perform a complete virus scan of your PC before you start to change passwords. This will at least ensure that any new passwords will not be available to the hacker if the virus has been removed.

Use iframe scan tools on a daily basis to check for iframe injection attacks. You can find out more information on the scan tools and how to remove iframe injections by visiting:

Then, should you have an iframe injection again, it is probably not the result of a faulty script or weak FTP passwords, but the result of a virus on your PC with FTP access to the infected website. You need to remove this virus before creating new passwords.

You can use the following protection methods:
1) Scan and thoroughly clean your PC
2) Change all your FTP passwords
3) Change your hosting and database passwords
4) Check all files for this iframe injection, not just index pages. It could be anywhere you have a *body* tag. Use the iframe scan tools daily.
5) Check all your .htaccess files; you might find one in every folder, created by this virus. Make sure each one is your .htaccess file and has not been modified.
6) Check your web page CHMOD file permissions
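
Steps 4 and 5 can be scripted. The following is an added example, not part of the original post: it walks a local copy of the web root, flags iframe tags that look hidden in every file, and prints a SHA-256 for each .htaccess so it can be compared with your own copy. The hidden-iframe heuristic (0 or 1 pixel size, display:none, visibility:hidden) and the function names are assumptions.

```python
import hashlib
import os
import re
import sys

# Assumption: injected iframes are made invisible, so flag iframe tags with a
# 0 or 1 pixel width/height or a hidden style. Visible iframes are not reported.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?\s*[01](?:px)?\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def suspicious_iframes(text):
    """Return the iframe tags in text that look hidden."""
    return [m.group(0) for m in IFRAME.finditer(text) if HIDDEN.search(m.group(0))]


def scan_tree(root):
    """Walk root and return (findings, htaccess).

    findings: list of (path, tag) for every hidden-looking iframe, in any file.
    htaccess: dict mapping each .htaccess path to the SHA-256 of its content.
    """
    findings, htaccess = [], {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if name == ".htaccess":
                htaccess[path] = hashlib.sha256(data).hexdigest()
            # latin-1 never fails to decode, so no file type is skipped
            for tag in suspicious_iframes(data.decode("latin-1")):
                findings.append((path, tag))
    return findings, htaccess


if __name__ == "__main__":
    hits, hta = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, tag in hits:
        print("IFRAME  ", path, tag)
    for path, digest in sorted(hta.items()):
        print("HTACCESS", digest, path)
```

Run it against a downloaded copy of the site, and keep the .htaccess hashes from a known-clean state so that new or changed files stand out on the next daily run.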

When you have fixed your iframe problems, you shouldn't think of it as "I installed security, I'm good now" but rather use it as an opportunity to tighten up the server. You should do that because even the latest software might have some holes in it which can be exploited.
