Free Tech Support » Topic: How to Prevent iframe Injection

Nelson on "How to Prevent iframe Injection"

Nelson — Wed, 01 Jul 2009 04:30:37 +0000

Thanks for the tutorial.

Amit Bhawani on "How to Prevent iframe Injection"

Amit Bhawani — Mon, 08 Jun 2009 04:11:47 +0000

The features of that programs are :
1.) Hacker injects code, increasing the file size.
2.) Next request to serve the home page (or other page of your choice) triggers the detector, which compares current file size with that for archived original.
3.) Detector sends email with file mod timestamp to webmaster.
4.) Script replaces hacked file with copy of an archived original, exits.

You need to add the following code on the top of index.php after DOCTYPE declaration and also enter your email address in this code.

function hackDet () {
$tst = "";
$gzt = "index.php";
$stat = stat($gzt);
$gzt2 = "refz/x_" . $gzt;
$rstat = stat($gzt2);
$ref = $rstat[size];
$rtim = $_SERVER['REQUEST_TIME'];
$rtim2 = date("F d Y H:i:s.", $rtim) . " Eastern";
$mtim = filemtime($gzt);
$mtim2 = date("F d Y H:i:s.", $mtim) . " Eastern";

if ($stat[size] <> $ref)
{
$fw = "index.php";
$hak = file_get_contents($fw);

$msg = "$gzt has $stat[size] bytes and not $ref as it should.\n\n";
$msg .= "FILE MOD TIME $mtim: $mtim2\n";
$msg .= "REQUEST_TIME $rtim: $rtim2\n\n";
$msg .= "=================\n\n";
$msg .= $hak;

$msg = wordwrap($msg, 70);
mail(' yourn...@yourdomain.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it ', 'HACK ALERT', $msg);

$fr = "refz/x_index.php";
$str = file_get_contents($fr);
$tst = file_put_contents($fw, $str);
}
return $tst;
}

$tst = hackDet(); // calls the hack detection function
?>

knmurthy on "How to Prevent iframe Injection"

knmurthy — Mon, 08 Jun 2009 00:28:38 +0000

Hi Amit,
Today morning i got a site, which is giving the email alerts code , which will give alerts to our email when the code is attacked. The theory behind the code is simple, it keep on compares the size of index.php file. When it is hacked or iframe injected the size of file will vary. So, it will send the email alert. But i am confusing where to keep that code in our files? please clarify me. The ref site: http://badmalweb.com/bad-mal-web-extracts/bad-mal-web-extracts/injection-hack-detection-method---php-code.html

Amit Bhawani on "How to Prevent iframe Injection"

Amit Bhawani — Fri, 05 Jun 2009 08:33:46 +0000

i)But is there any plugin / software, which can send alert message immediately when the iframes are injected to our site?

I dont think there are any alert plugins which can get this job done.

ii) Is there any plugin / software which will automatically reject the iframe injection?

Most security plugins would notify you in the backend for insecure folders and script problems. Need to find any scripts like the one you asked for.

iii)Will WP Security Scan plugin stop the iframe injection? or it will do just scanning like exploit-scanner plugin?
As i said it wont be able to stop it completely.

knmurthy on "How to Prevent iframe Injection"

knmurthy — Thu, 04 Jun 2009 07:18:38 +0000

I have added exploit-scanner plugin in this site after experiencing the first iframe attack. It is useful for scanning, and for showing the places, where the iframes are existing in the codes.
i)But is there any plugin / software, which can send alert message immediately when the iframes are injected to our site?
ii) Is there any plugin / software which will automatically reject the iframe injection?
iii)Will WP Security Scan plugin stop the iframe injection? or it will do just scanning like exploit-scanner plugin?

Amit Bhawani on "How to Prevent iframe Injection"

Amit Bhawani — Thu, 04 Jun 2009 05:08:23 +0000

Regarding the hosting companies, we have backend virus scanners and scripts, permissions checkers which keep working in the background but the hackers keep finding ways to get into our servers. No one can help you secure and backup your data even though promised, you need to have your own copies for sure.

Amit Bhawani on "How to Prevent iframe Injection"

Amit Bhawani — Thu, 04 Jun 2009 05:06:04 +0000

Excellent post with detailed instructions how you removed the iframe injection and prevention tips.

I would also recommend using the plugins listed in this post which can help you for more security.

http://www.amitbhawani.com/blog/remove-harmful-website-warning/

knmurthy on "How to Prevent iframe Injection"

knmurthy — Thu, 04 Jun 2009 02:04:37 +0000

Hi Amit, today early morning around 4.00AM, i found that 0 people on http://www.andhrapradeshstate.in. It can happen, when Google keep the site in Sand box or Ban. Or it can happen some one hack the site. So, opened my site, to confirm whether my site is working properly, and found 'Unknown characters at XXXXX.php in line No. 17'.

Earlier also all my sites faced with iframe injection. So, I went to all index files and replaced the original code. I have observed that this iframe virus is deleting letter by letter in the codes. That means if we identify damage lately the deleted characters will be more. Mainly these iframe code are belongs to '.cn' sites. I searched many forums, got information like these iframe virus was introduced by anti-virus people for their busines growth, now SEO people are using these iframe injections to grab the high PR site's link juice.

And I found prevention methods
i) keep changing cpanel passwords regularly,
ii) ask you hosting people about the security of cpanel, iii)whenever you work with ftp, after that change passwords. So, I have tried to change my cpanel passwords in my cpanel. But it is rejecting. Earlier, my host people done these at their end. But I can't disturb them whenever I want to change the password. So, I have requested my hosting people to facilitate me to change my cpanel password in my cpanel itself.

And my another doubt How the hosting people can help in these matters? Is there any other better prevention method?