How to Prevent iframe Injection « Free Tech Support

Free Tech Support » Tech Support

How to Prevent iframe Injection

(8 posts) (3 voices)

Started 5 months ago by knmurthy
Latest reply from Nelson
This topic is not a support question

Tags:

security

knmurthy

senior member
Joined: Jan '09
Posts: 53

Hi Amit, today early morning around 4.00AM, i found that 0 people on http://www.andhrapradeshstate.in. It can happen, when Google keep the site in Sand box or Ban. Or it can happen some one hack the site. So, opened my site, to confirm whether my site is working properly, and found 'Unknown characters at XXXXX.php in line No. 17'.

Earlier also all my sites faced with iframe injection. So, I went to all index files and replaced the original code. I have observed that this iframe virus is deleting letter by letter in the codes. That means if we identify damage lately the deleted characters will be more. Mainly these iframe code are belongs to '.cn' sites. I searched many forums, got information like these iframe virus was introduced by anti-virus people for their busines growth, now SEO people are using these iframe injections to grab the high PR site's link juice.

And I found prevention methods
i) keep changing cpanel passwords regularly,
ii) ask you hosting people about the security of cpanel, iii)whenever you work with ftp, after that change passwords. So, I have tried to change my cpanel passwords in my cpanel. But it is rejecting. Earlier, my host people done these at their end. But I can't disturb them whenever I want to change the password. So, I have requested my hosting people to facilitate me to change my cpanel password in my cpanel itself.

And my another doubt How the hosting people can help in these matters? Is there any other better prevention method?

Posted 5 months ago #
admin

Amit Bhawani
Joined: Jan '09
Posts: 250

Excellent post with detailed instructions how you removed the iframe injection and prevention tips.

I would also recommend using the plugins listed in this post which can help you for more security.

http://www.amitbhawani.com/blog/remove-harmful-website-warning/

Posted 5 months ago #
admin

Amit Bhawani
Joined: Jan '09
Posts: 250

Regarding the hosting companies, we have backend virus scanners and scripts, permissions checkers which keep working in the background but the hackers keep finding ways to get into our servers. No one can help you secure and backup your data even though promised, you need to have your own copies for sure.

Posted 5 months ago #
knmurthy

senior member
Joined: Jan '09
Posts: 53

I have added exploit-scanner plugin in this site after experiencing the first iframe attack. It is useful for scanning, and for showing the places, where the iframes are existing in the codes.
i)But is there any plugin / software, which can send alert message immediately when the iframes are injected to our site?
ii) Is there any plugin / software which will automatically reject the iframe injection?
iii)Will WP Security Scan plugin stop the iframe injection? or it will do just scanning like exploit-scanner plugin?

Posted 5 months ago #
admin

Amit Bhawani
Joined: Jan '09
Posts: 250

i)But is there any plugin / software, which can send alert message immediately when the iframes are injected to our site?

I dont think there are any alert plugins which can get this job done.

ii) Is there any plugin / software which will automatically reject the iframe injection?

Most security plugins would notify you in the backend for insecure folders and script problems. Need to find any scripts like the one you asked for.

iii)Will WP Security Scan plugin stop the iframe injection? or it will do just scanning like exploit-scanner plugin?
As i said it wont be able to stop it completely.

Posted 5 months ago #
knmurthy

senior member
Joined: Jan '09
Posts: 53

Hi Amit,
Today morning i got a site, which is giving the email alerts code , which will give alerts to our email when the code is attacked. The theory behind the code is simple, it keep on compares the size of index.php file. When it is hacked or iframe injected the size of file will vary. So, it will send the email alert. But i am confusing where to keep that code in our files? please clarify me. The ref site: http://badmalweb.com/bad-mal-web-extracts/bad-mal-web-extracts/injection-hack-detection-method---php-code.html

Posted 5 months ago #
admin

Amit Bhawani
Joined: Jan '09
Posts: 250

The features of that programs are :
1.) Hacker injects code, increasing the file size.
2.) Next request to serve the home page (or other page of your choice) triggers the detector, which compares current file size with that for archived original.
3.) Detector sends email with file mod timestamp to webmaster.
4.) Script replaces hacked file with copy of an archived original, exits.

You need to add the following code on the top of index.php after DOCTYPE declaration and also enter your email address in this code.

function hackDet () {
$tst = "";
$gzt = "index.php";
$stat = stat($gzt);
$gzt2 = "refz/x_" . $gzt;
$rstat = stat($gzt2);
$ref = $rstat[size];
$rtim = $_SERVER['REQUEST_TIME'];
$rtim2 = date("F d Y H:i:s.", $rtim) . " Eastern";
$mtim = filemtime($gzt);
$mtim2 = date("F d Y H:i:s.", $mtim) . " Eastern";

if ($stat[size] <> $ref)
{
$fw = "index.php";
$hak = file_get_contents($fw);

$msg = "$gzt has $stat[size] bytes and not $ref as it should.\n\n";
$msg .= "FILE MOD TIME $mtim: $mtim2\n";
$msg .= "REQUEST_TIME $rtim: $rtim2\n\n";
$msg .= "=================\n\n";
$msg .= $hak;

$msg = wordwrap($msg, 70);
mail(' yourn...@yourdomain.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it ', 'HACK ALERT', $msg);

$fr = "refz/x_index.php";
$str = file_get_contents($fr);
$tst = file_put_contents($fw, $str);
}
return $tst;
}

$tst = hackDet(); // calls the hack detection function
?>

Posted 5 months ago #
Nelson

new member
Joined: Jun '09
Posts: 4

Thanks for the tutorial.

Posted 4 months ago #

RSS feed for this topic

Reply

You must log in to post.