Mod security iframe protection

Discussion in 'Security' started by dfoxx, May 3, 2013.

  1. dfoxx

    dfoxx Member

    Hello,

    Is there a way to protect against iframe hacks?
    Because I notice that iframe hacks most of the time are included after the </html> or </body> tag, can those iframes be forbidden?
    Or is it possible to forbid all iframes with a width and height of 0?

    I already have the rules from Atomicorp; can you please post the correct mod-security rules?

    Or what is your advice?

    Best Regards
     
  2. quizknows

    quizknows Well-Known Member

    Blocking the iframes themselves would probably require output filtering with modsec; unfortunately, most rules I deal with are for preventing inbound requests, not data output. It could probably be done, but it's not the best solution for your problem in my opinion.

    You need to determine how the iframes are being added to the files. Trying to prevent them from being served is a moot point, since if they are there, your account is probably compromised. Check your FTP logs, and check the Apache domlogs for the time stamps when the files with bad iframes were last modified. I find most iframes are added with FTP logins that are compromised, so this is obvious in /var/log/messages. However, occasionally they're added with PHP shells; if it's done with PHP shells you need the Apache access logs.

    If your domlogs (Apache access logs) are being deleted every day (which is the default), you should disable that in WHM under Tweak Settings > Stats and Logs. Shut off "delete each sites access logs after stats run." Currently that's the only supported way to enable Apache access log archiving for all your users, but it kind of sucks because they never rotate and they're not compressed. The other option is to go into each cPanel under "raw access logs" and enable archiving. This is a much better solution, as the logs are compressed and stored in each user account, but VERY time consuming if you have a ton of users. I have written a script which will enable that option (raw access log archiving) for all your users; it is in the comments of this feature request:

    Better Apache Log Rotation | cPanel Feature Requests
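
The triage described in the post above, as an added example that is not part of the original thread or any poster's script: find files carrying zero-size or trailing iframes, take their last-modified time, and pull the access-log lines around it. The file extensions, the five-minute window, and the sample files and log lines are constructed assumptions.

```python
import os, re, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

CHECKS = [  # (label, pattern): the two iframe traits raised in the question
    ("zero-size iframe", re.compile(
        r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0(?:px)?["\']?(?=[\s>/])', re.I)),
    ("iframe after closing tag", re.compile(r'</(?:body|html)\s*>.*?<iframe\b', re.I | re.S)),
]
EXTS = {".html", ".htm", ".php", ".tpl"}  # assumed set of web file types to scan
LOG_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')

def find_injected(docroot):
    """Return [(path, mtime_utc, [reasons])] for web files holding suspicious iframes."""
    hits = []
    for path in Path(docroot).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            reasons = [label for label, rx in CHECKS if rx.search(text)]
            if reasons:
                mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
                hits.append((str(path), mtime, reasons))
    return hits

def requests_near(log_lines, mtime, minutes=5):
    """Return access-log lines whose timestamp lies within `minutes` of mtime."""
    span = timedelta(minutes=minutes)
    near = []
    for line in log_lines:
        m = LOG_TS.search(line)
        if m and abs(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") - mtime) <= span:
            near.append(line)
    return near

def demo():
    """Run both steps on constructed sample files and constructed log lines."""
    root = Path(tempfile.mkdtemp())
    (root / "clean.html").write_text('<body><iframe src="/map" width="600"></iframe></body>')
    bad = root / "index.php"
    bad.write_text('<body>hi</body></html>\n<iframe src="//bad.example/" width="0" height="0">')
    when = datetime(2013, 5, 3, 10, 15, 30, tzinfo=timezone.utc)
    os.utime(bad, (when.timestamp(), when.timestamp()))  # pin mtime for the sample
    log = [  # constructed lines in Apache combined-log style
        '203.0.113.9 - - [03/May/2013:10:15:28 +0000] "POST /images/up.php HTTP/1.1" 200 12',
        '198.51.100.4 - - [03/May/2013:08:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    ]
    return [(p, r, requests_near(log, t)) for p, t, r in find_injected(root)]

if __name__ == "__main__":
    print(demo())
```

A file's modification time can be reset by whoever changed the file, so compare it with the inode change time (`st_ctime`) before settling on a log window.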
     
  3. robb3369

    robb3369 Well-Known Member

    We use CXS and it catches every issue we've encountered with regards to iframe or code injection. It's just another layer of the onion...

    ConfigServer eXploit Scanner (cxs)
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    One of the sweeter layers I might add. :)
     