HTTP:Iframe Infection Fix

Discussion in 'General' started by grniyce, Jun 24, 2009.

  1. grniyce

    grniyce New Member

    There is a new onslaught of attacks again using the HTTP:Iframe injection method. I found one of the tools and you can see below how easily people are able to perform this method of attack to servers that do not have at least the default mod security rules applied to their server.


    If you find yourself or a client on your server in a situation where this attack has infiltrated their space, 99% of the time the injection is performed on htm / html files. Although the bash script below is not guaranteed to work 100% of the time, it should work fine to remove all of the files you specify within the script.

    For example: In the case that the below script was used, the client had a vBulletin board and did not need any html / htm files within his directory. They were all php files, so by removing all of the htm / html files it resolved the infection. Following removal their cPanel and all FTP passwords were changed.

    find /home/username -type f -name \*.htm\* -ls -exec rm -vf {} \;

    If you don't know what you are doing, please ask a question and someone will reply within this thread. Don't go deleting a whole bunch of files and then complain later. Make sure you know what needs to be done if the above scenario does not apply to you.
  2. grniyce

    grniyce New Member

    Follow Up: ClamAV will remove the infection, but it will not prevent it, so users should make sure to scan their home dir occasionally.
  3. grniyce

    grniyce New Member

    Scan the home directories and throw the results in an output file.

    for i in $(awk '!/nobody/{print $2}' /etc/userdomains | sort -u); do /usr/bin/clamscan -i -r "/home/$i"; done >> /root/infection

    Now this is better to run in screen as on larger systems the scan can continue even after you have logged out. The user can simply check /root/infection for the results.

    Note:
    The "-i" switch for clamscan simply says to print results for infected files only; the "-r" switch for clamscan simply says to scan recursively.

    The results will look similar to the following:

    /home/ahazygc/public_html/vb/cpstyles/vBulletin_MS_Sans/index.html:
    HTML.Iframe-32 FOUND

    etc...

    You can use these switches to remove, move, or copy the infected files:

    --remove[=yes/no(*)] Remove infected files. Be careful!
    --move=DIRECTORY Move infected files into DIRECTORY
    --copy=DIRECTORY Copy infected files into DIRECTORY
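    A way to see which .htm / .html files actually carry an injected frame before removing anything (post 1) and to review hits the way you would clamscan's output (post 3), added here as an example that is not code from this thread. It flags iframes hidden by zero dimensions or by hiding CSS, reports file and line, and can move (rather than delete) the flagged files into a quarantine directory for later review, the same idea as clamscan's --move. The sample documents, hostnames and paths below are constructed placeholders.

```python
"""Locate HTML files carrying hidden iframes (constructed example, not code from the thread)."""
import os
import re
import shutil
import sys
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    line: int
    reason: str
    snippet: str


# Any <iframe ...> opening tag; attributes may span several lines.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)

# width/height attribute of 0 or 1 (quoted or not, with or without "px"), not followed
# by further digits, so width=100 or width="10" does not match.
ZERO_SIZE_ATTR_RE = re.compile(
    r"\b(?:width|height)\s*=\s*[\"']?0*[01](?:px)?[\"']?(?!\d)", re.IGNORECASE
)

# Inline CSS that hides the frame: display:none, visibility:hidden, zero width/height,
# or an off-screen position with a large negative offset.
HIDING_STYLE_RE = re.compile(
    r"style\s*=\s*[\"'][^\"']*?(?:"
    r"display\s*:\s*none|"
    r"visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0+(?:px)?\s*(?:;|[\"'])|"
    r"(?:left|top)\s*:\s*-\d{3,}px"
    r")",
    re.IGNORECASE,
)


def classify(tag: str) -> Optional[str]:
    """Return why an iframe tag looks hidden, or None if it is visibly sized."""
    if ZERO_SIZE_ATTR_RE.search(tag):
        return "zero-size width/height attribute"
    if HIDING_STYLE_RE.search(tag):
        return "hiding CSS in style attribute"
    return None


def find_hidden_iframes(html: str, path: str = "<string>") -> List[Finding]:
    """Report every hidden iframe in one document with its 1-based line number."""
    findings = []
    for match in IFRAME_RE.finditer(html):
        reason = classify(match.group(0))
        if reason:
            line = html.count("\n", 0, match.start()) + 1
            findings.append(Finding(path, line, reason, match.group(0)[:120]))
    return findings


def scan_tree(root: str, suffixes=(".htm", ".html")) -> List[Finding]:
    """Walk a home directory and collect findings from every .htm/.html file."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(find_hidden_iframes(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return findings


def quarantine(findings: List[Finding], dest: str) -> List[str]:
    """Move each flagged file under dest (like clamscan --move) instead of deleting it,
    keeping its relative path so it can be restored after review."""
    moved = []
    for path in sorted({f.path for f in findings}):
        target = os.path.join(dest, path.lstrip(os.sep))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(path, target)
        moved.append(target)
    return moved


# Constructed sample documents; the hosts below are placeholders, not real indicators.
SAMPLE_CLEAN = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>
"""
SAMPLE_INFECTED = """<html><body>
<p>index page</p>
<iframe src="http://injected.example/in.php" width=0 height=0 frameborder=0></iframe>
<iframe src="http://injected.example/x.php" style="position:absolute;left:-5000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    # Usage: python hidden_iframes.py /home/username
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.path}:{f.line}: {f.reason}: {f.snippet}")
```

    Run it against a home directory first and read the report; only once the flagged files have been checked does quarantine() move them aside, which keeps a legitimate embedded video (the clean sample above) from being deleted along with the injected frames.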
  4. anewday

    anewday Moderator

    What's the mod_security 1.x rule to prevent this?
  5. grniyce

    grniyce New Member

  6. anewday

    anewday Moderator

    It doesn't tell the rules on that link above.
  7. grniyce

    grniyce New Member

    I am creating a new thread with the exact steps to apply the default mod_security and ASL mod_security rules effectively to probably 90% of the servers that exist, and I will then post that redirected link here in about 15 minutes.
  8. grniyce

    grniyce New Member

  9. anewday

    anewday Moderator

    Thanks, I just need the rule to protect iframe. I couldn't find it in the zip file. Could you paste it here? :)
  10. grniyce

    grniyce New Member

    Code:
    SecRule REQUEST_BODY|ARGS "< ?font style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).*(?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" \
            "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:300056,rev:1,severity:2,msg:'Spam: Hidden Text Exploit'"