HTTP:Iframe Infection Fix

grniyce

Well-Known Member
#1
There is a new onslaught of attacks again using the HTTP:Iframe injection method. I found one of the tools, and you can see below how easily people are able to perform this method of attack against servers that do not have at least the default mod_security rules applied.



If you find yourself or a client on your server in a situation where this attack has infiltrated their space, 99% of the time the injection is performed on htm / html files. Although the bash script below is not guaranteed to work 100% of the time, it should work fine to remove all of the files you specify within the script.

For example: in the case where the script below was used, the client had a vBulletin board and did not need any html / htm files within his directory. They were all php files, so removing all of the htm / html files resolved the infection. Following removal, their cPanel and all FTP passwords were changed.

find /home/username -type f -name \*.htm\* -ls -exec rm -vf {} \;

If you don't know what you are doing, please ask a question and someone will reply within this thread. Don't go deleting a whole bunch of files and then complain later. Make sure you know what needs to be done if the above scenario does not apply to you.
 

grniyce

Well-Known Member
#2
Follow Up: ClamAV will remove the infection, but it will not prevent it, so users should make sure to scan their home dir occasionally.
 

grniyce

Well-Known Member
#3
Scan the home directories and throw the results in an output file.

for i in $(awk '!/nobody/{print $2}' /etc/userdomains | sort -u); do /usr/bin/clamscan -i -r "/home/$i"; done >> /root/infection

This is better run in screen, as on larger systems the scan can then continue even after you have logged out. The user can simply check /root/infection for the results.

Note:
The "-i" switch for clamscan simply says to print results for infected files only.
The "-r" switch for clamscan simply says to scan recursively.

The results will look similar to the following:

/home/ahazygc/public_html/vb/cpstyles/vBulletin_MS_Sans/index.html:
HTML.Iframe-32 FOUND

etc...

You can use these switches to remove, move, or copy the infected files:

--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
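Putting posts #1 and #3 together, here is an added example (my own script, not grniyce's and not cPanel's or ClamAV's code) that builds the user list from /etc/userdomains the way the loop above does, then looks in each home for .htm/.html files carrying the usual hidden-iframe injection and moves them to a quarantine directory instead of rm-ing them, the same idea as clamscan's --move. The grep pattern, the temporary directory layout, the sample userdomains file, the user names and the sample pages are all constructed for the demo; on a real server point USERDOMAINS at /etc/userdomains, HOMEBASE at /home and QBASE somewhere under /root.

```shell
#!/bin/sh
# Added example, not code from the thread: per-user sweep for injected hidden
# iframes in .htm/.html files, quarantining hits instead of rm-ing them.
# Everything under DEMO is constructed for the demonstration; on a real cPanel
# box set USERDOMAINS=/etc/userdomains, HOMEBASE=/home, QBASE=/root/quarantine.
set -u

# Typical injection: an <iframe> sized 0/1 px or hidden via CSS. Single-line
# only, so attributes split across lines or built in JavaScript are missed;
# this is a triage grep, not a substitute for clamscan's signatures.
IFRAME_RE='<iframe[^>]*((width|height) *= *"?[01](px)?["[:space:]>]|display: *none|visibility: *hidden)'

# list_users FILE: usernames from a userdomains file ("domain: user" lines),
# skipping the nobody pseudo-user, each once (the awk from post #3).
list_users() {
    awk '!/nobody/{print $2}' "$1" | sort -u
}

# find_injected DIR: print each .htm/.html file under DIR that matches IFRAME_RE.
find_injected() {
    find "$1" -type f \( -name '*.htm' -o -name '*.html' \) -print0 2>/dev/null \
        | xargs -0 -r grep -Eil "$IFRAME_RE" 2>/dev/null
}

# scan_homes USERDOMAINS HOMEBASE QBASE: for every user, move each hit to
# QBASE/<user>/<relative path> so it can be inspected or restored, and print
# "user<TAB>original path" per file moved (what /root/infection holds above).
scan_homes() {
    udfile=$1; hb=$2; qb=$3
    list_users "$udfile" | while IFS= read -r u; do
        [ -d "$hb/$u" ] || continue
        find_injected "$hb/$u" | while IFS= read -r f; do
            rel=${f#"$hb/$u/"}
            mkdir -p "$qb/$u/$(dirname "$rel")"
            mv -f "$f" "$qb/$u/$rel"
            printf '%s\t%s\n' "$u" "$f"
        done
    done
}

# ---- constructed demo environment (hypothetical users, domains and pages) ----
DEMO=$(mktemp -d)
USERDOMAINS="$DEMO/userdomains"
HOMEBASE="$DEMO/home"
QBASE="$DEMO/quarantine"

setup_demo() {
    cat > "$USERDOMAINS" <<'EOF'
example.com: alice
www.example.com: alice
shop.example.net: bob
*: nobody
EOF
    mkdir -p "$HOMEBASE/alice/public_html/vb/cpstyles" "$HOMEBASE/bob/public_html"
    # alice: a 1x1 hidden iframe appended to an otherwise empty style-folder index
    printf '<html><body></body></html>\n<iframe src="http://bad.invalid/x.php" width=1 height=1 style="visibility:hidden"></iframe>\n' \
        > "$HOMEBASE/alice/public_html/vb/cpstyles/index.html"
    # alice: a legitimate visible iframe, must be left alone
    printf '<html><body><iframe src="/video.html" width="640" height="360"></iframe></body></html>\n' \
        > "$HOMEBASE/alice/public_html/index.html"
    # bob: display:none variant in a .htm file; the .php file is out of scope
    printf '<div><iframe src="http://bad.invalid/y.php" style="display:none"></iframe></div>\n' \
        > "$HOMEBASE/bob/public_html/index.htm"
    printf '<?php echo "hi"; ?>\n' > "$HOMEBASE/bob/public_html/index.php"
}

setup_demo
scan_homes "$USERDOMAINS" "$HOMEBASE" "$QBASE"   # prints the two quarantined files
# rm -rf "$DEMO" when finished inspecting the quarantine
```

Quarantining keeps the relative path, so a false positive (a site that really does use a 1px iframe) can be moved straight back; review what landed in QBASE before telling the client the site is clean, and still run clamscan afterwards, since this grep only knows one injection shape.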
 

grniyce

Well-Known Member
#7
I am creating a new thread with the exact steps to apply the default mod_security and ASL mod_security rules effectively to probably 90% of the servers that exist, and I will then post that redirected link here in about 15 minutes.
 

grniyce

Well-Known Member
#10
Code:
SecRule REQUEST_BODY|ARGS "< ?font style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).*(?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" \
        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:300056,rev:1,severity:2,msg:'Spam: Hidden Text Exploit'"
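To see what the rule above actually fires on, here is an added dry-run harness (mine, not part of the thread or of the ASL rule set) that pushes constructed request bodies through the rule's regex with grep. It approximates t:lowercase and t:compressWhiteSpace with tr and does not apply t:replaceNulls, t:htmlEntityDecode or t:urlDecodeUni, so an entity- or percent-encoded payload that the live rule would decode first is reported as a miss here. The pattern is the rule's own, transcribed from PCRE to POSIX ERE for grep -E: (?:x) becomes (x), \: becomes : and \; becomes ;.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run of rule 300056's regex against
# constructed request bodies. Transformations are approximated (see lead-in);
# the regex is the rule's, rewritten from PCRE into POSIX ERE for grep -E.
HIDDEN_TEXT_RE='< ?font style ?= ?(position ?: ?absolute|overflow ?: ?(hidden|auto)).*(height|width) ?(=|:) ?[0-9] ?(px|;)'

# normalize BODY: approximate t:lowercase and t:compressWhiteSpace
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -s '[:space:]' ' '
}

# matches BODY: exit 0 if the rule's regex hits the normalized BODY, 1 otherwise
matches() {
    normalize "$1" | grep -Eq "$HIDDEN_TEXT_RE"
}

# show BODY: print MATCH/miss beside the body
show() {
    if matches "$1"; then echo "MATCH  $1"; else echo "miss   $1"; fi
}

# Constructed samples of the hidden-text forum spam the rule targets:
show '<font style=position:absolute;overflow:hidden;height:1px>cheap pills</font>'
show '<FONT STYLE = overflow : auto ;   width : 0 ;>spam</FONT>'
# and payloads that stay outside the pattern:
show '<font style=color:red>legitimate text</font>'
show '<font style="position:absolute;height:1px">quoted style attribute</font>'
show '<font style=position:absolute;height:10px>two-digit size</font>'
```

The two misses at the end are the caveats worth knowing before relying on the rule as written: after `style=` and the optional space the pattern must see `position` or `overflow` directly, so a value wrapped in quotes does not match, and `[0-9]` admits a single digit, so `height:10px` passes while `height:1px` is blocked. Confirm against the real engine by posting the samples at a test vhost and reading the ModSecurity audit log, since the decoding transformations skipped here can change the outcome.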
 