  1. #1
    SitePoint Member

    FTP Iframe Injection Attacks

    For months I have been fighting off an “iframe injection attack”. I suspect the attack itself is done by some form of automated FTP process, because it is always the same 7 pages (including index.html) into which the malware is injected and seems to occur approximately once a week. The FTP logs show that the attack login always comes from an IP address in the range 69.200.0.0 – 69.207.255.255 owned by Road Runner HoldCo LLC, 13241 Woodland Park Road, Herndon, VA 20171 USA. I do not currently live in the US, have not been back to the US for over 5 years and have not visited the US eastern seaboard in over 10 years. Therefore, it is not my log-in IP appearing in the FTP logs for this server.

    About the site:
    • The site does NOT run Joomla or ANY other third party software.
    • The site does NOT use PHP or ANY server side scripting.
    • Other than some Javascript to control menu buttons and Google's own site search script, which were in operation years before that attack started, the site does NOT use any client side scripting.


    Actions taken to prevent these attacks:
    • Site moved to a different server, with an entirely different FTP log-in name.
    • Before the site was moved, every single file to be uploaded to the new server was thoroughly checked locally for security vulnerabilities.
    • Randomly generated, highly obscure FTP passwords are set via the hosting service control panel, both before and after any FTP site access.
    • Three (NON-WINDOWS) computers, each with a different OS, are used in random rotation to (a) generate the random password, (b) change the password before FTP log-in, (c) perform the FTP access, (d) change the password after FTP log-in. All three computers are regularly and thoroughly checked for malware key logging and nothing has ever been found.
    • Other than the attacker, I am the only person who knows the passwords and who has FTP access to the server.


    My web hosting provider is unable to offer any solution to this issue. Can anyone here suggest anything else I could do to eliminate these attacks?

    TIA

    Dave

  2. #2
    SitePoint Wizard
    How about your computer? Is that trojan free?

    And if the FTP password continues to change, how do you know what password to use?

  3. #3
    SitePoint Member
    I physically hand write the password down and nobody else has access to the paper it is written on.

  4. #4
    SitePoint Member
    Quote Originally Posted by sk89q:
    How about your computer? Is that trojan free?
    Which computer? The one running Linux, the one running BSD, or the one running Solaris?

    As stated in my original post:
    All three computers are regularly and thoroughly checked for malware key logging and nothing has ever been found.
    By "Malware" I include Trojans.

  5. #5
    Community Advisor
    I've seen a windows computer with this sort of infection pass virus checks by AVG and nod32, with only close examination of firewall rules for svchost (a commonly allowed executable) and hijackthis (in depth start up hook monitor) pointing it out. If you are using BSD/solaris/linux I'd think it unlikely that you'd be infected, but a firewall will indicate whether any outgoing traffic is going to places it shouldn't. FTP logins traverse the net in plain text, so you should consider your immediate network neighbourhood as it's possible that it could be sniffed by other computers with access to your local or server subnet.

    Although you aren't using any php - is php active on the server? Check your http access logs around the same time for the same ip or anything unusual.

    Other things you should do: switch to sftp, if the ftp server allows this.
    Configure the ftp server to only allow your ip/range, again if this is allowed.

    What control panel do the hosting use?
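One way to do the log check suggested in this reply, combined with the IP-range observation from the original post, as an added example that is not part of the thread: a Python script that parses xferlog-style FTP transfer-log lines and Apache combined-format access-log lines, flags uploads coming from the 69.200.0.0/13 range named in the first post (69.200.0.0 to 69.207.255.255), and counts HTTP requests from the same address within a few minutes of each upload. The log lines, paths and usernames below are constructed; the script assumes both logs are written against the same server clock and that the FTP log records numeric addresses rather than reverse-resolved hostnames.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Range named in the original post: 69.200.0.0 - 69.207.255.255 == 69.200.0.0/13
SUSPECT_RANGE = ipaddress.ip_network("69.200.0.0/13")

# Constructed xferlog-style lines (proftpd/wu-ftpd transfer log). Field order:
# timestamp, transfer secs, remote host, bytes, path, type, flag, direction
# ('i' = upload to server, 'o' = download), access mode, user, service, ...
FTP_LOG = (
    "Sat Sep 20 03:14:07 2008 1 69.203.15.77 4512 /home/site/public_html/index.html a _ i r siteuser ftp 0 * c\n"
    "Sat Sep 20 03:14:09 2008 1 69.203.15.77 2210 /home/site/public_html/about.html a _ i r siteuser ftp 0 * c\n"
    "Mon Sep 22 10:02:41 2008 2 198.51.100.9 1800 /home/site/public_html/news.html a _ o r siteuser ftp 0 * c\n"
)

# Constructed Apache combined-format access-log lines.
HTTP_LOG = (
    '69.203.15.77 - - [20/Sep/2008:03:13:55 +0000] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/4.0"\n'
    '69.203.15.77 - - [20/Sep/2008:03:14:20 +0000] "GET /index.html HTTP/1.1" 200 4580 "-" "Mozilla/4.0"\n'
    '203.0.113.5 - - [20/Sep/2008:09:00:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"\n'
)

XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \d+ (?P<host>\S+) \d+ "
    r"(?P<path>\S+) \S \S (?P<dir>[io]) "
)
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+) [^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def _ip_or_none(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:          # a reverse-resolved hostname, not an address
        return None


def parse_ftp_uploads(text):
    """Return upload records (direction 'i') with a parsed time and address."""
    uploads = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m or m.group("dir") != "i":
            continue
        ip = _ip_or_none(m.group("host"))
        if ip is None:
            continue
        uploads.append({
            "when": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "ip": ip,
            "path": m.group("path"),
        })
    return uploads


def parse_http_hits(text):
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        ip = _ip_or_none(m.group("host")) if m else None
        if ip is None:
            continue
        # The timezone offset is dropped: both logs are assumed to share the server clock.
        hits.append({
            "when": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
            "ip": ip,
            "request": m.group("req"),
        })
    return hits


def suspicious_uploads(uploads, suspect=SUSPECT_RANGE):
    return [u for u in uploads if u["ip"] in suspect]


def correlate(uploads, hits, window=timedelta(minutes=5)):
    """For each upload, count HTTP requests from the same address within +/- window."""
    out = []
    for u in uploads:
        near = [h for h in hits
                if h["ip"] == u["ip"] and abs(h["when"] - u["when"]) <= window]
        out.append((u["path"], str(u["ip"]), len(near)))
    return out


def report(ftp_text=FTP_LOG, http_text=HTTP_LOG):
    flagged = suspicious_uploads(parse_ftp_uploads(ftp_text))
    return {
        "flagged_ips": sorted({str(u["ip"]) for u in flagged}),
        "flagged_files": [u["path"] for u in flagged],
        "correlation": correlate(flagged, parse_http_hits(http_text)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Feeding the real logs in place of the constructed strings gives a per-upload list of which files the suspect range touched and whether the same address also fetched pages over HTTP around the same time, which is the quickest way to tell an FTP-only intruder from one that also has a web-side foothold.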

  6. #6
    SitePoint Wizard
    I mean the fourth computer, the one you actually use yourself to manage your website.

    Unless you always login on location physically.

  7. #7
    logic_earth
    Are you using a secure network connection to and from the server? Any packet sniffers for example can pull out the FTP passwords since they are always sent clear text.


  8. #8
    SitePoint Member
    Quote Originally Posted by sk89q:
    I mean the fourth computer, the one you actually use yourself to manage your website.

    Unless you always login on location physically.
    No, there is no fourth computer. The rotation of 4 operations on 3 different computers was done so that no one computer performed the same operation (including managing the site) twice in a row. The idea being that one could possibly have a security vulnerability, but not all three.

    The puzzling thing was how the attacker defeated this rotation and why only one of the several sites on the original server was ever attacked.

  9. #9
    SitePoint Member
    Quote Originally Posted by logic_earth:
    Are you using a secure network connection to an from the server? Any packet sniffers for example can pull out the FTP passwords since they are always sent clear text.
    No. I had been asking my hosting service to provide SFTP long before the attacks started and was told that due to their shared server arrangements it was not possible.

    My hosting provider FINALLY! acquiesced to my requests for the mod_wrap2 module to be implemented in the FTP server and there have been no more successful attacks in over a week.

    For anyone not familiar with this, the mod_wrap2 module provides (among other things) the facility to create 2 very simple little ftp.allow and ftp.deny files in the root directory, which limit the IP range of any FTP server access.

    Thanks to all who offered advice on this issue.
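As an added illustration (not from the thread, and not mod_wrap2's own code), the following Python models how an allow/deny file pair of the kind described above is evaluated, so that the lockdown can be reasoned about, and probed, before anyone relies on it. It assumes that mod_wrap2 file tables follow the hosts.allow(5) syntax of tcp_wrappers (a daemon list, a colon, a client list; client patterns ALL, a dotted prefix such as 69.200., an address/netmask or CIDR block, or a single address) and the tcp_wrappers order of evaluation: a match in the allow table grants access, otherwise a match in the deny table refuses it, otherwise access is granted. The daemon name, table contents and addresses are constructed placeholders.

```python
import ipaddress

# Constructed tables. ftp.allow admits the administrator's own range and
# ftp.deny refuses everyone else. The daemon name 'proftpd' and the
# documentation-range addresses are placeholders, not values from the thread.
FTP_ALLOW = "proftpd: 203.0.113.0/255.255.255.0\n"
FTP_DENY = "proftpd: ALL\n"
FTP_DENY_MISSING = ""   # the allow file was written but the deny file forgotten


def parse_table(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, a dotted prefix, addr/mask, or a single address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # e.g. "69.200." matches 69.200.x.y
        return str(ip).startswith(pattern)
    if "/" in pattern:                             # addr/netmask or CIDR
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def table_matches(rules, daemon, ip):
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip) for c in clients):
                return True
    return False


def ftp_access_allowed(client_ip, allow_text, deny_text, daemon="proftpd"):
    """tcp_wrappers order: allow table first, then deny table, then default allow."""
    ip = ipaddress.ip_address(client_ip)
    if table_matches(parse_table(allow_text), daemon, ip):
        return True
    if table_matches(parse_table(deny_text), daemon, ip):
        return False
    return True


def lockdown_effective(allow_text, deny_text, outside_ips, daemon="proftpd"):
    """Every address outside the permitted range must be refused; if any one of
    them gets through, the tables are not actually protecting the account."""
    return not any(ftp_access_allowed(ip, allow_text, deny_text, daemon)
                   for ip in outside_ips)


if __name__ == "__main__":
    for ip in ["203.0.113.17", "69.203.15.77"]:
        print(ip, "allowed" if ftp_access_allowed(ip, FTP_ALLOW, FTP_DENY) else "denied")
    print("lockdown effective:", lockdown_effective(FTP_ALLOW, FTP_DENY, ["69.203.15.77"]))
    print("with deny file missing:", lockdown_effective(FTP_ALLOW, FTP_DENY_MISSING, ["69.203.15.77"]))
```

The FTP_DENY_MISSING case is the point worth carrying away: because the default at the end of the evaluation is "allow", an allow file on its own restricts nothing, so the deny file must exist and contain a catch-all line, and the result should be confirmed with a login attempt from an address outside the permitted range.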

  10. #10
    SitePoint Member
    Okay, I had the same FTP auto process problem but not iframe injection attacks; a few viruses were adding bad links and other malicious links to my sites automatically, though I don't know about iframe injection attacks.

    But try these to solve the automatic process through FTP:

    1. Change your FTP password.

    2. If you have selected "Remember password" on your FTP just remove tick mark from that option and try to add FTP details manually instead of saving on your PC.

    Hope that will help you out a bit.

    Thanks.

  11. #11
    SitePoint Addict skunkbad
    I've had a similar attack on my FTP this last weekend.

    The inserted malicious scripting was not iframes, but rather redirects placed in .htaccess, hidden html links, and also php redirects placed within index.php. In all cases, it was obvious that the malicious scripting insertion was automated, because if the attack had placed the code in the proper place, it may have worked. Fortunately, none of the scripting actually worked, and I had cleaned it within 2 hours of initial attack.

    In my case, the FTP passwords were sent back to a bot net via my mom's infested computer, sniffing network traffic and because I had not been using a secure FTP connection method, my passwords were snatched up in real time. It is obvious that it is a bot network because FTP logs showed connections made from NL, US, and NZ (virtually all at the same time). The location of the bot is not important. It could be your neighbor's computer, or one on the north pole. If it has received orders to attack, it will do as it is told.

    I changed the passwords from the control panel, and am using a secure connection for FTP. No further problems. Hoping that it stays that way. All passwords are now stored on paper. Many people online claim that these virus/trojans are gathering the FTP logins from FileZilla or any other common FTP client.

  12. #12
    SitePoint Member
    Quote Originally Posted by Bannerdesigner:
    Okay, I had the same FTP auto process problem but not iframe injection attacks; a few viruses were adding bad links and other malicious links to my sites automatically, though I don't know about iframe injection attacks.

    But try these to solve the automatic process through FTP:

    1. Change your FTP password.

    2. If you have selected "Remember password" on your FTP just remove tick mark from that option and try to add FTP details manually instead of saving on your PC.

    Hope that will help you out a bit.

    Thanks.
    Many thanks for your suggestions. In my original post I gave details of my method of routinely changing passwords, using 3 different computers and the passwords are never stored on any of these computers.

  13. #13
    SitePoint Addict skunkbad
    Quote Originally Posted by bmcs:
    Many thanks for your suggestions. In my original post I gave details of my method of routinely changing passwords, using 3 different computers and the passwords are never stored on any of these computers.
    The real key to stopping the FTP passwords from being stolen is to use SFTP or FTPES. Until you encrypt the FTP, your username and passwords are in the clear.

  14. #14
    SitePoint Member
    Now I am at a total loss. I added and successfully tested the ftp.allow and ftp.deny files. However, on Sept 20 the attacker succeeded in uploading the same 7 maliciously coded files, plus a php file which was not part of the previous attacks. This new file does not contain any kind of scripting that I have ever seen before, in that it is not a normal php text file, but appears to be a large base64 encoded string.

    The ftp logs show no evidence of any ftp log-in on that day. Therefore, I can only assume the attacks are not being propagated via ftp.

    I have now tried everything I can think of and that has been suggested to me by numerous knowledgeable people, but all to no avail. So I guess I am just going to have to live with the attacks, or close the site down.

    Dave

  15. #15
    SitePoint Member
    Quote Originally Posted by skunkbad:
    The real key to stopping the FTP passwords from being stolen is to use SFTP or FTPes. Until you encrypt the FTP, your username and passwords are in the clear.
    Yes, I am aware that this is the answer, but as I explained in a previous post:

    I had been asking my hosting service to provide SFTP long before the attacks started and was told that due to their shared server arrangements it was not possible.
    Although it now appears that the attacker is not accessing the site via ftp.

  16. #16
    SitePoint Addict skunkbad
    You should look at the FTP logs. In my case, I was dealing with a bot net, so the attacks don't necessarily come from the same IP, IP block, country, etc. If you aren't connecting securely, you're going to keep getting modifications to your website. Since your host doesn't seem to be accommodating in regards to allowing some sort of secure FTP, you really need to change to one that does. One of my sites was accessed from 3 different countries at the same time. There's no telling how many zombie computers could be responding to their master, and where they would be.

    Now that you have that base64 encoded file on your site, if you decode the encoded string, you might be able to find out what other damage to your site has been done, or what the purpose of the file is.

    The common denominator in all of this is you or your network. This really has to be where the problem is, especially since you said you changed servers.
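For the decoding and damage assessment suggested in this reply, and for the "same 7 pages" pattern from the original post, the following Python is an added example that is not part of the thread: it checks a set of pages against a known-good hash baseline, flags hidden iframes, decodes any eval(base64_decode("...")) payload offline into a printable preview without ever executing it, and flags files that consist largely of one long base64 run, like the file described a few posts earlier. The file contents, file names and baseline are constructed; the "payload" is a harmless placeholder string, and nested wrappers such as gzinflate() are deliberately left unpacked.

```python
import base64
import binascii
import hashlib
import re

# Constructed clean copies of two pages, used to build the known-good baseline.
CLEAN_FILES = {
    "index.html": "<html><body><h1>Welcome</h1>\n</body></html>",
    "about.html": "<html><body><p>Nothing injected here.</p></body></html>",
}

# Constructed "after the attack" snapshot: an invisible iframe in index.html,
# an eval(base64_decode()) dropper, and a file that is nothing but a base64 blob.
_PLACEHOLDER_PAYLOAD = base64.b64encode(b'<?php echo "constructed placeholder"; ?>').decode()
_PLACEHOLDER_BLOB = base64.b64encode(b"constructed placeholder " * 20).decode()
SAMPLE_FILES = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<iframe src="http://example.invalid/x" width="0" height="0" style="display:none"></iframe>\n'
        "</body></html>"
    ),
    "about.html": CLEAN_FILES["about.html"],
    "img.php": '<?php eval(base64_decode("%s")); ?>' % _PLACEHOLDER_PAYLOAD,
    "blob.php": _PLACEHOLDER_BLOB,
}

HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
    r"display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']", re.IGNORECASE
)
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def fingerprint(files):
    return {name: hashlib.sha256(text.encode("utf-8")).hexdigest()
            for name, text in files.items()}


BASELINE = fingerprint(CLEAN_FILES)


def changed_or_new(files, baseline):
    """Names whose hash differs from the baseline or that were not in it at all."""
    return sorted(name for name, digest in fingerprint(files).items()
                  if baseline.get(name) != digest)


def decode_payload(b64_text):
    """Decode offline for inspection only; returns None if not valid base64."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", b64_text), validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_content(name, text):
    findings = []
    for m in HIDDEN_IFRAME_RE.finditer(text):
        findings.append((name, "hidden_iframe", m.group(0)[:80]))
    for m in EVAL_B64_RE.finditer(text):
        decoded = decode_payload(m.group(1))
        preview = decoded[:60].decode("latin-1") if decoded else "<undecodable>"
        findings.append((name, "eval_base64", preview))
    for m in LONG_B64_RE.finditer(text):
        findings.append((name, "large_base64_blob", "%d chars" % len(m.group(0))))
    return findings


def scan_files(files):
    findings = []
    for name in sorted(files):
        findings.extend(scan_content(name, files[name]))
    return findings


if __name__ == "__main__":
    print("changed or new since baseline:", changed_or_new(SAMPLE_FILES, BASELINE))
    for finding in scan_files(SAMPLE_FILES):
        print(*finding)
```

Run from cron against the real document root (reading the files into the same name-to-content mapping), the baseline comparison catches the recurring edits to the 7 pages even if the injected markup changes, and the decoded preview answers the "what is this file for" question without handing the blob to the PHP interpreter.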

  17. #17
    SitePoint Addict skunkbad
    Here are the IPs that logged in to my websites through FTP on Friday / Saturday:

    78.132.213.81
    78.84.138.235
    158.108.127.191
    93.72.247.96
    75.66.11.62
    173.26.116.211

    The top four IPs were simultaneous connections, or at least they all did their business within the same minute according to the file properties.

  18. #18
    Community Advisor
    Have you checked your http logs as well? Have you checked that the mod_wrap2 is actually in effect (tried logging in from a disallowed ip range)?
    You should chmod all files and directories so that there is strictly no write and execute permissions for the web user.
    Did you ever ascertain whether php is active for your account?
    I'd second the notion to go with a more proactive host - I suspect the value of the time you've spent attending to these issues (and may continue to do so) probably would have paid for alternative hosting provision many times over.

  19. #19
    SitePoint Addict Avactis
    Try to execute this command via system php functions (e.g. exec): cat /etc/passwd
    You will see the list of the users on your server.

    If you are able to cd and ls -la the web directory of some user from the list, change your hosting immediately!

  20. #20
    SitePoint Addict Miraculix
    Do you have a database? It could be a form of sql injection.
    It doesn't matter if you don't have php scripts. If php is compiled on the server, it could be a server side attack or other forms of code injection.

    We have a cron job which checks pages you specify for iframe attacks and strips them out.

    Good luck,

  21. #21
    SitePoint Zealot cpace1983
    I would seriously take a look at your host's security, what version of Apache/PHP are they running (phpinfo)?

  22. #22
    SitePoint Evangelist stonedeft
    I had a similar scenario a year ago; it turned out the virus was uploaded to my CGI bin.

  23. #23
    SitePoint Enthusiast null101
    Quote Originally Posted by sk89q:
    How about your computer? Is that trojan free?

    And if the FTP password continues to change, how do you know what password to use?
    Exactly what I was about to ask. Also, do you have any sort of upload forms that could be exploited? Avatars, image upload, etc? It's possible he managed to sneak some code on your server, get a C99 on there, and started uploading malicious code. If you migrated your existing code, it wouldn't be hard for him to repeat what he did.

