This year, there has been a large increase in the number of legitimate websites infected by a so-called “iframe” threat – a type of malicious script.

Several prominent websites have come under attack from hackers who have modified the underlying code so that malware can be distributed to unsuspecting users who visit the site. When a user visits an infected site, an invisible connection is established to a remote server, which can then attempt to install malware on the user’s computer. The intention could be to generate spam, or possibly something more sinister, such as stealing personal information e.g. bank account or credit card details. The above texts are taken from Avast news letter]

How does Iframe attack happens ?

Iframes are inserted to web sites files through FTP. Normally ,  people (developers, webmasters etc) used to save the ftp password in their FTP client programs (Cute FTP, filezilla etc). In such case, if  that system is infected with virus or any malware the saved ftp password will be taken and emailed to hackers (who created the virus or malware to get the ftp details of web sites). Once hackers get this ftp password, they have automated system to insert the Iframe to web site files thorugh their FTP program.  Once the iframes are inserted to the website, when users broswse  the infected website their system also get infected with malware or virus. If users are using a good antivirus program  they may get a warning that the server is infected.

What can i do if my system is infected ?

I did not  find any anti virus program that will detect the virus or malware. I think it is best idea to Format the system and reinstall everything than taking RISK. Also Enable Firewall in the system after installing the OS

What all security methods can be taken in order to prevent this kind of iframe attack ?

Since the Iframe attack happens thorugh FTP password our first attention should go to securing FTP server.  Instead of using normaly FTP, use SFTP and this can help us upt to an extend. Also,  the best idea is to allow FTP access from allowed IPs only. This can be done using either software or hardware firewalls. Since , hardware firewall is expensive we can think of software firewalls. For windows IIS ftp service, we can deny all ips except allowed IPs.  For linux this can be done  using Iptables (http://www.hellosystemadmin.com/restrict-ftp-access-using-iptables/). The above tasks  can be  done by an administrator only and this will not be so a fast method when FTP usrs have dynamic Ip address.  So we need to think about creating some scripts (php , VB, shell ) which can be used by all  users.  For  example in a linux server we can create some PHP script which will use Iptables command to add his ip to the firewall.  I suggest a simple algorithm to do this task

Create a mysql database  with two tables  ‘users’ and ‘rules’ . The table ‘users’ includes the customer Id and password. And the second table should include CustomerID, IPAddress and Status (You can add any other fields according to your convenience). Now we needto create a php script which will call iptables command to add the firewall rule. Follwoing is sampel rule

iptables -I INPUT -s XXX.XXX.XXX.XXX  -d 0.0.0.0-p tcp -m tcp €“dport 21 -j ACCEPT

In the above command, we can pass the IP address and Status as  php variables

Is your website compromised  ? Simply fill the form given below

Assume the server’s IP address is 125.121.156.156. Now we can block all ftp connections to the server withe the following ip tables rule
iptables -I INPUT -s 0.0.0.0 -d125.121.156.156 -p tcp -m tcp –dport 21 -j DROP
Now we can allow only authorised ip by the folloing rule. Assume the IP to be allowed is 121.125.121.125
iptables -I INPUT -s 121.125.121.125 -d 125.121.156.156 -p tcp -m tcp –dport 21 -j ACCEP

Now save the iptables rule using following command
/etc/init.d/iptables save