Seeing that a lot of websites are plagued with Iframe Injection vulnerabilities, independent security researcher Shadab Siddiqui made up an advisory to help website administrators recover their websites after such a security hole has been exploited. He also listed some safety measures that must be implemented in order to avoid such incidents.
The first step in recovering a website after an Iframe Injection attack is to shut it down completely during the cleansing process. This must be done to ensure that the malicious elements that may have been injected are not spread to the computers of unsuspecting visitors.
According to Siddiqui, the next step is to change all the passwords.
“Although this may seem like a simple step, many people, including myself, often fail to change all the passwords immediately after an attack has been discovered,” he told us.
“You need to change all the passwords associated with the website; which include FTP passwords, SSH passwords, account passwords, database passwords, admin passwords and so on.”
Further on, administrators should make a copy of the damaged website on which they can perform further analysis.
While it’s not recommended to keep the infected files on the server, they might come in handy later in case it may be necessary to refer to the injection source code, which is why a compressed copy should be stored in quarantine.
The fourth step is a highly important one since it refers to the backup process that admins need to perform periodically to make sure that they always have a clean copy of the website.
“Do not rely on your hosting provider for a backup copy of your site. Many hosting providers say they do an automatic backup every night, however, it is more reliable if you have other backup solutions for your website,” he explained.
“Scan your backup copy with Anti-Virus software like ZoneAlarm or Trend Micro before uploading to the web server to ensure that the backup copy is free from viruses and Trojan horses.”
After the site has been restored from a clean backup copy, it must be checked. If all tests are passed, it can be reopened to the public.
“In order to ensure that the same attack does not happen again, you will need to do a full analysis of the attack and its origin. Was it because of a security hole in your application? Was it caused by a weak file permission?”
“Or is your server affected with some virus that injects this code into your website at regular intervals? You will need to understand how it happens in order to prevent it in the future. And when necessary, obtain an expert advice,” Siddiqui added.
The expert believes that the final step is implementing security measures based on the analysis of the attack. New security restrictions, upgrading all the applications that power the site, securing the web servers, these are all measures that can prevent future attacks.
In the end, let’s hear some basic advice on what must be done to secure a site against Iframe Injection attacks:
I have encountered and recovered quite a few websites that had been attacked by malicious iframe exploits in recent years and the common causes seem to be as follows:
– The website is hosted on a cheap web hosting service;
– The website is using an old version of an open source application (eg: WordPress ) which has known security issues;
– File permissions on the server are not set accordingly (eg: every file and folder on the server is set to 777 read-write-execute);
– Weakness in an application code. For example, there is not sufficient input validation;
– FTP rather than SFTP is used;
– There is no IP restriction for SSH and FTP accounts.