The iframe hack is really annoying.

So, a few of my blogs and other PHP-based sites have been hacked. Annoying and frustrating, as if I didn’t have enough headaches.

These sort of things cost time, and time is something I’ve had very little of lately.

But the mechanics of it all are fascinating. I’ve been forced to delve into a good deal of material on host security, something that used to be a fascination of mine (a decade ago, in my network-administrator, Phrack-reading past life), and I am rediscovering a real intellectual love of, and fascination with, data security.

I am now reading up again on a good deal of this stuff. Network security simply hasn’t been part of my world for years now. My professional direction went one way; my personal interests went towards René Guénon, poetry, well, let us say the Ars Amorata.

But this incident’s reawakened a real interest in information security and tradecraft.

I find this interesting: a number of the big names from the scene in the mid-90s now seem to be respectable professionals and have published some very, very interesting books on data security. O’Reilly and Wiley both have some good titles. Who better to really know how a safe works than a retired safe cracker?

This is a good book:

The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_sim_b_3

And so is this one:
Rootkits: Subverting the Windows Kernel (Addison-Wesley Software Security Series)
http://www.amazon.com/Rootkits-Subverting-Addison-Wesley-Software-Security/dp/0321294319/ref=pd_sim_b_3

Phrack’s old editor back in the mid-90s, Mike D. Schiffman (a.k.a. route), also wrote what seems to be a very interesting and professional work:
“Hacker’s Challenge: Test Your Incident Response Skills Using 20 Scenarios”
http://www.amazon.com/Hackers-Challenge-Incident-Response-Scenarios/dp/0072193840/ref=ntt_at_ep_dpt_1

My budget prevents further pillaging of Amazon.com and those are thick volumes anyway.

Back to the topic.
The iframe injection hack by itself is simple. An intruder injects spurious code into every landing page on your site (index.html, default.html, index.php and so on): a small HTML iframe, usually sized or styled so that visitors never see it. That iframe silently loads a page from a server somewhere else (usually somewhere in China, North Korea or Eastern Europe), and that page tries to exploit the visitor’s browser or its plugins and download malicious code, which then runs on their computer and infects it. Nothing visibly redirects; the victim just sees your page.
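To see what that looks like on disk, here is an added example, not the author’s code, that scans a site’s landing pages for iframes with the two traits of the injection just described: hidden from the visitor, or loading from a host other than the site’s own. It goes a little beyond the post by also checking CSS hiding tricks (display:none, visibility:hidden, off-screen positioning). The sample HTML, the site host `example.com` and the host `attacker.invalid` are constructed placeholders.

```python
"""Scan landing pages for injected iframes.

Added example, not the author's code. It flags <iframe> tags that are hidden
(tiny size, display:none, visibility:hidden, or positioned off-screen) or that
load from a host other than the site's own. SAMPLE_HTML and the host names in
it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# File names the injection described in the post targets.
LANDING_FILES = {"index.html", "index.htm", "index.php", "default.html", "default.htm"}


def _tiny(value):
    """True for width/height values such as "0", "1" or "0px"."""
    m = re.fullmatch(r"(\d+)\s*(px)?", value.strip())
    return bool(m) and int(m.group(1)) <= 1


class IframeFinder(HTMLParser):
    """Collects every <iframe> that looks hidden or points off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
            reasons.append("zero-size")
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if re.search(r"(left|top):-\d", style):
            reasons.append("off-screen")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src")
        if reasons:
            self.hits.append({"line": self.getpos()[0], "src": a.get("src", ""), "reasons": reasons})


def find_iframes(html, site_host):
    """Return the suspicious iframes in one document as a list of dicts."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.hits


def scan_tree(root, site_host):
    """Walk a web root and scan only the landing-page file names."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in LANDING_FILES:
            hits = find_iframes(path.read_text(errors="replace"), site_host)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: one legitimate embed, two injected iframes (lines 4 and 6).
SAMPLE_HTML = """<html><body>
<h1>My blog</h1>
<iframe src="https://www.example.com/player" width="560" height="315"></iframe>
<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<p>footer</p>
<iframe src="/wp-content/x.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_iframes(SAMPLE_HTML, "example.com"):
        print(hit)
```

Point `scan_tree` at the document root (for example `scan_tree("/var/www/html", "example.com")`). An off-site `src` on its own is not proof of compromise, since legitimate video and widget embeds look the same, which is why every reason is listed for the reader to review; a zero-size or hidden iframe pointing off-site is the signature to act on.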

I was hammered with a bad rootkit/spyware/Trojan horse infection a few months ago. It killed my productivity because I spent a week picking out obfuscated DLL files *by hand* and patiently disabling processes with a process killer and some debugging tools. It was fascinating, actually, to see something that burrowed so deeply into my machine and to figure out the mindset of the person who implemented it. So fascinating that I started reading up on shellcode and rootkit design.

It totally killed my productivity, though. And the fact that it happened in the midst of a personal crisis and tragedy made things more frustrating.

I am a fan of the old approach to cracking: touch, sniff around, reverse engineer if you will, poke around, but for the love of god don’t ruin my day and productivity, destroy my data, or bog my machine down. This is an old ethos; I really have no problem with someone clever enough to pick all of my locks actually doing so. It’s a feat of intellectual prowess.

Just don’t steal anything from me; if I catch you I’m taking a lead pipe to your head.

Anyway, anyone out there running WordPress blogs, take a weekend out and really sit down and read up a bit about WordPress security. And if you get hit, forward links to your ISP and stay on them. I’ve noticed that many ISP administrators don’t even realize this particular type of attack is going on.

My first task: simply resetting the Unix permissions on all index files to read-only, which seemed to prevent further re-infections. For now. There was a bit of obfuscation of database tables on a couple of test blogs, just in case I blew anything up. There are more steps I will take once I have more time. Alas, time!
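Two of the follow-up steps worth automating are a hash baseline of the landing pages, so that a re-infection shows up as a changed file rather than being noticed by a visitor, and the read-only lockdown itself. The following is an added example, not the author’s script; `demo()` builds a throwaway site in a temporary directory, so every path and the host `attacker.invalid` are constructed. One caveat a practitioner should keep in mind: clearing the write bits only slows down an attacker who holds the same account that owns the files (stolen FTP or shell credentials, which the comments below say was the vector here), because that account can simply chmod them back. The baseline comparison catches that case too; having the files owned by a user that neither the web server nor the compromised account can write as is the stronger fix.

```python
"""Baseline and re-check the integrity of a site's landing pages.

Added example, not the author's script. It records a SHA-256 digest for every
landing-page file under a web root, reports files that changed, appeared or
vanished since the last baseline, and clears the write bits on them.
demo() builds a constructed site in a temporary directory.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

LANDING_FILES = {"index.html", "index.htm", "index.php", "default.html", "default.htm"}


def landing_pages(root):
    """All landing-page files below root, in a stable order."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() in LANDING_FILES)


def baseline(root):
    """Map relative POSIX path -> SHA-256 hex digest for every landing page."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in landing_pages(root)}


def compare(old, new):
    """Return the three kinds of change between two baselines."""
    return {
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def save_baseline(mapping, path):
    """Persist a baseline as JSON (keep this file outside the web root)."""
    Path(path).write_text(json.dumps(mapping, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def lock_down(root):
    """chmod a-w every landing page; returns the paths touched."""
    touched = []
    for p in landing_pages(root):
        mode = p.stat().st_mode
        p.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
        touched.append(str(p))
    return touched


def demo():
    """Build a throwaway site, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blog").mkdir()
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "blog" / "index.html").write_text("<html><body>blog</body></html>")
        (root / "style.css").write_text("body{}")  # not a landing page, ignored
        first = baseline(root)
        save_baseline(first, root / "baseline.json")

        # Simulate the injection: a hidden iframe appended to one landing page
        # and a new default.html dropped beside it (constructed, not real data).
        with (root / "blog" / "index.html").open("a") as f:
            f.write('<iframe src="http://attacker.invalid/" width="0" height="0"></iframe>')
        (root / "default.html").write_text("dropped by attacker")

        result = compare(load_baseline(root / "baseline.json"), baseline(root))
        lock_down(root)
        # Check the mode bits directly: os.access() would say "writable" for root.
        result["still_writable"] = [p.relative_to(root).as_posix()
                                    for p in landing_pages(root) if p.stat().st_mode & 0o222]
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice run `save_baseline(baseline("/var/www/html"), "/root/site-baseline.json")` once after a clean restore, then a cron job that calls `compare(load_baseline(...), baseline(...))` and mails anything non-empty; the baseline file must live where the web server account cannot rewrite it.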

References for the curious:
http://arstechnica.com/security/news/2008/03/ongoing-iframe-attack-proving-difficult-to-kill.ars

http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/

http://badmalweb.com/bad-mal-web-extracts/bad-mal-web-extracts/iframe-injection-source.html


12 Comments

  1. Were you upgraded to the latest version of WordPress, or were you running an older version?

  2. Eh.
    Slightly older.

    Which means I should upgrade.

    Though it turned out the attack would have affected newer ones as well; it is actually a client-software attack, in that my personal machine was attacked via a spyware infection that scanned through all of my saved passwords in various programs, decrypted them, and used them to do this…

    Which means I have a mess on my hands 🙂
    In a way, my fault.

  3. Ah, sorry to hear. My advice? Get the latest version of Firefox AND the NoScript addon. I only allow JavaScript on certain websites that I trust. So in general I surf with JavaScript off. Most spyware operates through these.

  4. Sensible advice 🙂

    So, do you ever float through Cincy anymore?

  5. it was very good

  6. Well double thank you.

  7. This is all good advice. I can’t believe I got so lax when it comes to security. I used to be very conscious about security.

    My own computer’s lack of defenses was the vector through which my own sites were cracked.

    After scans by several antivirus programs, hunting down rootkits, plucking DLL files out by hand, and traversing the Windows registry by hand, I am of the opinion that there were so many small covert hooks placed in my own system that I’m better off just putting Linux on it. It runs very clean now, but I don’t trust it..

    I used to run both Slackware and Red Hat Linux years ago; since then the world of Linux has evolved considerably. I am very comfortable with it, the only snag being that I need to research more about modern Windows emulation software on Linux. There used to be dosemu, “Wine”, and Wabi, but it’s been years since then…
    I really only need to run photoshop and some music Studio software.

    The whole experience did one thing though, it reignited an intellectual fascination with computer security. I’m examining the guts and innards of some of the “rootkits” used to burrow malware into my computer. Fascinating stuff.

  8. Hi! I was surfing and found your blog post… nice! I love your blog. 🙂 Cheers! Sandra. R.

  9. Well thank you kindly.

