The IFrame hack is really annoying..

So, a few of my blogs and other php based software sites have been hacked.  Annoying and frustrating, as if I didn’t have enough headaches.

These sort of things cost time, and time is something I’ve had very little of lately.

But the mechanics of it all are fascinating, I’ve been forced to delve into a good deal of material on host security, something that used to be a fascination of mine (like a decade ago in my Network administrator, Phrack reading past life) – and I am rediscovering a real intellectual love of, and fascination with, data security.

I am now reading up again on a good deal of this stuff. Network security simply hasn’t part of my world for years now. My professional directions went one way, my personal interests went towards Rene Guenon, poetry, well, let us say the Ars Amorata .

But this incident’s reawakened a real interest in information security and tradecraft.

I find this interesting; a number of old big names from the scene in the mid 90’s now seem to be respectable professionals and have published some very, very, interesting books on data security. ORiley and Weiley presses both have some good titles.  Who better to really know how a safe works than a retired safe cracker?

This is a good book:

The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_sim_b_3

And so is this one:
Rootkits: Subverting the Windows Kernel (Addison-Wesley Software Security Series)
http://www.amazon.com/Rootkits-Subverting-Addison-Wesley-Software-Security/dp/0321294319/ref=pd_sim_b_3

Phrack’s old editor back in the mid 90’s, Mike D. Schiffman (a.k.a route) also wrote what seems to be a very interesting and professional work:
“Hacker’s Challenge : Test Your Incident Response Skills Using 20 Scenarios”
http://www.amazon.com/Hackers-Challenge-Incident-Response-Scenarios/dp/0072193840/ref=ntt_at_ep_dpt_1

My budget prevents further pillaging of Amazon.com and those are thick volumes anyway.

Back to the topic.
The Iframe injection hack by itself seems simple, an intruder injects spurious code, in this case code that creates a small html iframe inside of all WebPages on your site listed as index.html, default.html, index.php and so on – this iframe in essence contains redirect code causing your viewer’s browser to redirect to, and download malicious code from, another website somewhere else (usually somewhere in China, or North Korea, or Eastern Europe) this code then runs on their computer and infects it.

I was hammered with a bad root kit / spyware / Trojan horse infection a few months ago, killed my productivity because I spent a week picking out *by hand* obfuscated dll files and patiently disabling processes with process killer and some debugging tools. It was fascinating actually, to see something that burrowed so deeply into my machine and figure out the mindset of the person who implemented it. So fascinating I started reading up on shell code and rootkit design.

Totally killed my productivity though. And the fact that it happened in the midst of a personal crisis and tragedy made things more frustrating.

I am a fan of the old approach to cracking, touch, sniff around, reverse engineer if you will, poke around, but for the love of god don’t ruin my day and productivity, destroy my data, and bog my machine down. This is an old ethos, I really have no problems with someone clever enough to pick all of my locks actually doing so. It’s a feat of intellectual prowess.

Just don’t steal anything from me, if you catch you I’m taking a lead pipe to your head.

Anyway anyone out there running wordpress blogs, take a weekend out and really sit down and read up a bit about wordpress security. And if you get hit, forward links to your ISP and stay on them. I’ve noticed that many ISP administrators don’t even realize this particular type of attack is going on.

My first task, simply resetting the unix permissions on all index files to read only, which seemed to prevent further re-infections. For now. There was a bit of obsfucation of database tables on a couple of test blogs, just in case I blew anything up.. there are more steps I will take once I have more time. Alas, time !

References for the curious:
http://arstechnica.com/security/news/2008/03/ongoing-iframe-attack-proving-difficult-to-kill.ars

http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/

http://badmalweb.com/bad-mal-web-extracts/bad-mal-web-extracts/iframe-injection-source.html

_EOF