网站中的 iframe 注入
我的网站已被盗用。有人在我的网站中注入了一些 iframe 标记。
他们是如何做到这一点的?仅在我的index.html、index.php页面上。但我已经阻止了该页面的写入权限,那么他们如何能够在我的页面中写入。
它会影响我服务器上的其他页面吗?
还有其他解决方案可以阻止此问题吗?
谢谢
<?php`
include_once("commonfiles/user_functions.php");
include_once("user_redirect.php");
include_once("designs/index.html");
?>
<iframe src='url' width='1' height='1' style='visibility: hidden;'></iframe>
这是我的index.php代码在php脚本之后注入。
My website has been compromised. Some one have injected some iframe markup in my website.
How they have done this? Only on my index.html, index.php page. But I have blocked write permissions for this page, then how they able to write in my pages.
Will it effect other pages on my server?
Is there any other solutions to block this?
Thank you
<?php`
include_once("commonfiles/user_functions.php");
include_once("user_redirect.php");
include_once("designs/index.html");
?>
<iframe src='url' width='1' height='1' style='visibility: hidden;'></iframe>
This is my index.php code <iframe> is injected after the php script.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
通过 FTP 访问您网站的人(您或您的开发人员)的工作站上感染了病毒。该病毒安装了一个键盘记录程序,该程序会从您的 FTP 客户端窃取凭据并将此信息发送回黑客。
黑客收集数百个此类凭据,然后使用程序登录每个服务器,下载文件,修改它以附加 iframe 或混淆的 JavaScript 或 PHP 块,上传文件,下载下一个文件,修改,上传,下一个下载的文件可以匹配一组名称(例如仅index.、default.、home.* 等),也可以仅匹配任何html 或PHP 文件。
附加的代码通常是可见性:隐藏的 iframe 或 1x1px 大小的
一旦所有文件都被修改,攻击者就会注销。您网站的访问者将受到来自 iframe 中链接的域的恶意代码的攻击,这些代码的目的是安装病毒和 Rootkit。除其他功能外,这些病毒还会安装键盘记录器来嗅探 FTP 凭据……并且病毒会继续传播。
攻击者正在使用您的凭据,因此他们只能访问您有权访问的文件。有时,他们会使用编码的 shell 在某些目录中上传附加文件,从而允许他们返回对服务器的访问权限(常见的是 /forums 目录中的 _captcha.php 和 /gallery 目录中的 img.php 或 gifimg.php)。如果您的服务器上托管其他域,只要受影响域的用户无法访问其当前域之外的内容,其他人就不会受到影响。
有两种方法可以阻止此类攻击——预防和适当的防病毒。通过使用防火墙并将 FTP 访问限制为仅少数选定的 IP,可以轻松转移攻击。攻击者还不是从您自己的工作站进行攻击,而是从世界其他地方的服务器进行攻击。在所有能够访问您的 FTP 帐户的工作站上使用适当的防病毒软件(或者最好不要使用 Windows XP)将有助于防止原始感染的发生。
如果您被感染,使用一些聪明的 sed 来清理混乱是相当容易的,这取决于您在发现注入和制作有效的正则表达式方面的能力。否则,备份备份备份——总是有备份! ...哦,还有更改您的 FTP 密码,否则他们明天就会回来。
Someone with FTP access to your site (you or your developers) has a virus on their workstations. This virus has installed a keylogger that is stealing credentials from your FTP client and sending this information back to the hacker.
The hacker collects hundreds of such credentials and then uses a program to log into each server, download a file, modify it to append an iframe or block of obfuscated JavaScript or PHP, upload the file, download the next file, modify, upload, next, etc. The files downloaded may either match a set of names (such as only index., default., home.* etc) or just any html or PHP file.
The appended code is often either an iframe that is visibility: hidden or of 1x1px size, a <script> sourcing a remote JavaScript file on a dubious domain, a collection of Javascript obfuscated by some clever str.CharCode'ing, or a block of base64_encode'd eval()'d code. Unobfuscating the code, the result is often an iframe. More recently, some clever attackers are inserting remote shells, granting them backdoor access to your server.
Once all the files have been modified, the attacker logs out. Visitors to your site will be subject to malicious code from the domain linked in the iframe with the intention of installing viruses and rootkits. Among other functions, these viruses will install a keylogger to sniff FTP credentials... and the virus continues spreading.
The attacker is using your credentials, so they can only access files that you have access to. Sometimes, they will upload an additional file in certain directories with an encoded shell, allowing them return access to the server (the common ones are _captcha.php in /forums directores and img.php or gifimg.php in /gallery directories). If you host other domains on your server, as long as the user for the affected domain has no access beyond their current domain, others will not be affected.
There are two ways to stop this sort of attack -- prevention and proper antivirus. The attacks can be easily deflected by use of a firewall and limiting FTP access to only a few select IPs. The attackers are not attacking from your own workstation (yet), but rather a server elsewhere in the world. Using proper antivirus on all workstations with access to your FTP account -- or, better yet, not using Windows XP -- will help prevent the original infection from occurring.
If you are infected, it's fairly easy to clean the messes up using a bit of clever sed, depending how good you are at spotting the injection and making effective regexes. Otherwise, backups backups backups -- always have backups! ...Oh, and change your FTP password or they'll be back tomorrow.
如果 php 文件本身已被编辑以包含此 iframe,并且您正在运行的另一个脚本确实无法写入该文件,则有权访问该文件的用户帐户可能已被泄露。如果有一个用户帐户可以访问具有弱密码的文件,那么这将是我最有可能的罪魁祸首。
他们可能在您的网站上使用某种形式的注入来获取用户名和密码哈希值并暴力破解它们,他们可能在有权访问的某人的计算机上安装了键盘记录器,或者他们可能只是直接暴力破解了您的登录(假设您不这样做)有某种机制可以防止这种情况发生)。
我要做的第一件事是确保有权访问该机器的任何人的计算机上都没有运行病毒。然后着手更改密码。最后检查站点的 php 脚本以查找可能的注入点。问题点几乎出现在您接受某种用户输入并处理它而没有首先检查以确保处理安全的任何地方(即未能从用户登录表单中删除危险字符)。
If the php file itself has been edited to include this iframe and if there truly is no way for another script you are running to write to the file then a user account with access to the file might have been compromised. If there is a user account with access to the file that has a weak password this would be my candidate as the most likely culprit.
They may have used some form of injection on your site to acquire usernames and password hashes and bruteforced those, they might have installed a keylogger on someone's machine who has access, or they may have just brute forced your login directly (assuming you don't have some sort of mechanism in place to prevent this).
First thing I would do is ensure there are no viruses running on anyone's computer who has access to the machine. Then go about changing passwords. And finally review the php scripts of the site for possible points of injection. Trouble spots are pretty much anywhere you're taking in some kind of user input and processing it without first checking to make sure it is safe to process (i.e. failure to strip dangerous characters from a user login form).
从迄今为止发布的评论来看,几乎可以肯定有人已经获得了对已注入代码的文件具有写入权限的用户帐户的访问权限。听起来好像有人发现了一个或多个帐户密码,并以此为消遣,偶尔登录您的 FTP 并进行一些更改。您是否尝试过更改密码?我建议使用相当安全的密码,至少包含 15 个字符,并使用各种字符类型,包括不可打印的字符(如果可以的话)(使用 alt/meta 键在数字键盘上输入 UTF 代码点)。
如果更改密码后,您仍然发现相同的问题,则可能存在另一个问题。我首先会认真检查你的 PHP 脚本。无论您的脚本在何处接受来自表单的用户输入、存储在 cookie 中的数据或源自脚本本身外部的其他数据(因此可能是“脏”数据),请非常仔细地检查使用这些数据的脚本操作。如果您使用任何此类潜在脏数据来运行操作系统命令、打开/读取/写入文件或查询数据库,则该数据可能包含转义字符,这些转义字符将转义您的代码,从而允许攻击者执行任何操作他们希望在您的脚本中编写代码。
密切关注您的访问日志。您提到您从脚本中删除了注入的 iframe 代码,并且它不断被重新注入,因此如果您能在发生这种情况时捕获它,您可能会在访问日志中找到有关更改来源的线索。
From the comments that have been posted so far it seems almost certain that someone has gained access to a user account with write permissions on the files that are having code injected into them. It sounds like some individual has discovered one or more account passwords and has made it their pastime to occasionally log into your FTP and make some changes. Have you tried changing your passwords? I recommend using a fairly secure password, of at least 15 characters and using a variety of character types including unprintable characters if you are able (use alt/meta keys to enter UTF codepoints on the number pad).
If, after changing your password, you still observe the same problems, then there could be another issue. I would first seriously scrutinize your PHP scripts. Anywhere your scripts accept user input from a form, data stored in a cookie, or other data originating from outside the script itself (and therefore potentially "dirty" data), go over the operations of the script with this data very carefully. If you are using any such potentially dirty data to run an OS command, open/read/write a file, or query a database, then it is possible that the data contain escape characters that will escape your code, allowing an attacker to execute any code they wish within your script.
Keep an eye on your access logs. You mentioned that you remove the injected iframe code from your scripts and it keeps being re-injected, so if you can catch when it happens you can probably find a clue as to the source of the changes in your access logs.
请参阅此帖子,了解有关尝试阻止 iframe 的更多信息。
See this thread for more on trying to block iframes.