Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: The Other iframe attack - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
The Other iframe attack

A lot of readers are sending in this link from Dancho Danchev's fabulous blog thinking it's linked to the campaign:

We're also getting this sent in from McAfee's Avert Labs blog:

The campaign affected approximately 13,800 ASP pages.  No php pages.

This other attack is reported to have affected around 200,000 phpBB pages.

It's a bigger attack and very important, you should read Dancho's blog, it has IP addresses and domains to look for in your logs as well as what traffic an infected system will generate.

If you're a website administrator, also take a close read of his 04-MAR-2008 entry:

Pay particular attention to how they're inserting the code into the site (from Dancho's Blog):

"(The sites) themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular quaries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names."

This is important.  It's not obvious to me how to fix the problem-- I'm hoping some can explain this better.


Kevin Liston

292 Posts
ISC Handler
Mar 15th 2008

Sign Up for Free or Log In to start participating in the conversation!