Knowledgebase: Linux Hosting (CPanel)
Iframe Attack - Reported Attack Site when browsing with Firefox
Posted by Mohd Johani on 24 December 2009 06:27 PM
Mozilla Firefox blocked the access toward your website with an error message of "Reported Attack Site!". It may only happen if visitors browse your website by using Mozilla Firefox. However,there is no error message prompt if they browse the website by using Internet Explorer (IE).
Error message as per below appeared upon browsing the affected website:
Please be informed that this error is NOT caused by the server. Below are the detailed explanation:
1. The code vulnerability.
- Affecting both websites developed by custom made coding or website that use open source application such as Wordpress/Joomla and etc. If those application are not being patched up & updated properly, the chances of being affected is high.
2. Weak FTP password.
- Brute force attack may easily cracked a weak password due to the password structure.
3. The client's machine (PC / laptop) being infected by virus. (Common way)
Detailed explanation on the attacking method.
We believe the first 2 method has been explained in "Cause" section area. However, if you still need detailed explanation on this situation, you may seek our Technical Support assistance where they will assist you promptly.
As for the 3rd method, it work as below:
a. Someone search for something in Google, probably the infected websites.
b. When the user click on the infected website/URL, his/her machine (PC/laptop) will be infected with the virus.
c. If the infected machine (PC/laptop) have FTP program installed with his/her website FTP credentials being save in the machine, the virus will inject code into the website during the FTP uploading / downloading progress.
What does this injected code do?
This kind of attack will insert a code that load the content of an external site (virus website) into your website, set the external content to be invisible and then overlay it within your website. Upon clicking a link that you see on the current page, you are actually clicking on the external loaded page and about to load the contents that was set by the attacker.
Thus the virus will propagates from client's machine to another machine from above method.
You may perform below procedure as to restore your website:
STEP 1: Verify your website status by utilizing Google Webmaster Tools at http://www.google.com/webmasters/tools/ to identify which file that you need to check further.
STEP 2: You may also refer to http://www.stopbadware.org/home/security/ to find out other detailed information regarding other kind of attacks that will cause your website to be blacklisted by the Google Team and others related preventive maintenance.
STEP 3: Proceed to perform the necessary changes on the affected code such as remove the injected code from your website coding.
STEP 4: If you have you own backup data (clean data), you may also proceed to re-populate it accordingly.
STEP 5: Request the delist from Google Team using the Google Webmaster Tools at http://www.google.com/webmasters/tools/
We ensure you that the provided workaround can help you to resolve your current issue and restore back your website accessibility. However, you may refer to following procedures for prevention:
1. Use a good antivirus software in your machine (PC/laptop) and it is up too date.
2. Ensure that you machine is clean from any threat by performed virus / malware scanning.
3. Once you have verified that your machine was clean from any threat, you need to change the FTP password to min 8 characters with combination of alphanumeric and 1 special character.