iFrame users under attack

A flood of SQL injection attacks on Microsoft Internet Information Servers are leaving web pages with malicious iFrames in them, and Panda Security is urging network managers to make sure their web pages haven't been infected.

Panda says the number of infected pages spiked to 282,000 in the past day, and appears to be growing. Network managers can check to see whether their pages are infected with the iFrame code by looking for a specific code string in the source code of the web page associated to an iFrame tag. The string is script src=http://www.nihaorr1.com/1.js, according to the security vendor.

If detected, this string should be eliminated immediately, says Panda, which adds that new strains of malicious code as yet unrecognised may be resident also. Panda is urging website managers to check to see whether their web pages are being manipulated and is offering a free scan at its Infected or Not? website.

"It appears to have started [Wednesday] with these SQL injection attacks," says Ryan Sherstobitoff, Panda's chief corporate evangelist. There's ongoing research into the problem, the source of which may trace back into Eastern Europe or Russia, he says.

Neither Panda nor any other security firm Sherstobitoff is aware of has identified the exact vulnerability in IIS that is the attack route for injection of the malicious iFrame, although suspicions centre on a vulnerability described in an 17 April Microsoft Security Advisory (951306) for which there is not yet a defined patch or other fix.

Malicious iFrame attacks have seen widespread growth over the past several months. Attackers embed the iFrame code in web pages to redirect victims to sites for purposes of fraud or other criminal conduct.