We have again experienced the nasty Cross Site Scripting issue again in some of our domains. We had discussed about this IFrame issue in the past with the details about the issue and possible ways to mitigate it.

While we have not yet identified a concrete explanation for the exact source of the issue and the exact solution, we have arrived at a few workarounds which are helping us quite well in protecting our client websites.

It is widely suspected that the ftp passwords to a given domain might be compromised. Every time a site is attacked by this iframe issue and the pages are infected, the webmasters typically replace the infected pages with the correct page content.

Just this one step alone is not sufficient, as we have seen that since the ftp details are already compromised, the pages are again infected after a short period of time. This is suspected to be done by an automated script which has the ftp details stored and constantly it goes and infects the pages that do not have the iframe tag anymore in the source.
In order to avoid this from happening we have done a few specific work arounds:
a. We change the ftp passwords for all infected sites immediately.
b. We put the files that were infected in read only mode after removing the malicious code.
c. We do not disclose the password to any one except our staff who take care of our deployments.

We will continue to work on this issue until we find the exact cause and a permanent solution for this Iframe issue – permanent solution is where we can define the exact steps to be implemented for fixing this issue on any website.

Stay tuned for more updates.