 

Warning: Iframe based attacks using stolen FTP access info

 
  #61  
Old 10-23-2008, 08:46 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Yep, that's the same guy. Really need to figure out how this is happening - there HAS to be a data leak somewhere....
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #62  
Old 10-23-2008, 08:55 AM
 
tradedvdshop tradedvdshop is offline
 

Advanced Member
  
Join Date: Jun 2007
Location: Kent UK
Posts: 30
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi,
I am just getting the FTP login report so I can see what sort of date etc.
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


Reply With Quote
  #63  
Old 10-23-2008, 09:01 AM
 
tradedvdshop tradedvdshop is offline
 

Advanced Member
  
Join Date: Jun 2007
Location: Kent UK
Posts: 30
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Looks like the same IP address on the 8th October: 41.232.71.112, Egypt
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


Reply With Quote
  #64  
Old 10-23-2008, 10:25 AM
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I had given this command to Emerson yesterday and a couple of other people who have dedicated servers, but this is what we're using to find the "live-counter" information:

Code:
find /home/*/public_html -exec grep -n live-counter /dev/null {} \;

What this command is doing:
Find = find
/home/*/public_html = the directory. We search all USER directories (*) and the public_html inside of it.
-exec = execute
grep = find certain words
-n = print the file and line number that you find the word on
live-counter = the word we're searching for
/dev/null {} \; = stuff to make it happen in the background, then output results to your screen.

This command is run through SHELL. If you don't have shell, ask your host to run it for you (or a modified version searching your files).

Here's another command that one of our users asked about:

Code:
find /home/XXXXXXXX/public_html -type f -mtime -16 -exec ls -ltra {} \; > output.txt

the "XXXXXXXX" is the username on the account.

What this is doing is finding all "-type f" (FILES) that have been "-mtime" (MODIFIED) in the last "-16" days. Then it runs an "ls -ltra" - which is a listing of the files with the date and time stamp. And then "> output.txt" - output the results to a text file.

You will likely get a lot of TEMPLATE files listed on there through the template cache, but beyond that, it may help those looking to locate files that have been modified since October 8th.

EDIT: --- RUN an "updatedb" on the command line first. This will update the index on where files are located and prevent the listing of files that are no longer in existence etc.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
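
Added example, not part of the original post: a POSIX shell sketch that combines the two searches above, printing the lines that contain the "live-counter" string in files changed within a given number of days. The function names, the sample tree and the live-counter.example URL are constructed for illustration; the ctime option is there because a file's modification time can be set by whoever uploads it, while the inode change time cannot be set with touch.

```shell
#!/bin/sh
# Added example; scan_marker, make_sample and demo are hypothetical names.

# scan_marker DIR MARKER [DAYS] [mtime|ctime]
# Print "file:line:text" for each line containing the fixed string MARKER in
# regular files under DIR. With DAYS, only files whose mtime (or ctime, the
# default) falls within the last DAYS days are searched.
scan_marker() {
    dir=$1 marker=$2 days=${3:-} field=${4:-ctime}
    set -- "$dir" -type f
    if [ -n "$days" ]; then
        set -- "$@" "-$field" "-$days"
    fi
    # /dev/null is an extra operand so grep always prints the file name;
    # "{} +" batches many files per grep and is safe for names with spaces.
    # grep exits 1 when nothing matches, which is not an error here.
    find "$@" -exec grep -n -F -e "$marker" /dev/null {} + || :
}

# Build a constructed sample tree and print its path.
make_sample() {
    root=$(mktemp -d) || return 1
    printf '<html>\n<body>ok</body>\n</html>\n' > "$root/clean.html"
    printf '<html>\n<iframe src="http://live-counter.example/" width=0></iframe>\n' \
        > "$root/index.html"
    printf '{* header *}\n<iframe src="http://live-counter.example/"></iframe>\n' \
        > "$root/head er.tpl"
    # Backdate the modification time, as an upload tool can do.
    touch -t 200801010000 "$root/index.html"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sample) || return 1
    echo "mtime, last 16 days:"; scan_marker "$root" live-counter 16 mtime
    echo "ctime, last 16 days:"; scan_marker "$root" live-counter 16 ctime
    rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument "demo" to see that the backdated index.html is missed by the mtime window and still reported by the ctime window.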
  #65  
Old 10-23-2008, 10:44 AM
 
manolodf manolodf is offline
 

Advanced Member
  
Join Date: Jun 2003
Posts: 50
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Everyone that this has happened to, have you guys checked your hosts file on your windows computer (Normally at C:\WINDOWS\system32\drivers\etc) to make sure there is no DNS exploit?
Reply With Quote
  #66  
Old 10-23-2008, 10:51 AM
 
tradedvdshop tradedvdshop is offline
 

Advanced Member
  
Join Date: Jun 2007
Location: Kent UK
Posts: 30
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi,
Thanks for that info. I am working on it now; also I will check the Windows files on my PC.

cheers
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


Reply With Quote
  #67  
Old 10-23-2008, 11:00 AM
 
Manic Manic is offline
 

Senior Member
  
Join Date: Dec 2007
Posts: 127
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by manolodf
Everyone that this has happened to, have you guys checked your hosts file on your windows computer (Normally at C:\WINDOWS\system32\drivers\etc) to make sure there is no DNS exploit?
Manolodf, I was hit with the iframe attack too. Can you elaborate on what to look for in my local computer? I looked into the \drivers folder as you suggested. I did notice some files dated 10/8/2008 - but not sure what to make of that. Any advice?

Thanks.
__________________
X-Cart Gold 4.1.9
Smart Search (from Altered Cart)
DSEFU Pro
Product Meta Tags Plus
Category Meta Title Control
Latest Additions (BCSE)
Remember Me login
FireTank's Feed Manager
Lightbox (BCSE)
EWD Hosting
Reply With Quote
  #68  
Old 10-23-2008, 11:02 AM
 
pixellogo pixellogo is offline
 

Advanced Member
  
Join Date: Oct 2005
Posts: 54
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Yes please I beg of you to elaborate more on that local computer check.

I'll do your laundry mate.
__________________
Logo Design By Pixellogo
X-Cart 4.0.15
Reply With Quote
  #69  
Old 10-23-2008, 11:04 AM
 
tradedvdshop tradedvdshop is offline
 

Advanced Member
  
Join Date: Jun 2007
Location: Kent UK
Posts: 30
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi, no, sorry, I think he meant check your server files on your host.
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


Reply With Quote
  #70  
Old 10-23-2008, 11:08 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Manic
Manolodf, I was hit with the iframe attack too. Can you elaborate on what to look for in my local computer? I looked into the \drivers folder as you suggested. I did notice some files dated 10/8/2008 - but not sure what to make of that. Any advice?

Thanks.

Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts".
Open it with notepad and make sure that no entries have been made there.

A stock, untouched file looks like the one below:
Quote:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

If you see any entry other than 127.0.0.1 localhost, your computer has been compromised.

By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.

For example, let's say that yoursite.com is supposed to point to 11.11.11.11
A hacker can edit the hosts file and add the following entry:
22.22.22.22 yoursite.com

So when you type yoursite.com in your browser, you will actually be visiting the site at 22.22.22.22 and not 11.11.11.11
This can be used to further collect any logins you try at that site, etc...

Scary, huh?
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
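
Added example, not part of the original post: a POSIX shell and awk sketch of the hosts file check described above, listing every active mapping other than the loopback localhost entry so it can be reviewed. The function names are hypothetical and the sample file is constructed from the stock text and the 22.22.22.22 example in the post; it takes the path to the hosts file (or a copy of it) as its argument and also accepts the IPv6 loopback form "::1 localhost".

```shell
#!/bin/sh
# Added example; hosts_extra, hosts_check and make_hosts_sample are
# hypothetical names.

# hosts_extra FILE
# Print every active mapping in a hosts-format FILE other than the loopback
# localhost entries, one "ip name" pair per line.
hosts_extra() {
    awk '
    {
        sub(/\r$/, "")      # Windows files use CRLF line endings
        sub(/#.*/, "")      # drop comments, including trailing ones
        if (NF < 2) next    # blank line, or an address with no name
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (($1 == "127.0.0.1" || $1 == "::1") && name == "localhost")
                continue
            print $1, name
        }
    }' "$1"
}

# hosts_check FILE
# Exit 0 when only loopback entries are present; otherwise print the extra
# mappings and exit 1.
hosts_check() {
    extra=$(hosts_extra "$1") || return 2
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Write a constructed sample (CRLF line endings) and print its path.
make_hosts_sample() {
    f=$(mktemp) || return 1
    printf '%s\r\n' \
        '# Copyright (c) 1993-1999 Microsoft Corp.' \
        '# 102.54.94.97 rhino.acme.com # source server' \
        '127.0.0.1 localhost' \
        '::1 localhost' \
        '22.22.22.22 yoursite.com   # entry from the example in the post' \
        > "$f"
    printf '%s\n' "$f"
}

if [ "${1:-}" = demo ]; then
    sample=$(make_hosts_sample) && hosts_check "$sample"
    rm -f "$sample"
fi
```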

All times are GMT -8. The time now is 02:55 AM.

   

 