X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Warning: Iframe based attacks using stolen FTP access info (https://forum.x-cart.com/showthread.php?t=43161)

Emerson 10-26-2008 08:28 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by Ene
Dear recommended hosting providers, Emerson, Conor and others. I suggest to implement the following modification on your and our servers.

1. Special shell script will parse all FTP logs every day.
2. If script finds the many uploads of 'index.php, index.html, main.php, default.php' files from one IP, this script will send an email to the server administrator and add this IP to the firewall.
3. We will have special thread on this forum where we will be able to post such suspicious IPs for others to ban these IPs as well.

What do you think?


Hi Ene,

We already have something like this in place. We have all index.* files being watched on our servers.
We use CSF for our firewall and it has the capability of monitoring changes to directories and files.
You set the pattern and if any changes match those patterns we get alerted immediately.
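Ene's proposal above (parse the FTP logs daily, flag any client IP that uploads many index.php/index.html/main.php/default.php files, alert and firewall it) is easy to prototype. The script below is an added example, not code from this thread or from X-Cart/Qualiteam. It assumes the FTP server writes a classic xferlog (wu-ftpd, proftpd and pure-ftpd all can), that "many" means three or more (tunable), and that blocking is done with CSF's `csf -d IP comment`; all three are assumptions for your own servers.

```shell
#!/bin/sh
# Added example, not a script from the thread or from X-Cart/Qualiteam.
# Assumes the FTP server writes a classic xferlog (wu-ftpd, proftpd, pure-ftpd):
#   $1-$5 timestamp, $6 transfer secs, $7 client IP, $8 bytes, $9 path,
#   $12 direction (i = upload, o = download), $14 FTP account.
# The threshold and the CSF command line are assumptions to tune per server.

# suspicious_uploads LOGFILE [THRESHOLD]
# Print "IP uploads accounts" for every client IP that uploaded at least
# THRESHOLD (default 3) index.php / index.htm(l) / main.php / default.php
# files. Counting distinct FTP accounts as well makes the "one IP touching
# many shops" pattern the thread describes stand out from a busy developer.
suspicious_uploads() {
    awk -v thr="${2:-3}" '
        $12 == "i" {
            n = split($9, parts, "/"); base = parts[n]
            if (base ~ /^(index\.(php|html?)|main\.php|default\.php)$/) {
                count[$7]++
                key = $7 SUBSEP $14
                if (!(key in seen)) { seen[key] = 1; accounts[$7]++ }
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= thr)
                    printf "%s %d %d\n", ip, count[ip], accounts[ip]
        }' "$1" | sort -k2,2nr
}

# block_commands: read report lines on stdin, print the matching CSF deny
# command. Printed for review, not executed; pipe the output to sh (or to
# mail for the admin) once a human has checked the list.
block_commands() {
    while read -r ip uploads accounts; do
        printf 'csf -d %s "mass index upload: %s files across %s accounts"\n' \
            "$ip" "$uploads" "$accounts"
    done
}

# Constructed sample log (not real traffic): one IP rewrites index files in
# three shops within minutes; a second IP uploads one index.php and then
# downloads one (direction o), which must not count; a third uploads an image.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mon Oct 27 03:12:01 2008 1 203.0.113.5 4212 /home/shopa/public_html/index.php a _ i r shopa ftp 0 * c
Mon Oct 27 03:12:03 2008 1 203.0.113.5 1104 /home/shopa/public_html/skin1/main.php a _ i r shopa ftp 0 * c
Mon Oct 27 03:14:30 2008 1 203.0.113.5 4198 /home/shopb/public_html/index.html a _ i r shopb ftp 0 * c
Mon Oct 27 03:15:02 2008 1 203.0.113.5 4205 /home/shopc/public_html/default.php a _ i r shopc ftp 0 * c
Mon Oct 27 09:40:11 2008 2 198.51.100.7 3999 /home/shopa/public_html/index.php a _ i r shopa ftp 0 * c
Mon Oct 27 09:41:00 2008 1 198.51.100.7 5000 /home/shopa/public_html/index.php a _ o r shopa ftp 0 * c
Mon Oct 27 10:02:45 2008 1 192.0.2.9 12000 /home/shopa/public_html/images/logo.gif b _ i r shopa ftp 0 * c
EOF

# Daily run: report, then the deny commands for review.
suspicious_uploads "$LOG"
suspicious_uploads "$LOG" | block_commands
```

Run it from cron against yesterday's log; on the sample it reports only 203.0.113.5 (4 uploads into 3 accounts), because downloads and non-index files are ignored and the second IP stays under the threshold.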

Ene 10-26-2008 10:56 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

We already have something like this in place. We have all index.* files being watched on our servers.
We use CSF for our firewall and it has the capability of monitoring changes to directories and files.
You set the pattern and if any changes match those patterns we get alerted immediately.

It is always great to know that our recommended hosting providers are better than the usual average hosts : -)

----

BTW:

* http://www.kb.cert.org/vuls/id/827267
* http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx:

Quote:

This vulnerability is being currently exploited in the wild.

RealCarAudio 10-27-2008 09:05 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by handsonwebhosting
I had given this command to Emerson yesterday and a couple of other people who have dedicated servers, but this is what we're using to find the "live-counter" information:

Code:

find /home/*/public_html -exec grep -n live-counter /dev/null {} \;

What this command is doing:
Find = find
/home/*/public_html = the directory. We search all USER directories (*) and the public_html inside of it.
-exec = execute
grep = find certain words
-n = print the file and line number that you find the word on
live-counter = the word we're searching for
/dev/null {} \; = stuff to make it happen in the background, then output results to your screen.

This command is run through SHELL. If you don't have shell, ask your host to run it for you (or a modified version searching your files).

Here's another command that one of our users asked about:

Code:

find /home/XXXXXXXX/public_html -type f -mtime -16 -exec ls -ltra {} \; > output.txt

the "XXXXXXXX" is the username on the account.

What this is doing is finding all "-type f" (FILES) that have been "-mtime" (MODIFIED) in the last "-16" days. Then it runs an "ls -ltra" - which is a listing of the files with the date and time stamp. And then "> output.txt" - output the results to a text file.

You will likely get a lot of TEMPLATE files listed on there through the template cache, but beyond that, it may help those looking to locate files that have been modified since October 8th.

EDIT: --- RUN an "updatedb" on the command line first. This will update the index on where files are located and prevent the listing of files that are no longer in existence etc.



I would definitely suggest modifying the code line above and removing the public_html. On one of the sites I do programming for he received this nasty little bug and I found some instances of the iframe located within pages for the stats programs they are running, which is before the public_html web accessible directory.

I also suggest doing a search of all your files for anything using the following:

document.write(unescape(

I know it is used in the Google Analytics code, but if you find it within our files and do not know why it is there I would be asking some MAJOR questions. : )


I for one can also say I know this did not happen due to X-Cart's help desk as I have not used their help desk and have not given the FTP password to anybody but my client that I do programming for.

Good luck to everybody....
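Putting handsonwebhosting's two commands and RealCarAudio's two suggestions (search the whole account, not only public_html; look for `document.write(unescape(` as well as `live-counter`) together gives a small sweep script. This is an added example, not code from the thread: the indicator list, the cache directory name (`templates_c`, X-Cart's compiled-template cache) and the 16-day window are assumptions you should adjust for your own server.

```shell
#!/bin/sh
# Added example, not code from the thread. Sweeps an account's whole home
# directory (not just public_html, as RealCarAudio suggests) for the two
# strings the thread names as indicators, and separately lists recently
# modified files while skipping the template cache that handsonwebhosting
# warns will flood the listing. The cache directory name and the indicator
# list are assumptions; extend both as you learn more about the injection.

CACHE_DIR="${CACHE_DIR:-templates_c}"

# find_iocs ROOT: print every regular file under ROOT containing an indicator.
# -F keeps the parentheses literal; -l prints each path once.
# document.write(unescape( also appears in legitimate Google Analytics
# snippets, so every hit needs a human to decode and read the payload.
find_iocs() {
    find "$1" -type f -exec grep -lF \
        -e 'live-counter' \
        -e 'document.write(unescape(' \
        {} +
}

# recent_files ROOT DAYS: regular files modified in the last DAYS days,
# pruning the compiled-template cache so it does not drown the listing.
recent_files() {
    find "$1" -name "$CACHE_DIR" -prune -o -type f -mtime "-$2" -print
}

# Constructed sample tree (not a real account): an old clean skin file, a
# fresh clean index.php, an injected index.html, a stats page outside
# public_html carrying the counter string, and a cache file to be ignored.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/public_html/skin1" "$ROOT/public_html/$CACHE_DIR" "$ROOT/stats"
printf '{include file="head.tpl"}\n' > "$ROOT/public_html/skin1/clean.tpl"
touch -t 200810010000 "$ROOT/public_html/skin1/clean.tpl"   # older than the outbreak
printf '<?php require "./top.inc.php";\n' > "$ROOT/public_html/index.php"
printf '<html><body>shop</body></html>\n<script>document.write(unescape("%%3Ciframe"))</script>\n' \
    > "$ROOT/public_html/index.html"
printf '<?php // stats page\n?><!-- live-counter -->\n' > "$ROOT/stats/index.php"
printf 'compiled template\n' > "$ROOT/public_html/$CACHE_DIR/index.tpl.php"

echo "== indicator hits =="
find_iocs "$ROOT" | sort
echo "== modified in the last 16 days (cache skipped) =="
recent_files "$ROOT" 16 | sort | while read -r f; do ls -l "$f"; done
```

On the sample tree the indicator search returns the injected index.html and the stats page that sits outside public_html, and the modification listing returns the three fresh files but neither the 2008-dated skin file nor the cache entry. On a real server replace ROOT with /home/USERNAME and run it per account, or with /home to cover all of them.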

AmorAlMayor 10-27-2008 10:22 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Is there really still no answer to HOW this happened?

balinor 10-27-2008 10:29 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
We may never know the specifics, but it looks like it started with someone who had a few X-Cart FTP logins on their computer, got the virus which infected those sites and it was all downhill from there. If you are looking for blame, you probably are never going to find the actual 'Typhoid Mary' who started it all.

Jon 10-27-2008 10:51 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
If people post their exploited url, and all the people who have had FTP access, a common denominator could likely be found.

manolodf 10-27-2008 02:32 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by Jon
If people post their exploited url, and all the people who have had FTP access, a common denominator could likely be found.

I agree, start listing your providers that might have had FTP Information and pretty soon the finger will start pointing at whoever it was stolen from.

balinor 10-27-2008 02:41 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
The thing is, it could have been stolen from - well - yourself. If you visited a site with the hack, you'd get the virus, and thus infect your site if you didn't have adequate virus protection. So it may not be one source, but hundreds.

manolodf 10-27-2008 02:44 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
People that have run scans and have noticed they themselves have been exploited should not mention or contribute to the list, but ones that have scanned and have not found the exploit should say who had their information to find a common denominator. If you had an exploit then assume that it was stolen from yourself, only if your computer(s) is clean then start listing out providers and other people with access.

gb2world 10-27-2008 03:48 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
It seems that it might be easier to provide that kind of information if there was a central place assigned to collect and analyze that data - perhaps someone assigned at QT or one of the service providers that is already studying this? I'm reluctant to post that on the forum because the speculation in an open forum could mistakenly target the wrong person and hurt their business.



Powered by vBulletin Version 3.5.4