X-Cart: shopping cart software

Warning: Iframe based attacks using stolen FTP access info (https://forum.x-cart.com/showthread.php?t=43161)

cflsystems 10-29-2008 07:17 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I feel for you guys. All of you whose sites are infected. Just wondering... did any of you whose sites are/were infected close them as soon as you discovered the infection, until you cleaned all the "bad" code in them? Some of us could click on a link to your sites from somewhere and get this virus or whatever it is. I have been reading this thread for a couple of days and am getting more and more scared.

sunset 10-29-2008 07:26 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hiya Steve...the first time it happened a couple of days ago, I noticed the exploit was on the shoppers side of the store....as I could see it loading in the status bar when I pulled up Mozilla.

I got my Hosting company to close the store asap. My computer was clean and the server files were all clean, before I went live again.

This time, it doesn't appear to be on the shoppers side, it seems to be in my admin side, so when I log onto the store admin, it loads in the status bar.
The store is still live at present, and they said it was okay to be live. I am waiting now on a response from the hosting co to see what action is to be taken next.

It's just so ridiculous that it's happened Steve - and I am getting more and more frustrated and angry as the days go by, and clients are lost. I just hope it gets sorted asap.

TWS Accessories 10-30-2008 02:14 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by sunset
Hiya Steve...the first time it happened a couple of days ago, I noticed the exploit was on the shoppers side of the store....as I could see it loading in the status bar when I pulled up Mozilla.

I got my Hosting company to close the store asap. My computer was clean and the server files were all clean, before I went live again.

This time, it doesn't appear to be on the shoppers side, it seems to be in my admin side, so when I log onto the store admin, it loads in the status bar.
The store is still live at present, and they said it was okay to be live. I am waiting now on a response from the hosting co to see what action is to be taken next.

It's just so ridiculous that it's happened Steve - and I am getting more and more frustrated and angry as the days go by, and clients are lost. I just hope it gets sorted asap.



Do what I did - go through every folder and subfolder by hand. So far, I've done this for 4 web sites and each site has taken approximately 1 1/2-2 hours to fully clean out. They really got into the sites because I was even cleaning out preinstalled stats programs from my hosting company, so make sure you get everything, including non x-cart files. Just go through every directory.

balinor 10-30-2008 02:23 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
You don't need to go through every folder by hand - as stated above there are some scripts that can be run to clean this out for you which will minimize the time the store needs to be down.

sunset 10-30-2008 02:29 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hi Impostercity - thanks very much for the advice. I shall look back on this thread again and check the exact code that "shouldn't" be in the files. I'm not too expert on the back end of the site. :)

Thanks Balinor...not too sure on how to use scripts...
I will take a read back and see what I can find.

Thanks guys!

balinor 10-30-2008 02:30 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
That's what your host is for - they should be able to help you with problems like this. If they don't, time to move to one that does.

TWS Accessories 10-30-2008 02:44 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by balinor
That's what your host is for - they should be able to help you with problems like this. If they don't, time to move to one that does.


Well the damage has been done (1 day lost) trying to clean things out. Let's hope this problem doesn't creep back. So far, I've changed all of these FTP passwords to 100 strength:

1. FTP
2. WHM (have my own server)
3. X-cart Logins

Later today, my x-cart guru is looking into dbase exploits (if there are any) and see what can be done about that. Has anyone experienced db exploits of any kind or can shed some light on this matter?

gb2world 10-30-2008 10:23 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

1. FTP
2. WHM (have my own server)
3. X-cart Logins

When you say WHM - I am not sure if you are including your database passwords. If not - it is advisable to change those as well. Your config.php file has your db passwords in it and if someone had access to your site - they could have picked them up.

There have been no database exploits reported in this thread, but best to be safe.

It is really not advisable to go through your files one by one. Not only is it time consuming - it is inefficient. You could miss something. Talk to your host about the scripts in post 64 + the added advice in post 143. Also, send the last bit of advice (after "Dear recommended hosting providers") from Ene in post 139 to your hosting provider and see if they can implement that.
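
An added example, not part of the thread and not the scripts referred to in post 64: one way to automate the file-by-file check discussed above, by flagging hidden iframes that load from an external URL anywhere under the web root. The extension list, the hidden-frame heuristics and the sample files in `demo()` are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: file types that can carry injected markup on a PHP/Smarty store.
SCAN_EXT = {".php", ".html", ".htm", ".tpl", ".js", ".inc"}
# Assumption: injected frames are hidden (0/1 pixel size or CSS-hidden)
# and load from an absolute external URL.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    rb"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?["'\s;>]"""
    rb"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
EXTERNAL_RE = re.compile(rb"""src\s*=\s*["']?(?:https?:)?//""", re.IGNORECASE)


def scan_file(path):
    """Return (line_number, tag) for each hidden external iframe in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(data.count(b"\n", 0, m.start()) + 1, m.group(0).decode("latin-1"))
            for m in IFRAME_RE.finditer(data)
            if HIDDEN_RE.search(m.group(0)) and EXTERNAL_RE.search(m.group(0))]


def scan_tree(root):
    """Walk every directory under root (non-cart files too) and map path -> hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXT:
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Scan a constructed tree: one injected file, one legitimate embed."""
    bad = b'<?php echo 1; ?>\n<iframe src="http://bad.example/x" width=1 height=1></iframe>\n'
    ok = b'<iframe src="https://maps.example/embed" width="600" height="400"></iframe>\n'
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "stats"))
        for rel, data in (("stats/index.php", bad), ("home.html", ok)):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

A hit is a lead for manual review rather than proof of compromise, since legitimate widgets can also use hidden frames.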

bigredseo 10-30-2008 01:16 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hey people, I haven't added to this thread in a while but I have been watching.

Like Emerson, CSF is enabled on our servers as a software level firewall. Quest has failed to contact us back regarding the IP number that was exploited, however we have had no further incidents from that IP.

We've also gone pretty much this entire week without any incidents and only ONE user that had a repeat incident (they failed to run any virus scanners etc and instead just changed their cPanel passwords).

To those that are suggesting checking files, contact your host. There's a reason that you pay your webhosting company each month for support. Any web hosting company SHOULD be assisting you with tracking down these incidents. If they are not, or they are dragging their feet, it's time to change hosts.

To the user with the dedicated server and wanting to know about changing WHM and cPanel securely. Contact your host - have them change it for you if you feel more comfortable. They should be able to provide this service to you.

There have been no further incidents that we have seen on our servers. We continue to run scans on our servers, but nothing is showing at all. It looks like this particular incident has passed (knock on wood).

sunset 10-30-2008 04:11 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Thanks gb2world & Conor. Appreciate the advice.

Conor - so good to hear that. Fingers crossed it's gone for good.

Cheers guys.


All times are GMT -8.