Re: Warning: Iframe based attacks using stolen FTP access info
Yep, that's the same guy. Really need to figure out how this is happening - there HAS to be a data leak somewhere....
|
Re: Warning: Iframe based attacks using stolen FTP access info
Hi,
I am just getting the FTP login report so I can see what sort of date etc. |
Re: Warning: Iframe based attacks using stolen FTP access info
Looks like the same IP address on the 8th of October: 41.232.71.112, Egypt
|
Re: Warning: Iframe based attacks using stolen FTP access info
I had given this command to Emerson yesterday and a couple of other people who have dedicated servers, but this is what we're using to find the "live-counter" information:
Code:
find /home/*/public_html -exec grep -n live-counter /dev/null {} \;
What this command is doing:
Find = find
/home/*/public_html = the directory. We search all USER directories (*) and the public_html inside of it.
-exec = execute
grep = find certain words
-n = print the file and line number that you find the word on
live-counter = the word we're searching for
/dev/null {} \; = stuff to make it happen in the background, then output results to your screen.
This command is run through SHELL. If you don't have shell, ask your host to run it for you (or a modified version searching your files).
Here's another command that one of our users asked about:
Code:
find /home/XXXXXXXX/public_html -type f -mtime -16 -exec ls -ltra {} \; > output.txt
The "XXXXXXXX" is the username on the account. What this is doing is finding all "-type f" (FILES) that have been "-mtime" (MODIFIED) in the last "-16" days. Then it runs an "ls -ltra" - which is a listing of the files with the date and time stamp. And then "> output.txt" - output the results to a text file.
You will likely get a lot of TEMPLATE files listed on there through the template cache, but beyond that, it may help those looking to locate files that have been modified since October 8th.
EDIT: --- RUN an "updatedb" on the command line first. This will update the index on where files are located and prevent the listing of files that are no longer in existence etc. |
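Added example, not part of the original posts: the two searches above combined into one pass, so that only files which both changed inside the time window and contain the marker are listed. The function names, the sample tree and the example.invalid URL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the two find commands combined.

# scan_docroot DIR MARKER DAYS
# Print every regular file under DIR that was modified within the last DAYS
# days AND contains MARKER as a literal string. The first -exec is used as a
# test: find only continues to -print when grep -q exits 0 (marker found).
scan_docroot() {
    sd_dir=$1; sd_marker=$2; sd_days=$3
    if [ ! -d "$sd_dir" ]; then
        echo "scan_docroot: not a directory: $sd_dir" >&2
        return 2
    fi
    find "$sd_dir" -type f -mtime "-$sd_days" \
        -exec grep -qF -e "$sd_marker" {} \; -print
}

# build_sample_tree: constructed test data; prints the temp directory path.
build_sample_tree() {
    st_dir=$(mktemp -d) || return 1
    mkdir -p "$st_dir/site/cache"
    # Recently modified and carrying the marker: should be reported.
    printf '<iframe src="http://example.invalid/live-counter"></iframe>\n' \
        > "$st_dir/site/index.php"
    # File name with a space, to show the scan copes with it.
    printf '<html>live-counter</html>\n' > "$st_dir/site/about us.html"
    # Recently modified but clean: should not be reported.
    printf '<html>ok</html>\n' > "$st_dir/site/cache/tpl.html"
    # Carries the marker but has an old timestamp: outside the window.
    printf 'live-counter\n' > "$st_dir/site/old.html"
    touch -t 200001010000 "$st_dir/site/old.html"
    echo "$st_dir"
}

# Run "sh scan.sh demo" to see the scan on the constructed tree.
if [ "${1:-}" = "demo" ]; then
    tree=$(build_sample_tree)
    scan_docroot "$tree/site" live-counter 16
    rm -rf "$tree"
fi
```

Replacing `-print` with `-exec ls -l {} \;` gives the date and time stamp listing that the second command in the post produces.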
Re: Warning: Iframe based attacks using stolen FTP access info
Everyone that this has happened to, have you guys checked your hosts file on your Windows computer (normally at C:\WINDOWS\system32\drivers\etc) to make sure there is no DNS exploit?
|
Re: Warning: Iframe based attacks using stolen FTP access info
Hi,
Thanks for that info, I am working on it now. Also I will check the Windows files on my PC. Cheers |
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
Thanks. |
Re: Warning: Iframe based attacks using stolen FTP access info
Yes please I beg of you to elaborate more on that local computer check.
I'll do your laundry mate. |
Re: Warning: Iframe based attacks using stolen FTP access info
Hi, no, sorry, I think he meant check your server files on your host
|
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts". Open it with Notepad and make sure that no entries have been made there. A stock, untouched file looks like the one below:
Quote:
If you see any entry other than 127.0.0.1 localhost, your computer has been compromised. By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.
For example, let's say that yoursite.com is supposed to point to 11.11.11.11
A hacker can edit the hosts file and add the following entry:
22.22.22.22 yoursite.com
So when you type yoursite.com in your browser, you will actually be visiting the site at 22.22.22.22 and not 11.11.11.11
This can be used to further collect any logins you try at that site, etc... Scary, huh? |