X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Warning: Iframe based attacks using stolen FTP access info (https://forum.x-cart.com/showthread.php?t=43161)

tradedvdshop 10-24-2008 02:05 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Anyone know if X-Cart support uses a fixed IP address?

verbic 10-24-2008 03:26 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hello,

Last night and this morning we did a thorough investigation of our infrastructure and especially the support HelpDesk. We did various checks including code sanitizing, log file analysis, virus scanning, analyzed traffic patterns etc., and did not find any signs of intrusion or security breach. Also, some people from this forum confirmed that logins they had never submitted to our HelpDesk were used during the attack. Some of the affected clients had an absolutely empty access list.
Although we found nothing, we will do several prophylactic checks during the next weeks.

We also had a chance to analyze the attack at one of our clients' servers. Most likely this virus spreads in a worm-like fashion:

1. Once the virus is installed on a computer, it scans the system for cached FTP logins/passwords, if there are any.
2. It sends the discovered login details to the central server, which processes them, connects to the site using FTP access, scans the web directory and infects index.html/php files.
3. People view the infected sites and the virus is installed on their computers. Some of them have cached FTP access details. Then the cycle repeats.
The attack was so successful because antivirus companies only included these viruses in their databases on Oct 20 - 22. So until then they ran amok hitting unprotected systems.

Here are reports about similar incidents from the third parties:
http://www.webmasterworld.com/apache/3771650.htm
http://www.phpbb.com/community/viewtopic.php?f=46&t=1096195

Although the virus dropping site seems to be blocked now, it would be a good idea to change FTP/SSH access details in case they were harvested by the virus.

bigredseo 10-24-2008 08:24 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hello Verbic,

Thank you for your update on the helpdesk issue - that will at least put our minds at ease regarding the Helpdesk being exploited.

I found the webmasterworld post last night, but due to having done a number of searches on their forum (without a user account) they then blocked my IP and required me to register/login. As a result I was unable to grab the thread. I do know that it was started on 10/23, so right in the same timeframe that we are dealing with. The other one on phpBB is from an attack in July, so while similar, not current.

We continue making scans on our servers for our users, but with limited results.

Also, update on Quest - no response - STILL.

Emerson 10-24-2008 08:47 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Conor,

Yes, I had reported it to them yesterday and the day before. No word from them either.

For those of you that are looking for affected files it is not just index files they are editing.
I have seen /include/templater/plugins/modifier.default.php and also /Smarty-X.X.X/plugins/modifier.default.php tampered with.

If you think you have been hit, your best bet is to contact your host and have them scan your entire home directory for you. It is much easier and more effective that way.

bigredseo 10-24-2008 08:55 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
We have also found ONE file with the "main.php" being compromised.

Basically any file with the following words in its name is a likely target:

INDEX, DEFAULT, MAIN

We've seen the following:
index.htm, index.html, index.php
default.html, default.html, default.php
modifier.default.php
main.php

If you are unable to find the files yourself, please contact your host and provide them the search commands as posted in post 64 here on the forums. They should be able to scan your site for any references to IFRAME and live-counter.
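The search bigredseo and Emerson describe (likely-target file names, any `<iframe>` tag, references to live-counter) as an added example that is not part of the thread or of X-Cart's own code: a small POSIX shell script that scans a web root for the index/default/main/modifier.default.php files and reports the ones containing an iframe. The sample web root, the hostname live-counter.example.invalid and the injected lines are constructed for the demonstration; real hits still need a manual look, since a storefront can legitimately embed an iframe.

```shell
#!/bin/sh
# Added example (not from the thread or from X-Cart): scan a web root for
# injected <iframe> tags in the file names the thread reports as targets.
# "live-counter" is the string the thread mentions; the hostname
# live-counter.example.invalid and the sample files below are constructed.

# List likely-target files (index.*, default.*, main.*, modifier.default.php)
# under directory $1 that contain an <iframe> tag, case-insensitively.
scan_webroot() {
    find "$1" -type f \( -iname 'index.*' -o -iname 'default.*' \
        -o -iname 'main.*' -o -iname 'modifier.default.php' \) \
        -exec grep -il '<iframe' {} + 2>/dev/null | sort
}

# Print the offending lines of one file with line numbers, for manual review.
show_iframes() {
    grep -in '<iframe' "$1"
}

# Count files anywhere under $1 that mention live-counter (the host named in
# the thread); a non-zero count is a strong sign of this particular injection.
count_live_counter() {
    grep -rli 'live-counter' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# --- constructed sample web root -------------------------------------------
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/include/templater/plugins" "$SAMPLE_ROOT/skin"

# clean storefront page: no iframe at all
printf '<html><body>Shop front</body></html>\n' > "$SAMPLE_ROOT/index.html"

# constructed infection: a hidden 0x0 iframe appended after the PHP code
printf '<?php include "./top.inc.php"; ?>\n<iframe src="http://live-counter.example.invalid/c.php" width="0" height="0"></iframe>\n' \
    > "$SAMPLE_ROOT/index.php"

# constructed infection of the Smarty plugin Emerson saw tampered with
printf '<?php function smarty_modifier_default($s, $d) { return $s; } ?>\n<iframe src="http://live-counter.example.invalid/x" style="display:none"></iframe>\n' \
    > "$SAMPLE_ROOT/include/templater/plugins/modifier.default.php"

# a file whose name matches no target pattern; scan_webroot ignores it
printf '<iframe src="/player.html"></iframe>\n' > "$SAMPLE_ROOT/skin/video.html"

echo "Likely-target files containing <iframe>:"
scan_webroot "$SAMPLE_ROOT"
echo "Files mentioning live-counter: $(count_live_counter "$SAMPLE_ROOT")"
```

Run it as-is to see the two constructed hits; to scan a real site, call `scan_webroot /path/to/webroot` and `show_iframes` on each reported file. The name filter keeps the output short, but the thread's advice stands: a full scan of the whole home directory (`count_live_counter` is the crude version of that) catches files the attacker renamed or placed elsewhere.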

gargonzo 10-24-2008 10:03 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
folks -- ok, so if we have a server.. what do we do? I've checked via SSH for live-counter and it's come back negative..

in the meantime -- what should be done to prevent intrusion..

just change the root passwords?

garz

BCSE 10-24-2008 10:08 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by gargonzo
folks -- ok, so if we have a server.. what do we do? I've checked via SSH for live-counter and it's come back negative..

in the meantime -- what should be done to prevent intrusion..

just change the root passwords?

garz


Change *ALL* passwords that relate to ftp and/or ssh, cpanel, plesk, etc. It would never hurt either to change X-cart admin passwords.

Make sure your X-Cart security patches are installed (although this thread doesn't relate to any X-Cart vulnerabilities, we find so many sites that let this go and do not patch in a timely manner).

Carrie

bigredseo 10-24-2008 10:08 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
If you've run that scan, then that's about all at the moment. You're not infected. Change the root passwords on the system and any passwords for FTP accounts etc just to be sure.

EN4U 10-24-2008 01:08 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by Emerson
Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts".
Open it with notepad and make sure that no entries have been made there.

A stock, untouched file looks like the one below:


If you see any entry other than 127.0.0.1 localhost, your computer has been compromised.

By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.

For example, let's say that yoursite.com is supposed to point to 11.11.11.11.
A hacker can edit the hosts file and add the following entry:
22.22.22.22 yoursite.com

So when you type yoursite.com in your browser, you will actually be visiting the site at 22.22.22.22 and not 11.11.11.11.
This can be used to further collect any logins you try at that site, etc...

Scary, huh?


I'm seeing this.... is this ok, as the second line worries me..

127.0.0.1 localhost
::1 localhost

Emerson 10-24-2008 01:10 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
that is ok
::1 localhost is for IPv6. Not to worry.
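The hosts-file check Emerson describes, with the ::1 answer folded in, as an added example that is not part of the thread: a POSIX shell function that reads a copy of the hosts file (the Windows one at C:\WINDOWS\system32\drivers\etc\hosts, or /etc/hosts), ignores comments and Windows CRLF line endings, and prints every entry that is not exactly "127.0.0.1 localhost" or "::1 localhost". It goes slightly beyond the post by also flagging a loopback address paired with a real hostname, which is the other common tampering (silencing a site rather than redirecting it). The two sample files are constructed; yoursite.com and 22.22.22.22 are the thread's own illustration values.

```shell
#!/bin/sh
# Added example (not from the thread): flag hosts-file entries beyond the
# stock loopback "localhost" lines. The sample files are constructed;
# yoursite.com / 22.22.22.22 come from Emerson's illustration in the thread.

# Print every effective entry of hosts file $1 that is NOT exactly
# "127.0.0.1 localhost" or "::1 localhost". Comments, blank lines and Windows
# CRLF line endings are tolerated; output is "address name [aliases...]".
suspicious_hosts_entries() {
    tr -d '\r' < "$1" \
    | sed 's/#.*//' \
    | awk 'NF >= 2 && !(NF == 2 && ($1 == "127.0.0.1" || $1 == "::1") && $2 == "localhost") {
               line = $1; for (i = 2; i <= NF; i++) line = line " " $i; print line }'
}

# Succeed (exit 0) when the file holds nothing beyond the stock localhost lines.
hosts_is_stock() {
    [ -z "$(suspicious_hosts_entries "$1")" ]
}

# --- constructed samples ----------------------------------------------------
HOSTS_CLEAN=$(mktemp)
HOSTS_BAD=$(mktemp)
trap 'rm -f "$HOSTS_CLEAN" "$HOSTS_BAD"' EXIT

# Stock file as EN4U posted it (IPv4 and IPv6 loopback), with a comment header
# and CRLF endings as a Windows copy would have.
printf '# hosts file header comment (constructed)\r\n#\r\n127.0.0.1       localhost\r\n::1             localhost\r\n' \
    > "$HOSTS_CLEAN"

# Same file with the redirect from the thread's example appended, plus a
# loopback entry that would silence a real hostname (also not stock).
printf '127.0.0.1       localhost\r\n::1             localhost\r\n22.22.22.22     yoursite.com   # injected\r\n127.0.0.1       update.antivirus.example.invalid\r\n' \
    > "$HOSTS_BAD"

for f in "$HOSTS_CLEAN" "$HOSTS_BAD"; do
    if hosts_is_stock "$f"; then
        echo "$f: stock"
    else
        echo "$f: UNEXPECTED ENTRIES"
        suspicious_hosts_entries "$f"
    fi
done
```

On a real machine, copy the hosts file somewhere you can read it and run `suspicious_hosts_entries` on the copy; an empty result is the "stock" state EN4U asked about. Anything printed deserves a look, because a hosts entry wins over DNS for every program on that computer, not just the browser.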

