Warning: Iframe based attacks using stolen FTP access info (https://forum.x-cart.com/showthread.php?t=43161)

photo 10-22-2008 12:01 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by Emerson
photo,
This is not an x-cart vulnerability but FTP passwords are being leaked somewhere.


Is this issue possibly related to certain server control panels like Cpanel?

Emerson 10-22-2008 12:23 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by photo
Is this issue possibly related to certain server control panels like Cpanel?


photo,
It is a possibility but I am leaning more towards a source of logins having been breached.
We had 4 cases here and at first I thought maybe our system was compromised but after further investigation it was concluded that those logins were not available in our system.
So either a helpdesk somewhere has been hacked or e-mails are being intercepted somewhere.
Still investigating as we do not have much information to pinpoint the source of the problem and that is one of the reasons for this thread, so we can get as much information as possible.

We are instructing our customers to not give out their FTP logins to anyone, instead they should create a separate login and once the work is done they can delete that login.

finerpeter 10-22-2008 12:27 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I would presume that the largest concentration of logins and passwords would be with X-Cart tech support. I hope that is not compromised. That would truly be a catastrophe.

Edit: Come to think of it, I'm guessing X-Cart recommended hosts would have quite a number of ftp passwords too in their systems. We know that Emerson's safe so it would be great if the other companies can confirm their status too.

balinor 10-22-2008 01:21 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Yea, this is clearly not an X-Cart vulnerability - but pure information theft. Emerson's servers are locked up tight, so it has to be a leak somewhere.

gb2world 10-22-2008 02:04 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I got hit too. I am at Hands-On - so it seems not likely a vulnerability with the hosts.

I never give out the root ftp passwords, but have created ftp accounts for QT and various vendors - perhaps the compromise was there. My host is suggesting they may have intercepted email somehow. I did email ftp information to some vendors.

I saw the iframe edit in the main index file - am putting in a ticket to find all index files that were modified recently. (I don't have shell access - so I am having to look at directories one by one. So far - I have not found anything else.)

Can anyone describe any other files or functionality that were modified? I'll be looking at all files that were changed today.

balinor 10-22-2008 02:07 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
It is basically every index.php file - if they aren't in a directory, they were created - so look for any index.php file created or edited on the day of the hack.
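The check described in the posts above (find every index file created or edited on the day of the hack and see whether it carries an iframe), as an added example that is not part of the original thread. The function name, the sample tree, the incident window and the `injected.example` URL are all constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# Matches an <iframe ...> tag and captures its src value (quoted or bare).
IFRAME_RE = re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def scan_index_files(docroot, window_start, window_end):
    """List index.* files whose mtime falls in the window, with any iframe src."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if not (window_start <= mtime <= window_end):
                continue
            with open(path, "rb") as fh:
                sources = [s.decode("latin-1") for s in IFRAME_RE.findall(fh.read())]
            # Report the file even with no iframe: it was still touched that day.
            findings.append({"path": os.path.relpath(path, docroot),
                             "modified": mtime, "iframe_src": sources})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Constructed tree: two index files touched on the incident day, one older."""
    root = tempfile.mkdtemp()
    hit = datetime(2008, 10, 22, 9, 30).timestamp()
    old = datetime(2008, 6, 1, 12, 0).timestamp()
    samples = {
        "index.php": (b"<?php echo 'shop'; ?>\n"
                      b"<iframe src=\"http://injected.example/x\" width=0></iframe>", hit),
        "skin1/index.php": (b"<iframe src='http://injected.example/x'></iframe>", hit),
        "admin/index.php": (b"<?php require 'auth.php'; ?>", old),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))  # backdate to the constructed timestamps
    return scan_index_files(root, datetime(2008, 10, 22), datetime(2008, 10, 23))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

File modification times can be reset by whoever holds write access, so treat a clean result as one signal and compare against a known-good backup as well.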

Emerson 10-22-2008 02:08 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hi gb2world.

Seems that iframes were injected in all index files.
Talk to Hands On and have them take a look at your FTP logs and see if this is related.

Actually you can look at the FTP logs yourself. They are found in the access-logs directory in your home directory.
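One way to read those FTP logs for this incident, as an added example that is not part of the original post: it assumes the host writes the common xferlog format (the thread does not say which format is used), and the sample lines, paths, user name and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in xferlog format (an assumption; check your host's logs).
SAMPLE_LOG = """\
Tue Oct 21 18:02:11 2008 1 198.51.100.20 10452 /home/shop/public_html/skin1/main.css a _ i r shop ftp 0 * c
Wed Oct 22 09:30:02 2008 1 203.0.113.7 4521 /home/shop/public_html/index.php a _ o r shop ftp 0 * c
Wed Oct 22 09:30:05 2008 1 203.0.113.7 4688 /home/shop/public_html/index.php a _ i r shop ftp 0 * c
Wed Oct 22 09:30:09 2008 1 203.0.113.7 212 /home/shop/public_html/skin1/index.php a _ i r shop ftp 0 * c
"""

def index_uploads(log_text):
    """Group uploads (direction 'i') of index.* files by (remote host, FTP user)."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # not a complete xferlog record
        # Fields: 5 date tokens, transfer time, remote host, size, filename,
        # then 9 fixed trailing fields. Slicing from the end tolerates
        # filenames that contain spaces.
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        host = f[6]
        path = " ".join(f[8:-9])
        direction, user = f[-7], f[-5]
        if direction != "i":
            continue  # 'o' is a download; only uploads change files on the server
        if not path.rsplit("/", 1)[-1].lower().startswith("index."):
            continue
        by_client[(host, user)].append((when, path))
    return dict(by_client)

if __name__ == "__main__":
    for (host, user), uploads in index_uploads(SAMPLE_LOG).items():
        print(f"{host} as {user}: {len(uploads)} index file upload(s)")
        for when, path in uploads:
            print(f"  {when.isoformat()}  {path}")
```

An address and FTP account that uploaded many index files within seconds tells you which login to disable first and what to hand to the host.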

gb2world 10-22-2008 02:37 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
This is really bad. If they had full ftp access - they could also have picked up all the MYSQL password information. All that needs to be changed too. With access to the db - they can cause all sorts of mischief - and can have all customer information.

bigredseo 10-22-2008 02:38 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
We haven't had any reports of issues other than this one which we just received a ticket on.

I'm checking that server for issues currently, but the iFrame attacks really hadn't been present in over 2 years; I think that was the last time I've seen a rash of them.

Jon 10-22-2008 03:12 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by gb2world
This is really bad. If they had full ftp access - they could also have picked up all the MYSQL password information. All that needs to be changed too. With access to the db - they can cause all sorts of mischief - and can have all customer information.


For example, watch for users modifying the database, changing your CC processing to manual and then changing the admin orders email address to theirs.


All times are GMT -8.