Warning: Iframe based attacks using stolen FTP access info
There seems to be a hacker out there (looks like they are from Egypt) targeting X-Cart sites with iframe based attacks. Basically they are gaining FTP access to a site and adding an iframe to existing index files, or adding new index files in all of the directories. The iframe loads a virus to anyone who accesses the site, both the admin side and the customer side. As you can imagine, this can be extremely damaging to your store if all of your customers get hit with this virus (particularly if they don't have anti-virus software). If you suddenly start to get a 'secure and insecure' warning in the admin, and see something loading other than your domain, close your browser immediately and contact your host.
The accounts that were hacked (the ones I know of) had FTP passwords that are just about impossible to hack, which means the account data was stolen/intercepted. Where it was stolen from is something myself and a few others are investigating as we speak. In any event, now would be a VERY good time to change your FTP password, particularly if you have had work done on your site by anyone outside your organization. This can usually be done via your host's control panel. You can also block these specific IP addresses which seem to be the source of some of the attacks (although these are probably just a proxy):
41.232.70.12
41.232.70.190
41.232.69.30
41.232.69.144
This is a serious threat, so please treat it as such - don't just dismiss this as 'it can't happen to me'.
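A defensive check for the tampering described in the first post, as an added example that is not part of the original thread: it walks a web root and reports index files containing an iframe whose source is on a host other than the store's own. The host names and file contents below are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Index files are what the first post says get modified or planted.
INDEX_NAME = re.compile(r"^index\.(php|html?)$", re.I)
IFRAME_SRC = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def external_iframes(data, own_hosts):
    """Return iframe src values in raw bytes whose host is not in own_hosts."""
    hits = []
    for match in IFRAME_SRC.finditer(data):
        src = match.group(1).decode("latin-1")
        host = (urlparse(src).hostname or "").lower()
        if host and host not in own_hosts:  # relative URLs have no host
            hits.append(src)
    return hits


def scan_webroot(root, own_hosts):
    """Walk root and return sorted (relative path, iframe src) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and INDEX_NAME.match(path.name):
            for src in external_iframes(path.read_bytes(), own_hosts):
                findings.append((path.relative_to(root).as_posix(), src))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (all hosts are placeholders) and scan it."""
    samples = {
        "index.php": b"<?php include 'home.php'; ?><iframe src='/news.php'></iframe>",
        "skin1/index.html": b"<IFRAME SRC=http://counter.invalid/in.php width=1></IFRAME>",
        "admin/index.php": b'<iframe src="//counter.invalid/in.php"></iframe>',
        "files/readme.txt": b"<iframe src='http://counter.invalid/'></iframe>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return scan_webroot(root, {"shop.example", "www.shop.example"})


if __name__ == "__main__":
    for rel, src in demo():
        print(f"{rel}: iframe loads {src}")
```

To use it on a real site, call `scan_webroot` with the store's document root and the set of host names the store legitimately frames content from.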
Re: Warning: Iframe based attacks using stolen FTP access info
In my version (4.1.10) the following security measure is implemented in the config.php file.
Code:
# Should this not stop the attack which you are talking about?
Re: Warning: Iframe based attacks using stolen FTP access info
Na, that keeps X-Cart from being shown IN an Iframe, I don't think it prevents an iframe from being shown IN X-Cart...
Re: Warning: Iframe based attacks using stolen FTP access info
photo, that prevents the shopping cart from being displayed within an iframe.
Re: Warning: Iframe based attacks using stolen FTP access info
I see. Were these hacks in the latest versions (4.1.10 & 4.1.11) of Xcart?
Re: Warning: Iframe based attacks using stolen FTP access info
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
That is not good. Hopefully someone can figure out how these clowns are getting the access info.
Re: Warning: Iframe based attacks using stolen FTP access info
Wow, that's a serious compromise....
Thanks for letting us know Padraic!
Re: Warning: Iframe based attacks using stolen FTP access info
Paul,
What I've seen are iframes loading a live-counter URL. Is that what you have seen as well?
photo, this is not an x-cart vulnerability but FTP passwords are being leaked somewhere.
Re: Warning: Iframe based attacks using stolen FTP access info
How do you mean Emerson?