X-Cart: shopping cart software


balinor 10-22-2008 10:27 AM

Warning: Iframe based attacks using stolen FTP access info
 
There seems to be a hacker out there (looks like they are from Egypt) targeting X-Cart sites with iframe based attacks. Basically they are gaining FTP access to a site and adding an iframe to existing index files, or adding new index files in all of the directories. The iframe loads a virus to anyone who accesses the site, both the admin side and the customer side. As you can imagine, this can be extremely damaging to your store if all of your customers get hit with this virus (particularly if they don't have anti-virus software). If you suddenly start to get a 'secure and insecure' warning in the admin, and see something loading other than your domain, close your browser immediately and contact your host.

The accounts that were hacked (the ones I know of) had FTP passwords that are just about impossible to hack, which means the account data was stolen/intercepted. Where it was stolen from is something myself and a few others are investigating as we speak.

In any event, now would be a VERY good time to change your FTP password, particularly if you have had work done on your site by anyone outside your organization. This can usually be done via your host's control panel.

You can also block these specific IP addresses which seem to be the source of some of the attacks (although these are probably just a proxy):

41.232.70.12
41.232.70.190
41.232.69.30
41.232.69.144

This is a serious threat, so please treat it as such - don't just dismiss this as 'it can't happen to me'.
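An added example, not part of the original post and not X-Cart code: one way to check a copy of the web root for the symptom described above, by listing index files that contain an iframe loading from a host other than the store's own. The host names, file names and sample content are constructed, and the "hidden" test (zero or one pixel size, or `display:none`) is an assumption about what such an injected frame might look like.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
INDEX_RE = re.compile(r"^index\.(php|html?)$", re.IGNORECASE)


def find_foreign_iframes(text, own_hosts):
    """Return (src, hidden) for every iframe whose src host is not in own_hosts."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        attrs = {m[0].lower(): m[1] or m[2] or m[3] for m in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # relative or same-site frame: not what this check looks for
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = bool({attrs.get("width"), attrs.get("height")} & {"0", "1"}) or "display:none" in style
        hits.append((src, hidden))
    return hits


def scan_webroot(root, own_hosts):
    """Check every index file under root; return sorted (path, src, hidden)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and INDEX_RE.match(path.name):
            text = path.read_text(encoding="utf-8", errors="replace")
            for src, hidden in find_foreign_iframes(text, own_hosts):
                findings.append((path.relative_to(root).as_posix(), src, hidden))
    return sorted(findings)


def demo():
    """Build a small constructed web root in a temp dir and scan it."""
    files = {  # constructed sample content, not taken from any real site
        "index.php": '<?php include "home.php"; ?>\n<iframe src="/help.html"></iframe>',
        "admin/index.php": '<iframe src="http://counter.example.net/in.php" width=0 height=0>',
        "skin1/index.html": "<IFRAME SRC='//widgets.example.net/a' style='display: none'>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_webroot(root, {"shop.example.com"})
```

Pass `own_hosts` as a set of lowercase host names. A finding is only a pointer for manual review against a known-good copy of the file.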

photo 10-22-2008 10:36 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
In my version (4.1.10) the following security measure is implemented in the config.php file.

Code:

#
# The constant FRAME_NOT_ALLOWED forbids calling X-Cart in IFRAME / FRAME tags.
# If you do not use X-Cart in any pages where X-Cart is displayed through a
# frame, this option can be enabled to enhance security. This option prevents
# attacks in which the attacker displays X-Cart through a frame and, using web
# browser vulnerabilities, intercepts the information being entered in it.
#
define("FRAME_NOT_ALLOWED", true);


Should this not stop the attack which you are talking about?

balinor 10-22-2008 10:37 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Na, that keeps X-Cart from being shown IN an Iframe, I don't think it prevents an iframe from being shown IN X-Cart...

Emerson 10-22-2008 10:38 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
photo, that prevents the shopping cart from being displayed within an iframe.

photo 10-22-2008 10:41 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I see. Were these hacks in the latest versions (4.1.10 & 4.1.11) of Xcart?

pauldodman 10-22-2008 11:47 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.

photo 10-22-2008 11:51 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by pauldodman
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.


That is not good. Hopefully someone can figure out how these clowns are getting the access info.

finerpeter 10-22-2008 11:52 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Wow, that's a serious compromise....

Thanks for letting us know Padraic!

Emerson 10-22-2008 11:53 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Paul,

What I've seen are iframes loading a live-counter URL. Is that what you have seen as well?

photo,
This is not an x-cart vulnerability but FTP passwords are being leaked somewhere.

finerpeter 10-22-2008 12:01 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
How do you mean Emerson?

