X-Cart forums - View Single Post - Warning: Iframe based attacks using stolen FTP access info

gennarof · #**192** 11-10-2008, 01:36 PM

The files on my server that were hacked in this way were limited to the mm_ bla bla bla.php files associated with firetank software. Cleaned the files many times and replaced them on the server and everything would run fine for a while then bam... Same text added to end of file echo ..... bla bla bla.. then firetank Marketing Manager software wouldn't run without errors attributable to the two hacked files. Each time I cleaned the files marketing manager would run for a while then give me an error message
Bear In mind that I almost always use CoreFTP lite to FTP up to MY Server

Here is how I solved my problem.

Scanned server found no trojans no virus's.

Scanned pc hard drive picked up a few small files with addware no virus's.

changed ftp passwords. FTP'd to site cleaned two files, ran marketing manager on and off for about 20 min.... then problem returned..

did this same thing four of five more times with very similar experience. Only the last time I did this I got an error message while ftp"d to the server.. The message looked to me to be partly in an asian language. Strange to me so I repaired the files again and everything worked ok for a while then hacked file again.

As I said before, Normally I used CoreFTP lite to ftp up to the server.

What I did to edit the bad line of code from the two hacked files was ftp'd up to the server using WS_FTP Pro. Ran marketing manager software multiple times for most of the day no problems..

Signed on to the server with CoreFTP lite searched a few directrories and about 10 min later ran Marketing manager software and it was corrupt. Closed CoreFTP lite and went back up to server using WS_FTP Pro, edited bad lines of code out of two files. saved them and then exited.

Since I have not used CoreFTP lite, the marketing manager software has run flawlessly.

SO FOR THOSE THAT HAVE THE PROBLEM IT MAY BE COMMING FROM THE FTP CLIENT YOU ARE USING.. IF IT IS Coreftp lite I can almost assure you that it is the problem. I am still running the firetank software and have not had a repeat of the problem since I have not invoked Coreftp lite. So for me it seems that whatever is hacking my files is doing it through the FTP client CoreFTP lite only when I load the software to ftp up to the server. It is not happening with WS_FTP Pro.

Hope this helps some of you...