[balinor]

There seems to be a hacker out there (looks like they are from Egypt) targeting X-Cart sites with iframe based attacks. Basically they are gaining FTP access to a site and adding an iframe to existing index files, or adding new index files in all of the directories. The iframe loads a virus to anyone who accesses the site, both the admin side and the customer side. As you can imagine, this can be extremely damaging to your store if all of your customers get hit with this virus (particularly if they don't have anti-virus software). If you suddenly start to get a 'secure and insecure' warning in the admin, and see something loading other than your domain, close your browser immediately and contact your host.

The accounts that were hacked (the ones I know of) had FTP passwords that are just about impossible to hack, which means the account data was stolen/intercepted. Where it was stolen from is something myself and a few others are investigating as we speak.

In any event, now would be a VERY good time to change your FTP password, particularly if you have had work done on your site by anyone outside your organization. This can usually be done via your host's control panel.

You can also block these specific IP addresses which seem to be the source of some of the attacks (although these are probably just a proxy):

41.232.70.12
41.232.70.190
41.232.69.30
41.232.69.144

This is a serious threat, so please treat it as such - don't just dismiss this as 'it can't happen to me'.