  #139  
Old 10-26-2008, 07:46 AM
Ene
X-Cart team
Join Date: Aug 2004
Posts: 907
 

Re: Warning: Iframe based attacks using stolen FTP access info

Hi,

My 2 cents.

Quote:
Support: I cannot rely on any personal opinion, as it would be a huge debate, but the following methods are most dangerous to use: exec, passthru, unescape, base64, eval
Support: I can see many methods used on your sites
Support: also PHP has developed safe_mode to prevent such issues, but it has been disabled due to the need of the application

Actually it is safe to use the exec/passthru/base64/eval functions. It isn't necessary to enable PHP's safe_mode option. But it isn't necessary to enable it, and it is safe to use these functions, only if your host is good and secure.

So a good host doesn't disable the 'base64' function. A good host just makes a secure environment in order to prevent hackers' attacks.

If a host thinks "Hackers use the base64 function in their PHP remote shells, let's disable this function!", it looks like "People can kill using knives, let's forbid knives!"
:-)


Quote from http://www.mediawiki.org/wiki/Safe_mode :

Quote:
PHP's safe_mode is an ill-conceived, broken-by-design setting in PHP that is supposed to make broken scripts safe. It was deprecated in PHP5 and removed in PHP6.

-----

Quote:
This issue is related to the x-cart software, no doubt about that.

Some facts.

1. Some X-Cart stores never posted access info to the HelpDesk, and they were hacked.

2. Not only X-Cart sites were hacked. See some links to the phpBB and webmasterworld forums.
Also:

* http://webhostplanet.org/please-help-about-this-iframe-wierd-iframe-live-counternet-hosttrackernet/
* http://www.vbulletinsetup.org/wordpress-isssue/

Why were many X-Cart sites (>10 sites) hacked? I have two ideas:

* because we have many clients, statistically some of them caught the virus that steals FTP passwords.

* somehow a 3rd-party developer caught the virus and all his clients were hacked.

-----

Dear recommended hosting providers, Emerson, Conor and others. I suggest implementing the following modification on your servers and ours.

1. A special shell script will parse all FTP logs every day.
2. If the script finds many uploads of 'index.php', 'index.html', 'main.php' or 'default.php' files from one IP, it will send an email to the server administrator and add this IP to the firewall.
3. We will have a special thread on this forum where we can post such suspicious IPs so that others can ban them as well.

What do you think?
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex-X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
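The daily FTP-log check proposed in steps 1 and 2 of the post above, written out as an added example. This is not code from the original post, from X-Cart or from any hosting provider in the thread. It assumes the FTP server writes xferlog-format lines (wu-ftpd, proftpd and vsftpd can all produce this format), a threshold of 5 flagged uploads per IP per day (the THRESHOLD variable, my choice), and it works on a constructed sample log embedded in the script rather than on /var/log/xferlog.

```shell
#!/bin/sh
# Added example, not part of the original post or of X-Cart's code.
# Implements the proposal above: parse FTP transfer logs, count uploads of
# index.php / index.html / main.php / default.php per client IP, and report
# IPs over a threshold for the administrator to review and firewall.
#
# Assumption: the log is in xferlog format (wu-ftpd, proftpd, vsftpd):
#   field 7  = remote host (client IP)
#   field 9  = path of the transferred file
#   field 12 = direction, "i" for incoming (upload), "o" for outgoing
#   field 18 = completion status, "c" for complete
# Paths containing spaces are not handled by this field split.

THRESHOLD="${THRESHOLD:-5}"   # uploads per IP per day before an IP is flagged

# Constructed sample log (not real traffic). 203.0.113.5 drops index pages
# into six different accounts; 198.51.100.7 is an ordinary customer upload.
SAMPLE_LOG=$(cat <<'EOF'
Mon Oct 27 10:15:01 2008 1 203.0.113.5 2048 /home/shopa/public_html/index.php b _ i r shopa ftp 0 * c
Mon Oct 27 10:15:09 2008 1 203.0.113.5 2048 /home/shopb/public_html/index.php b _ i r shopb ftp 0 * c
Mon Oct 27 10:15:17 2008 1 203.0.113.5 1150 /home/shopc/public_html/index.html b _ i r shopc ftp 0 * c
Mon Oct 27 10:15:26 2008 1 203.0.113.5 2048 /home/shopd/public_html/main.php b _ i r shopd ftp 0 * c
Mon Oct 27 10:15:34 2008 1 203.0.113.5 2048 /home/shope/public_html/default.php b _ i r shope ftp 0 * c
Mon Oct 27 10:15:41 2008 1 203.0.113.5 2048 /home/shopf/public_html/INDEX.PHP b _ i r shopf ftp 0 * c
Mon Oct 27 10:15:50 2008 1 203.0.113.5 2048 /home/shopg/public_html/index.php b _ o r shopg ftp 0 * c
Mon Oct 27 11:02:03 2008 3 198.51.100.7 90112 /home/shopa/public_html/images/banner.jpg b _ i r shopa ftp 0 * c
Mon Oct 27 11:02:30 2008 1 198.51.100.7 2048 /home/shopa/public_html/index.php b _ i r shopa ftp 0 * c
EOF
)

# flag_ips: read xferlog lines on stdin, print "ip count" for every client
# IP whose completed uploads of the watched filenames reach THRESHOLD.
# Downloads (direction "o") and aborted transfers are ignored; the filename
# comparison is case-insensitive so INDEX.PHP counts too.
flag_ips() {
  awk -v limit="$THRESHOLD" '
    $12 == "i" && $18 == "c" {
      n = split($9, parts, "/")
      name = tolower(parts[n])
      if (name == "index.php" || name == "index.html" ||
          name == "main.php"  || name == "default.php")
        count[$7]++
    }
    END {
      for (ip in count)
        if (count[ip] >= limit) print ip, count[ip]
    }
  ' | sort
}

# ban_rules: turn "ip count" lines into firewall commands. They are printed,
# not executed, so the administrator who receives the email reviews them first.
ban_rules() {
  while read -r ip count; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Daily run, e.g. from cron: replace SAMPLE_LOG with the real log file.
# The report goes to stdout; pipe it to mail(1) for the administrator.
run_report() {
  flagged=$(printf '%s\n' "$SAMPLE_LOG" | flag_ips)
  if [ -n "$flagged" ]; then
    printf 'Suspicious FTP uploads (>= %s per IP):\n%s\n\nSuggested firewall rules:\n' "$THRESHOLD" "$flagged"
    printf '%s\n' "$flagged" | ban_rules
  fi
}

run_report
```

On the sample data the report names 203.0.113.5 with six uploads; the seventh line from that address is a download and is not counted, and the customer at 198.51.100.7 stays under the threshold. Two practical points for anyone deploying something like this: the rules are only printed because an automatic ban on a shared server can lock out a legitimate customer whose account was used, and the IP block alone does not close the hole the post describes, since stolen FTP passwords can be reused from another address, so the accounts that appear in the report still need their passwords reset.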