#1
Warning: Iframe based attacks using stolen FTP access info
There seems to be a hacker out there (looks like they are from Egypt) targeting X-Cart sites with iframe based attacks. Basically they are gaining FTP access to a site and adding an iframe to existing index files, or adding new index files in all of the directories. The iframe loads a virus to anyone who accesses the site, both the admin side and the customer side. As you can imagine, this can be extremely damaging to your store if all of your customers get hit with this virus (particularly if they don't have anti-virus software). If you suddenly start to get a 'secure and insecure' warning in the admin, and see something loading other than your domain, close your browser immediately and contact your host.
The accounts that were hacked (the ones I know of) had FTP passwords that are just about impossible to hack, which means the account data was stolen/intercepted. Where it was stolen from is something myself and a few others are investigating as we speak.
In any event, now would be a VERY good time to change your FTP password, particularly if you have had work done on your site by anyone outside your organization. This can usually be done via your host's control panel.
You can also block these specific IP addresses which seem to be the source of some of the attacks (although these are probably just a proxy):
41.232.70.12
41.232.70.190
41.232.69.30
41.232.69.144
This is a serious threat, so please treat it as such - don't just dismiss this as 'it can't happen to me'.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
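An added example, not part of the original posts: a small Python check a site owner could run over a copy of the web root to spot the two symptoms post #1 describes, index files that contain an iframe pointing off-site and index files that were not there before. The host names, file paths and baseline set are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# src attribute of an <iframe> tag, quoted or unquoted
IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
INDEX_NAME = re.compile(r'^index\.(php|html?)$', re.I)

def foreign_iframes(text, own_hosts):
    """Return iframe src values whose host is not one of own_hosts."""
    hits = []
    for src in IFRAME_SRC.findall(text):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in own_hosts:  # relative URLs have no host
            hits.append(src)
    return hits

def scan_webroot(root, own_hosts, known_index=()):
    """Report index files with off-site iframes or missing from known_index."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in filter(INDEX_NAME.match, files):
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = foreign_iframes(fh.read(), own_hosts)
            if hits or rel not in known_index:
                findings[rel] = {"iframes": hits, "new_file": rel not in known_index}
    return findings

def make_sample_site(root):
    """Constructed sample tree: one clean index, one modified, one newly added."""
    pages = {
        "index.php": '<html><iframe src="/help/popup.html"></iframe></html>',
        "admin/index.php": '<html>ok<iframe src="http://counter.invalid/x" width=0></iframe>',
        "images/index.html": "<iframe src=//counter.invalid/y height=0></iframe>",
    }
    for rel, body in pages.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        make_sample_site(site)
        known = {"index.php", "admin/index.php"}  # hypothetical baseline list
        for rel, info in sorted(scan_webroot(site, {"shop.example"}, known).items()):
            print(rel, info)
```

The baseline set would come from a clean backup or a fresh copy of the distribution; any file it reports is a reason to compare against that copy and to rotate the FTP password.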
#2
Re: Warning: Iframe based attacks using stolen FTP access info
In my version (4.1.10) the following security measure is implemented in the config.php file.
Code:
Should this not stop the attack which you are talking about?
#3
Re: Warning: Iframe based attacks using stolen FTP access info
Na, that keeps X-Cart from being shown IN an Iframe, I don't think it prevents an iframe from being shown IN X-Cart...
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#4
Re: Warning: Iframe based attacks using stolen FTP access info
photo, that prevents the shopping cart from being displayed within an iframe.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#5
Re: Warning: Iframe based attacks using stolen FTP access info
I see. Were these hacks in the latest versions (4.1.10 & 4.1.11) of Xcart?
#6
Re: Warning: Iframe based attacks using stolen FTP access info
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.
__________________
Paul Dodman e-business & m-commerce consultant w: www.luminointernet.com e: xcart@luminointernet.com Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
#7
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
That is not good. Hopefully someone can figure out how these clowns are getting the access info.
#8
Re: Warning: Iframe based attacks using stolen FTP access info
Wow, that's a serious compromise....
Thanks for letting us know Padraic!
#9
Re: Warning: Iframe based attacks using stolen FTP access info
Paul,
What I've seen are iframes loading a live-counter URL. Is that what you have seen as well?
photo, this is not an x-cart vulnerability but FTP passwords are being leaked somewhere.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#10
Re: Warning: Iframe based attacks using stolen FTP access info
How do you mean Emerson?
X-Cart forums © 2001-2020