Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

Warning: Iframe based attacks using stolen FTP access info

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #21  
Old 10-22-2008, 03:15 PM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Nothing has been found on our servers at this time. We currently have an iframe scan in process on 67 of our ecommerce servers - so far, no results other than this one incident.

The only thing I can comment on at the moment is that if this was a normal iFrame attack then it could have been caused by a keylogger or something of that nature. There's a mini article on the iframe incidents located here: http://forums.cpanel.net/showthread.php?t=78595

The only other information I can contribute is that in the case of this one user the iframe linked to "live-counter.net" - again something that Emerson had mentioned previously. A scan of our servers for that combination in ANY user files has not shown to be present.

EDIT: I was just informed that the URL I posted goes to a forum that requires you to log in to view the posts. I have a shortened version of the post at our KB posted here: http://billing.handsonwebhosting.com/knowledgebase.php?action=displayarticle&catid=11&i d=220
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #22  
Old 10-22-2008, 03:45 PM
 
Donster Donster is offline
 

Senior Member
  
Join Date: Aug 2008
Posts: 115
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I went into my DirectAdmin panel. I changed my password in three locations:
1. DirectAdmin Account
2. Main FTP Account
3. Main Database Account

That locked users out of the site. Is that because I should not change the Main Database Account, and if so how would one change that properly?
__________________
X-Cart Gold v4.1.10
Reply With Quote
  #23  
Old 10-22-2008, 03:47 PM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

did you remember to change the database password in the config.php file?
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #24  
Old 10-22-2008, 03:48 PM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Make sure to change the database password in your config.php file.

EDIT: beat me to it Conor
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
Reply With Quote
  #25  
Old 10-22-2008, 03:58 PM
 
Donster Donster is offline
 

Senior Member
  
Join Date: Aug 2008
Posts: 115
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I was not even aware of it being there. New site and x-cart folks installed it. But I opened the file and see where to make the change.

How often should this be done?
__________________
X-Cart Gold v4.1.10
Reply With Quote
  #26  
Old 10-22-2008, 04:00 PM
 
Donster Donster is offline
 

Senior Member
  
Join Date: Aug 2008
Posts: 115
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Y'all can smile cause when I browsed to our site and was locked out I had that "What the F!!!!" response, and corresponding flushed feeling of fear.
__________________
X-Cart Gold v4.1.10
Reply With Quote
  #27  
Old 10-22-2008, 04:00 PM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

It's always a good thing to periodically change your passwords Donster. We deal with digital files so we rotate our passwords once a few weeks for added security.
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
Reply With Quote
  #28  
Old 10-22-2008, 04:05 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

And as a general rule, if you are allowing a third party to access your site, create a temporary account for them and delete it when they are done.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #29  
Old 10-22-2008, 04:42 PM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

finerpeter I just got lucky on the refresh I guess

As for how often to change files - personally, every 90 days. All our servers get passwords changed every 90 days, as do most of the sites I visit. It's too easy to hack passwords (especially ones that a person would make), so use a random password generator to make the passwords. Most passwords for scripts or logins should have a minimum of 8 characters and for added security even 12 or 16.

Just to follow up further on this iFrame issue we have so far scanned 126 of our servers and have not had any other references to the live-counter site. All our servers are scanned by ScanAlert and ControlScan for PCI Compliance, and neither have detected intrusions through the server end of things, so this exploit through iFrame is very VERY odd.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #30  
Old 10-22-2008, 04:50 PM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Yes, Scanalert scans all our servers too and has not picked up anything.

The more I search the more bizare this whole thing looks.
I just finished scanning all 54 servers we have and It has only been a handful of sites affected. Very very odd indeed.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
Reply
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 05:56 PM.

   

 
X-Cart forums © 2001-2020