Warning: Iframe based attacks using stolen FTP access info

EN4U · #**121** 10-24-2008, 01:22 PM

Quote:

Originally Posted by Emerson

that is ok
::1 localhost is for ipv6. Not to worry.

Thank you Emerson, my Jaw dropped when i saw that second line........ I ran full scan with Kaspersky, all appears clear. Then proceeded to change all passwords.

Xcart login
FTP
Cpanel
Client login inforamtion

and added password to admin folder

should I run any other type of scans.... And thanks to all for alerting us on this..and a special thanks to Handson, conor and team as always...

somekindahate · #**122** 10-24-2008, 05:29 PM

Not to be rude as I'm sorry that some people had their X-Cart sites compromised, but I'm somewhat shocked by how many people are using FTP to access their servers in this thread. Is there any reason why you guys are not using SFTP? Most control panels support SFTP and I wouldn't host with a provider who doesn't allow SFTP access. With FTP everything is transferred in plain-text including your password, which is not that great of an idea when running an e-commerce store.

Steven F, one of the co-founders of Panic who make Transmit (FTP/SFTP client for Mac) summed it up well in this blog post:

http://stevenf.com/archive/dont-use-ftp.php

I don't want to be seen as pouring salt into wounds, but I figured this would be a relevant place to bring up this issue.

BCSE · #**123** 10-24-2008, 05:56 PM

Quote:

Originally Posted by somekindahate

Not to be rude as I'm sorry that some people had their X-Cart sites compromised, but I'm somewhat shocked by how many people are using FTP to access their servers in this thread. Is there any reason why you guys are not using SFTP? Most control panels support SFTP and I wouldn't host with a provider who doesn't allow SFTP access. With FTP everything is transferred in plain-text including your password, which is not that great of an idea when running an e-commerce store.

Steven F, one of the co-founders of Panic who make Transmit (FTP/SFTP client for Mac) summed it up well in this blog post:

http://stevenf.com/archive/dont-use-ftp.php

I don't want to be seen as pouring salt into wounds, but I figured this would be a relevant place to bring up this issue.

One of the reasons we do not allow FTP or any kind of non secure connection to our servers (including email connections).

Certainly doesn't guarantee you security, but atleast the traffic on your server can't be "watched" so that someone can get the login info.

Carrie

j0anne04 · #**124** 10-24-2008, 06:17 PM

I have had no issues with my x-cart files recently, however my partner has a small web hosting business where we host websites we make for customers.. about 3 months ago we had the same issue with several of our clients websites which DID NOT contain x-cart, or any e-commerce software.

There was some kind of compromise with the FTP login details, iframes were inserted and infecting anyone who visited the website, but the hacker(s) also went to the extreme of changing the email passwords & ftp/cpanel passwords.

I am going off now to change all my passwords on the server as i would hate to go through all of that again!

thanks everyone for the information you have shared. it's good to have such a fantastic support network here!

photo · #**125** 10-24-2008, 11:53 PM

Has everyone that has been hacked used FTP instead of SFTP?

PuroPlacer · #**126** 10-25-2008, 02:51 PM

Second site/server compromised here now... And that has x-cart on it too. Coincidence? None of the other 17 servers we have at different locations are compromised. None of them have x-cart installed.
Has this really not been solved yet??

PuroPlacer · #**127** 10-25-2008, 03:20 PM

I am also being told that this has not been done through FTP access

Emerson · #**128** 10-25-2008, 03:54 PM

Quote:

Originally Posted by PuroPlacer

I am also being told that this has not been done through FTP access

How did they do it for you and is it the same issues as we are seeing?
The ones we've seen are definitely done via FTP.

PuroPlacer · #**129** 10-25-2008, 04:05 PM

God knows, I got the nightwatch guy, he says the following:

Support: i can not rely on any personal opinion as it would be the huge debate, but following method is most dangerous to use exec, passthru, unescape, base64, eval
Support: i can see many methods used on your sites
Support: also php has developed safe_mode - to prevent such issue, but it has been disabled due to the need of the application

He seems to believe that this is a vulnerability in x-cart... Which would also seem most plausible to me.. Although I am not an expert on this stuff..
There were no logins visible from the other server that had been compromised either a couple days ago

Emerson · #**130** 10-25-2008, 04:11 PM

All access I've seen with this issue it was done via FTP login and it is clear in the logs.

I personally believe this is an aftermath of someone's helpdesk getting hacked into and these logins were obtained that way.

If it was a vulnerability and/or as using insecure FTP(as some have suggested here

) this would have been a much more wide spread issue and would have affected many more sites and not just a handful as we have seen. Also it would have not been limited to just x-cart users which seems to be the case so far.