Warning: Iframe based attacks using stolen FTP access info
#131
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
Well, IF someone's helpdesk has been hacked, it is Qualiteam, as one of these servers' info was ONLY given to them, I can say that with 100% certainty. This issue is related to the X-Cart software, no doubt about that. I am kind of missing info from them here; this is an extremely serious issue, and I would expect them to come in and try to identify the source of the problem. Now.
__________________
PuroPlacer X-Cart version X-Cart Pro 4.1.5
#132
Re: Warning: Iframe based attacks using stolen FTP access info
Last one was live-counter.net and also this one:
http://hosttracker.net/?click=123456
Also, from googling it, it looks like an iframe attack? Google "iframe attacks".
Edit: exploiting the code/PHP I mean? Again, I am not an expert on this.
Also, with FTP access, it seems very strange they have not caused total mayhem,
__________________
PuroPlacer X-Cart version X-Cart Pro 4.1.5
#133
Re: Warning: Iframe based attacks using stolen FTP access info
One thing to consider on how this happened is that someone's computer who has access to these various X-cart sites was infected with a keylogger virus which in turn provided FTP info to many sites. So it wouldn't necessarily have to be a helpdesk intrusion. Could simply be a PC intrusion on a key person or group of people.
We've had one client that we know of that has had this problem, and from our experience with them, there was no evidence of an X-cart vulnerability allowing them in. There was no suspicious activity noted in the HTTP logs. Only activity in the FTP logs. They were also up-to-date on the security patches except for the ones this summer which they had scheduled to do right at the same time this was found. That client also got infected by their *own* site by the keylogger (or possibly they were infected before the attack which provided the FTP information, I don't think we know when they got infected).
Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002! We support X-cart versions 3.x through 5.x! Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more! Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com Please E-Mail us for questions/support!
#134
Re: Warning: Iframe based attacks using stolen FTP access info
Hi Guys.
My store was exploited too. Livecounter and that hostracker was displaying in my Mozilla status bar as my site was loading. My host has been kind enough to check through some of my files and remove the iframe exploit & has changed my cPanel password.
I have scanned my computer here...and it appears that two cookies just won't go away.... "DoubleClick" and "Right Media". I am not game enough to go into my admin or cPanel for fear of them tracking me on my computer. I'm not too tech savvy...and I'm sitting here like a stunned mullet not knowing where or what to do next...actually I could cry...
The worst bit was that when I was seeing this load in the browser status bar, I got an email from a client, whose virus scanner detected something on my site. He was quick to mention the following: "I am an experienced IT professional and wanted to let you know (just in case you don't) that your website contains malicious software which is trying to breach our computer via port 50244 each time we click on a link." So a very embarrassing experience from my perspective.
I would be so grateful of any help. Thanks guys.
__________________
Sunset X-Cart Gold v4.1.8
#135
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
You may want to give Spyware Detector a try. We use it on all the computers connected to our network along with other firewall/virus software.
#136
Re: Warning: Iframe based attacks using stolen FTP access info
Hiya Photo - thanks very much for that. I shall do it right now. cheers.
__________________
Sunset X-Cart Gold v4.1.8
#137
Re: Warning: Iframe based attacks using stolen FTP access info
Just to add my 3 pennorth..
I couldn't log into c-panel last Friday or upload via FTP. It turned out my password had been changed (not by me and no one else here has access). The weird thing is that the password was changed to the same password I use to log into Admin. How / why would that happen?
__________________
X-Cart Gold v 4.3.2 X-AOM, Marketing Manager, On Sale
#138
Re: Warning: Iframe based attacks using stolen FTP access info
Ok, I have an update too. Have installed Logwatch on my server. Seems they have not given up, I have had the following attempts again:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:41.232.71.219 user=discworld: 8 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:41.232.243.187 user=discworld: 4 Time(s)
And this is every day so far from the same IPs.
__________________
X-Cart version 4.1.3 Blank DVD Blank Cd Blank Media Dvd Case http://www.discworlduk.co.uk
#139
Re: Warning: Iframe based attacks using stolen FTP access info
Hi,
My 2 cents.
Quote:
Actually it is safe to use exec/passthru/base64/eval functions. It isn't necessary to enable PHP's safe_mode option. But it isn't necessary to enable it and is safe to use these functions, only if your host is good and secure. So a good host doesn't disable the 'base64' function. A good host just makes a secure environment in order to prevent hackers' attacks. If a host thinks "Hackers use base64 function in their PHP remote shells, let's disable this function!", it looks like "People can kill using knives, let's forbid knives!" :-)
Quote from http://www.mediawiki.org/wiki/Safe_mode :
Quote:
-----
Quote:
Some facts.
1. Some X-Cart stores didn't post access info to the HelpDesk ever and they were hacked.
2. Not only X-Cart sites were hacked. See some links to the phpBB and webmasterworld forums. Also:
* http://webhostplanet.org/please-help-about-this-iframe-wierd-iframe-live-counternet-hosttrackernet/
* http://www.vbulletinsetup.org/wordpress-isssue/
Why were many X-Cart sites (>10 sites) hacked? I have two ideas:
* because we have many clients, statistically some of them caught the virus that steals FTP passwords
* somehow a 3rd-party developer caught the virus and all his clients were hacked.
-----
Dear recommended hosting providers, Emerson, Conor and others. I suggest implementing the following modification on your and our servers.
1. A special shell script will parse all FTP logs every day.
2. If the script finds many uploads of 'index.php, index.html, main.php, default.php' files from one IP, this script will send an email to the server administrator and add this IP to the firewall.
3. We will have a special thread on this forum where we will be able to post such suspicious IPs for others to ban these IPs as well.
What do you think?
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
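The daily FTP-log check proposed in post #139, sketched as an added example (not code from the thread or from X-Cart). It assumes the FTP server writes the standard xferlog format; the function names, the threshold and the sample log lines are constructed for illustration, and the script only reports IPs, leaving mail and firewall actions to the administrator.

```shell
#!/bin/sh
# Added example: report IPs that upload many site entry-point files.
# Assumed xferlog field layout: $7 = remote host, $9 = filename,
# $12 = direction (i = upload), $18 = completion status (c = complete).

# Hypothetical helper: print "ip count" for each IP at or above the threshold.
suspicious_uploaders() {
    log_file=$1
    threshold=${2:-3}
    awk -v min="$threshold" '
        BEGIN {
            # File names listed in the forum post.
            split("index.php index.html main.php default.php", t, " ")
            for (i in t) watch[t[i]] = 1
        }
        $12 == "i" && $18 == "c" {
            n = split($9, parts, "/")        # keep only the base name
            name = tolower(parts[n])
            if (name in watch) hits[$7]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$log_file" | sort
}

# Constructed sample log (documentation-range IPs, made-up accounts).
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Sep 14 03:12:01 2009 1 198.51.100.23 4312 /home/shop1/public_html/index.php a _ i r shop1 ftp 0 * c
Mon Sep 14 03:12:02 2009 1 198.51.100.23 2890 /home/shop1/public_html/admin/index.php a _ i r shop1 ftp 0 * c
Mon Sep 14 03:12:03 2009 1 198.51.100.23 1022 /home/shop1/public_html/main.php a _ i r shop1 ftp 0 * c
Mon Sep 14 03:12:04 2009 1 198.51.100.23 977 /home/shop2/public_html/default.php a _ i r shop2 ftp 0 * c
Mon Sep 14 09:40:10 2009 2 192.0.2.10 51200 /home/shop1/public_html/images/logo.png b _ i r shop1 ftp 0 * c
Mon Sep 14 09:41:00 2009 1 192.0.2.10 4312 /home/shop1/public_html/index.php a _ i r shop1 ftp 0 * c
Mon Sep 14 10:00:00 2009 1 192.0.2.77 4312 /home/shop1/public_html/index.php a _ o r shop1 ftp 0 * c
EOF
}

# Demo run: the bulk uploader is reported, the single edit and the download are not.
demo_log=$(mktemp)
write_sample_log "$demo_log"
suspicious_uploaders "$demo_log" 3
rm -f "$demo_log"
```

A single legitimate deploy can also touch several index files, so the threshold and any allow-list of known office IPs need tuning per server before the output drives a firewall rule.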
#140
Re: Warning: Iframe based attacks using stolen FTP access info
Also this X-Cart tool will help you to find out if your PHP scripts or templates are modified by hackers: http://www.x-cart.com/xcart_manual/online/?system_fingerprints.htm
If you see that some templates are modified and you didn't touch them -- it is time to check these files.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
X-Cart forums © 2001-2020