 

Warning: Iframe based attacks using stolen FTP access info

 
  #151  
Old 10-27-2008, 03:50 PM
 
manolodf manolodf is offline
 

Advanced Member
  
Join Date: Jun 2003
Posts: 50
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Good point as well. Perhaps one of the recommended hosts or Qualiteam care to gather information?
  #152  
Old 10-27-2008, 03:53 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Yea, the last thing we need here is a witch hunt. I highly doubt this was on purpose, and the person who started this whole thing may not even know they did.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #153  
Old 10-27-2008, 07:25 PM
Jon Jon is offline
 

X-Guru
  
Join Date: Oct 2002
Location: Vancouver, Canada
Posts: 4,200
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Agreed that we don't want a witch hunt and don't want to target somebody for the purpose of reprimanding, but if there is a hole it needs plugging!
  #154  
Old 10-28-2008, 02:24 AM
 
RealCarAudio RealCarAudio is offline
 

Member
  
Join Date: Oct 2008
Posts: 14
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

If anybody has php.ini files on their account you may want to make sure these were not changed. I recall my client's php.ini file being changed but cannot remember exactly what the change was that they made.

Also, as I stated before, please make sure your webhost scans files that are in your directories that are located before public_html, as I know when my client got hacked, they placed the iframes also in their stat programs' pages.

These are usually located in the /home/yourusername/tmp/ directories.
__________________
Thank You,
RealCarAudio

X-Cart Gold ver 4.1.11
  #155  
Old 10-28-2008, 06:37 AM
pauldodman pauldodman is offline
 

X-Guru
  
Join Date: Jul 2003
Location: Spain / UK
Posts: 3,060
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I was speaking to Clook about it - they found this:

How it's done
This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s) and moves on. If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account FTP pass, whatever permissions your folders and files are set to make no difference.
After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000 dollars, the Russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!

This way this hack is spreading fast from one computer to another, broadcasting the passwords to hackers. During my research in this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root login details in Google.
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
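
An added example, not code from any poster in this thread: one way to run the checks described in posts #154 and #155, walking the whole account (including directories outside public_html such as tmp/) for hidden iframes and listing php.ini files changed recently. The function names, the extension list, the 30-day window and the definition of "hidden" (0/1-pixel or invisible styling) are assumptions; the sample tree is constructed.

```python
import re
import tempfile
import time
from pathlib import Path

# Assumption: "hidden" means a 0/1-pixel frame or one styled invisible.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    r"(?<![-\w])(?:width|height)\s*[=:]\s*[\"']?\s*[01](?:px)?\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
PAGE_EXT = (".php", ".html", ".htm", ".tpl", ".js")

def hidden_iframes(text):
    """Return the iframe tags in text that are sized or styled to be invisible."""
    return [m.group(0) for m in IFRAME.finditer(text) if HIDDEN.search(m.group(0))]

def scan_account(home, changed_within_days=30):
    """Return (pages with hidden iframes, recently modified php.ini files)."""
    cutoff = time.time() - changed_within_days * 86400
    pages, inis = [], []
    for path in sorted(Path(home).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(home).as_posix()
        if path.name.lower() == "php.ini":
            if path.stat().st_mtime >= cutoff:
                inis.append(rel)
        elif path.suffix.lower() in PAGE_EXT:
            if hidden_iframes(path.read_text(encoding="utf-8", errors="replace")):
                pages.append(rel)
    return pages, inis

def demo():
    """Scan a constructed account tree (sample data, not taken from the thread)."""
    bad = '<iframe src="http://placeholder.invalid/" width="0" height="0"></iframe>'
    tree = {
        "public_html/index.php": "<html><body>shop" + bad + "</body></html>",
        "public_html/about.html": '<iframe src="/map.html" width="600" height="400"></iframe>',
        "tmp/stats/index.html": "<html>stats</html>" + bad,
        "public_html/php.ini": "memory_limit = 64M\n",
    }
    with tempfile.TemporaryDirectory() as home:
        for rel, body in tree.items():
            target = Path(home, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_account(home)
```

A php.ini that does not show up only has an old modification time; comparing it against a known-good copy is the stronger check.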
  #156  
Old 10-28-2008, 07:44 AM
photo photo is offline
 

X-Wizard
  
Join Date: Feb 2006
Location: UK
Posts: 1,146
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by pauldodman
If the innocent visitor has an ftp or root password for any internet sites,

Are you talking about passwords that are saved in your browser?
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
  #157  
Old 10-28-2008, 07:48 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Saved in your FTP software?
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #158  
Old 10-28-2008, 07:52 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

If it is a keylogger the password does not have to be saved.
A keylogger does just that, logs your keystrokes, so as you are typing everything is being logged then sent to its destination (the hacker).
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
  #159  
Old 10-28-2008, 10:35 AM
pauldodman pauldodman is offline
 

X-Guru
  
Join Date: Jul 2003
Location: Spain / UK
Posts: 3,060
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I didn't actually write that info - I'm just pasting what I was sent - and I'm thinking that Clook got that from somewhere else too.
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
  #160  
Old 10-28-2008, 12:20 PM
 
TWS Accessories TWS Accessories is offline
 

eXpert
  
Join Date: Sep 2004
Posts: 236
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hello,

Several of my sites have been hacked. What do I do? Is this something you guys can help with? I am not sure what the severity is but I just found out because the hack has loaded these two bits of code into a few noticeable files and has uploaded this page onto my site REMOVED

They have installed this bit of code:

REMOVED BY MOD

Can you help? What do I do?
All times are GMT -8.