 

Warning: Iframe based attacks using stolen FTP access info

 
  #191  
Old 11-03-2008, 07:56 AM
 
TWS Accessories TWS Accessories is offline
 

eXpert
  
Join Date: Sep 2004
Posts: 236
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by gb2world
When you say WHM - I am not sure if you are including your database passwords. If not - it is advisable to change those as well. Your config.php file has your db passwords in it and if someone had access to your site - they could have picked them up.

There have been no database exploits reported in this thread, but best to be safe.

It is really not advisable to go through your files one by one. Not only is it time consuming - it is inefficient. You could miss something. Talk to your host about the scripts in post 64 + the added advice in post 143. Also, send the last bit of advice (after "Dear recommended hosting providers") from Ene in post 139 to your hosting provider and see if they can implement that.


I have my web guy looking into this for me. So far no repeat attacks, I've changed all passwords so far. WHM is the software that controls the server. I run my own.
  #192  
Old 11-10-2008, 01:36 PM
 
gennarof gennarof is offline
 

Advanced Member
  
Join Date: Feb 2008
Posts: 46
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

The files on my server that were hacked in this way were limited to the mm_ bla bla bla.php files associated with firetank software. Cleaned the files many times and replaced them on the server and everything would run fine for a while then bam... Same text added to end of file echo ..... bla bla bla.. then firetank Marketing Manager software wouldn't run without errors attributable to the two hacked files. Each time I cleaned the files marketing manager would run for a while then give me an error message.
Bear in mind that I almost always use CoreFTP lite to FTP up to my server.

Here is how I solved my problem.

Scanned server, found no trojans, no viruses.

Scanned PC hard drive, picked up a few small files with adware, no viruses.

Changed FTP passwords. FTP'd to site, cleaned two files, ran marketing manager on and off for about 20 min.... then problem returned..

Did this same thing four or five more times with very similar experience. Only the last time I did this I got an error message while FTP'd to the server.. The message looked to me to be partly in an Asian language. Strange to me so I repaired the files again and everything worked ok for a while then hacked file again.

As I said before, Normally I used CoreFTP lite to ftp up to the server.

What I did to edit the bad line of code from the two hacked files was ftp'd up to the server using WS_FTP Pro. Ran marketing manager software multiple times for most of the day no problems..

Signed on to the server with CoreFTP lite, searched a few directories and about 10 min later ran Marketing manager software and it was corrupt. Closed CoreFTP lite and went back up to server using WS_FTP Pro, edited bad lines of code out of two files, saved them and then exited.

Since I have not used CoreFTP lite, the marketing manager software has run flawlessly.

SO FOR THOSE THAT HAVE THE PROBLEM IT MAY BE COMING FROM THE FTP CLIENT YOU ARE USING.. IF IT IS CoreFTP lite I can almost assure you that it is the problem. I am still running the firetank software and have not had a repeat of the problem since I have not invoked CoreFTP lite. So for me it seems that whatever is hacking my files is doing it through the FTP client CoreFTP lite only when I load the software to FTP up to the server. It is not happening with WS_FTP Pro.

Hope this helps some of you...
__________________
Ver 4.1.9
  #193  
Old 11-10-2008, 06:16 PM
  DogByteMan's Avatar 
DogByteMan DogByteMan is offline
 

X-Adept
  
Join Date: Mar 2003
Posts: 833
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

WOW!!! Like I didn't even know this was going on until now..... Ahhhhh it's nice to have Emerson watching my back. Best #@%^ host I ever had.
__________________
Dedicated Server provided by EWD Hosting
X-Cart version 4.1.12
PHP 5.3.2
MySQL server 5.0.87-community
Operation system Linux
Perl 5.008008
dogbytecomputer.com
  #194  
Old 11-10-2008, 08:45 PM
  BCSE's Avatar 
BCSE BCSE is offline
 

X-Guru
  
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 3,091
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

My client that wants to remain anonymous wants this posted just for everyone's information.
Quote:
Two weeks ago, a Google search for live-counter.net yielded only four links. Today, that same search links to 269 references for live-counter.net, most websites that appear to be infected with the iframe command.

I would have to agree with this observation. When this first came out, only a few sites showed up in Google as being infected and having this code embedded and now it is a significant amount more.

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!
  #195  
Old 11-12-2008, 11:16 AM
 
sandyscloset sandyscloset is offline
 

Advanced Member
  
Join Date: Jun 2007
Posts: 43
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Our hack was discovered today by a friend who was surfing using Google's Chrome browser. A warning came up on his screen that our site was infected with hosttracker.net malware so he emailed me. I contacted EWD Hosting and Emerson did his usual exceptionally efficient job of confirming the problem then sanitizing the site. We have changed our FTP password. So this is still an ongoing problem.
__________________
www.sandyscloset.net/home.php/Gold
xcart gold - 4.1.10
X-AOM, DSEFU, X-cart Site map, Firetank's Featured Product Manager and Feedmanager Bundle, BCSEnginneering Product Meta Tags Plus, Category Meta Title Control, Static Page Meta Tag Control, and Variant Modifier,

Hosting by EWD Hosting
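
Added example, not part of any poster's message or of X-Cart's code: a Python check that walks a web root for the symptoms reported in posts #192 to #195 (markup appended to the end of files, iframe code, and the two domains the posters name). The hidden-frame heuristic, the file extensions, the file names and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Domains named by posters in this thread; extend with your own indicators.
WATCH_DOMAINS = ("live-counter.net", "hosttracker.net")
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".tpl", ".js")  # assumed set

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Assumption: injected frames are made invisible (0/1 pixel or hidden by style).
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)

def scan_text(text):
    """Return a sorted list of reasons this file content looks injected."""
    reasons = set()
    lowered = text.lower()
    reasons.update("domain:" + d for d in WATCH_DOMAINS if d in lowered)
    if any(HIDDEN_RE.search(tag) for tag in IFRAME_RE.findall(text)):
        reasons.add("hidden-iframe")
    # Frame markup appended after the page's closing tag (end-of-file injection).
    end = lowered.rfind("</html>")
    if end != -1 and "<iframe" in lowered[end:]:
        reasons.add("iframe-after-</html>")
    return sorted(reasons)

def scan_tree(root):
    """Walk a web root; map relative path -> reasons for each flagged file."""
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTENSIONS:
            reasons = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if reasons:
                flagged[str(path.relative_to(root))] = reasons
    return flagged

def demo():
    """Scan a constructed two-file web root (sample content, not real malware)."""
    clean = "<html><body><?php echo 'ok'; ?></body></html>\n"
    infected = clean + ("<?php echo '<iframe src=\"http://live-counter.net/x\" "
                        "width=1 height=1></iframe>'; ?>\n")
    with tempfile.TemporaryDirectory() as root:
        Path(root, "home.php").write_text(clean, encoding="utf-8")
        Path(root, "mm_sample.php").write_text(infected, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A flagged file is a lead for manual review and comparison against a known-good copy; a clean result does not rule out other modifications.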
  #196  
Old 11-12-2008, 04:12 PM
 
Acquamarina Acquamarina is offline
 

X-Adept
  
Join Date: Aug 2006
Location: USA
Posts: 811
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi,
My site was infected a few weeks back. Emerson took care of it (can't thank him enough). It was a surprise for me as I have all security programs up to date and am very careful. I also run scans all the time. Today I received an update from Windows and when I rebooted the computer, the following link was on the "Malicious Software Removal for Windows"

http://www.microsoft.com/security/portal/Entry.aspx?name=Backdoor%3aWin32%2fHaxdoor

My up to date expensive virus protection failed to protect my pc and to discover this problem after several upgrades and scans. I urge everyone on a PC with Windows to download this latest upgrade from Microsoft.
__________________
Vera B
4.4.5
CFLSystems.com mods, Kosmos eBay Integration, Feed Manager Pro, custom mods, BCSEngineering Mods, CDSEO PRO
Hosting by EWDHosting - The best home for your x-cart.
  #197  
Old 11-13-2008, 01:14 AM
  pauldodman's Avatar 
pauldodman pauldodman is offline
 

X-Guru
  
Join Date: Jul 2003
Location: Spain / UK
Posts: 3,062
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi Sandyscloset

Can you confirm that the hack itself is new, or just the discovery? Did Emerson say when the files had been hacked at all? Just wondering (hoping) that it's been there a while and has only just been discovered.
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
  #198  
Old 11-13-2008, 02:31 AM
 
sandyscloset sandyscloset is offline
 

Advanced Member
  
Join Date: Jun 2007
Posts: 43
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi Pauldodman, the discovery was new. Emerson didn't say when the hack occurred but he's welcome to post here any details as he knows them. Whatever can help others is fine with me. Emerson?
__________________
www.sandyscloset.net/home.php/Gold
xcart gold - 4.1.10
X-AOM, DSEFU, X-cart Site map, Firetank's Featured Product Manager and Feedmanager Bundle, BCSEnginneering Product Meta Tags Plus, Category Meta Title Control, Static Page Meta Tag Control, and Variant Modifier,

Hosting by EWD Hosting
  #199  
Old 11-18-2008, 11:00 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Just read this thread over in the LC forums - appears the Qualiteam logins were compromised there. Still wonder exactly what was compromised over there and if that had anything to do with this issue?

http://forum.x-cart.com/showthread.php?t=41296
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #200  
Old 11-18-2008, 11:19 AM
  Jon's Avatar 
Jon Jon is offline
 

X-Guru
  
Join Date: Oct 2002
Location: Vancouver, Canada
Posts: 4,200
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

My assumption based on limited knowledge is that the x-cart staff are using the same logins on each store. Somebody who had work done on their store could decrypt the password x-cart is using to access their store, and subsequently use it on the sites of others.
All times are GMT -8.

   

 
X-Cart forums © 2001-2020