Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

Warning: Iframe based attacks using stolen FTP access info

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #211  
Old 11-20-2008, 06:31 AM
 
shellshack shellshack is offline
 

Member
  
Join Date: Oct 2008
Posts: 15
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

My site does not seem to be infected but when I scanned it for "iframe" it came up with 2 files with the term iframe in them.

payment\cc_eselect.func.php

{ $r['no_iframe'] = 'Y'; $r['form_url'] = $acsurl; $r['form_data'] = array( "PaReq" => $pareq, "MD" =>


main\category_selector.tpl

var layer = document.getElementById('iframe');
setTimeout("hideTitle('iframe');", 3000);

No files contained live-counter or hosttracker. Is this a problem or is this standard code.

www.seashellshack.com

I am currently building the site and a couple of days ago as I was loading xcseo I got a 505 server error and the log files showed some different sites including one in Arabic. I deleted everything and started over and it went away.
__________________
4.1.11
Reply With Quote
  #212  
Old 11-20-2008, 10:20 PM
  ambal's Avatar 
ambal ambal is online now
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,126
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by shellshack
...
Is this a problem or is this standard code.
...

This is standard code of a payment gateway integration module.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #213  
Old 11-21-2008, 05:08 AM
 
shellshack shellshack is offline
 

Member
  
Join Date: Oct 2008
Posts: 15
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Thank you.
__________________
4.1.11
Reply With Quote
  #214  
Old 11-28-2008, 08:17 PM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hello Folks,

Just wanted to add a new report here to this thread. We just discovered a website on one of ourservers running version 4.1.5 of X-Cart Gold that has been exploited and used for a mass mailing campaign. The script attempted to send more than 3500 messages in the course of 30 minutes when our system admins noticed the issue and shut down the site.

On further review of the site we found an iFrame code linking to "traffone.cn/in.cgi?27" which, after looking through google just for "traffone.cn" we find a number of websites that were also exploited with the same code. I have not clicked the links in google as it is not clear if x-cart was scanning code, or if it was reports on websites with that link.

Either way, just wanted to comment that we have had another incident on our network with file dates of 00:43am CDT on 11/27/2008. Execution of the mass mailing was not run until today (11/28/200 at approx 10:30pm CDT.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #215  
Old 11-30-2008, 10:19 PM
  ambal's Avatar 
ambal ambal is online now
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,126
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by handsonwebhosting
On further review of the site we found an iFrame code linking to "traffone.cn/in.cgi?27" which, after looking through google just for "traffone.cn" we find a number of websites that were also exploited with the same code. I have not clicked the links in google as it is not clear if x-cart was scanning code, or if it was reports on websites with that link.

Conor, thank you for reporting this. I viewed google search results for "traffone.cn/in.cgi?27" in brief without actual clicking on links provided (just read search descriptions in Google's SERP for that phrase) and I could notice that various web-sites on different platforms were hacked. Also, there were several links to topics at discussions forums devoted to other e-commerce and CMS platforms. This confirms that the reason is not in our HelpDesk or in our software products. Taking in account all of the above it can be either a trojan in some FTP client software, a keylogger trojan or (which is worse I believe) an unknown security hole in some web-server software which "usage" grants appropriate rights to change files on file system of a server. Unfortunately, I couldn't find any description of a solution for this problem yet.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #216  
Old 12-01-2008, 04:09 AM
 
exsecror exsecror is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,284
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

If you have access to your full Apache configuration, and are running Apache >= 2.0 (which you should be, security wise it is unsafe to be running 1.3). Then you can use the following done by the Prometheus Group that filters out all iframe tags from pages as they are delivered:

Note: This requires mod_ext_filter to work so ensure that you have it available to you and enabled in your configuration otherwise this will not work.

http://www.gotroot.com/downloads/ftp/iframe/
Reply With Quote
  #217  
Old 12-01-2008, 05:14 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

This would break many mods by firetank as I believe they use iframes.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #218  
Old 12-01-2008, 06:34 AM
 
exsecror exsecror is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,284
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Emerson
This would break many mods by firetank as I believe they use iframes.

Ah that could be a problem then (we don't use anything using iframes for various usability reasons).
Reply With Quote
  #219  
Old 12-01-2008, 07:31 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Yup, that was the first thing I wanted to do(disable iframes) when this started happening but it would break too many things unfortunately
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #220  
Old 12-01-2008, 07:38 AM
  pauldodman's Avatar 
pauldodman pauldodman is offline
 

X-Guru
  
Join Date: Jul 2003
Location: Spain / UK
Posts: 3,060
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

From what I can make out of the txt file, it'll strip out any hidden iframes those with 0 width and/or height or with the "hidden" attribute.
Would that then affect Firetank mods? Anything visible, and therefore possibly genuine, would be ok.
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
Reply With Quote
Reply
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:38 PM.

   

 
X-Cart forums © 2001-2020