Warning: Iframe based attacks using stolen FTP access info
#211
Re: Warning: Iframe based attacks using stolen FTP access info
My site does not seem to be infected but when I scanned it for "iframe" it came up with 2 files with the term iframe in them.
payment\cc_eselect.func.php
    {
    $r['no_iframe'] = 'Y';
    $r['form_url'] = $acsurl;
    $r['form_data'] = array(
    "PaReq" => $pareq,
    "MD" =>
main\category_selector.tpl
    var layer = document.getElementById('iframe');
    setTimeout("hideTitle('iframe');", 3000);
No files contained live-counter or hosttracker. Is this a problem or is this standard code?
www.seashellshack.com
I am currently building the site and a couple of days ago as I was loading xcseo I got a 505 server error and the log files showed some different sites including one in Arabic. I deleted everything and started over and it went away.
__________________
4.1.11
#212
Re: Warning: Iframe based attacks using stolen FTP access info
This is standard code of a payment gateway integration module.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#213
Re: Warning: Iframe based attacks using stolen FTP access info
Thank you.
__________________
4.1.11
#214
Re: Warning: Iframe based attacks using stolen FTP access info
Hello Folks,
Just wanted to add a new report here to this thread. We just discovered a website on one of our servers running version 4.1.5 of X-Cart Gold that has been exploited and used for a mass mailing campaign. The script attempted to send more than 3500 messages in the course of 30 minutes when our system admins noticed the issue and shut down the site.
On further review of the site we found an iFrame code linking to "traffone.cn/in.cgi?27" which, after looking through Google just for "traffone.cn", we find a number of websites that were also exploited with the same code. I have not clicked the links in Google as it is not clear if X-Cart was scanning code, or if it was reports on websites with that link.
Either way, just wanted to comment that we have had another incident on our network with file dates of 00:43am CDT on 11/27/2008. Execution of the mass mailing was not run until today (11/28/2008) at approx 10:30pm CDT.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#215
Re: Warning: Iframe based attacks using stolen FTP access info
Conor, thank you for reporting this. I viewed Google search results for "traffone.cn/in.cgi?27" in brief without actually clicking on the links provided (just read search descriptions in Google's SERP for that phrase) and I could notice that various web-sites on different platforms were hacked. Also, there were several links to topics at discussion forums devoted to other e-commerce and CMS platforms. This confirms that the reason is not in our HelpDesk or in our software products. Taking into account all of the above, it can be either a trojan in some FTP client software, a keylogger trojan or (which is worse, I believe) an unknown security hole in some web-server software which "usage" grants appropriate rights to change files on the file system of a server. Unfortunately, I couldn't find any description of a solution for this problem yet.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#216
Re: Warning: Iframe based attacks using stolen FTP access info
If you have access to your full Apache configuration and are running Apache >= 2.0 (which you should be; security-wise it is unsafe to be running 1.3), then you can use the following, done by the Prometheus Group, that filters out all iframe tags from pages as they are delivered:
Note: This requires mod_ext_filter to work, so ensure that you have it available to you and enabled in your configuration, otherwise this will not work.
http://www.gotroot.com/downloads/ftp/iframe/
#217
Re: Warning: Iframe based attacks using stolen FTP access info
This would break many mods by firetank as I believe they use iframes.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#218
Re: Warning: Iframe based attacks using stolen FTP access info
Ah that could be a problem then (we don't use anything using iframes for various usability reasons).
#219
Re: Warning: Iframe based attacks using stolen FTP access info
Yup, that was the first thing I wanted to do (disable iframes) when this started happening, but it would break too many things unfortunately.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#220
Re: Warning: Iframe based attacks using stolen FTP access info
From what I can make out of the txt file, it'll strip out any hidden iframes: those with 0 width and/or height or with the "hidden" attribute.
Would that then affect Firetank mods? Anything visible, and therefore possibly genuine, would be ok.
__________________
Paul Dodman e-business & m-commerce consultant w: www.luminointernet.com e: xcart@luminointernet.com Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
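The hidden-iframe rule described in post #220 (zero width and/or height, or a "hidden" attribute), written as a file scanner in Python. This is an added example, not code from the thread or from the linked filter. It reports only hidden `<iframe>` tags, so plain occurrences of the word "iframe" such as the two hits in post #211 are not flagged. The sample file contents, the `injected.example` host and the treatment of `visibility:hidden` / `display:none` styles as "hidden" are assumptions.

```python
import re

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")
ZERO = re.compile(r"0+(\.0+)?(px|%)?")

def parse_attrs(tag):
    """Return {name: value} for one <iframe ...> tag; bare attributes map to ''."""
    attrs = {}
    for m in ATTR.finditer(tag[len("<iframe"):].rstrip(">/ ")):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs[m.group(1).lower()] = value.strip()
    return attrs

def hidden_reasons(attrs):
    """Apply the rule from post #220: zero width/height or a hidden marker."""
    reasons = [f"{dim}=0" for dim in ("width", "height")
               if ZERO.fullmatch(attrs.get(dim, "").lower())]
    # Assumption: CSS visibility:hidden / display:none also count as "hidden".
    style = attrs.get("style", "").replace(" ", "").lower()
    if "hidden" in attrs or "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden")
    return reasons

def scan(name, text):
    """Return (file, line, src, reasons) for every hidden iframe tag in text."""
    findings = []
    for m in IFRAME_TAG.finditer(text):
        attrs = parse_attrs(m.group(0))
        reasons = hidden_reasons(attrs)
        if reasons:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, attrs.get("src", ""), reasons))
    return findings

# Constructed samples: the first two repeat the snippets quoted in post #211,
# the last two are made up (injected.example is a placeholder host).
SAMPLES = {
    "payment/cc_eselect.func.php": "$r['no_iframe'] = 'Y';\n$r['form_url'] = $acsurl;\n",
    "main/category_selector.tpl": "var layer = document.getElementById('iframe');\n",
    "mods/visible_widget.tpl": '<iframe src="/widget.php" width="400" height="300"></iframe>\n',
    "index.php": '<?php echo "ok"; ?>\n<iframe src="http://injected.example/in.cgi" '
                 'width=0 height=0 style="visibility: hidden"></iframe>\n',
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        for hit in scan(fname, body):
            print(hit)
```

Only the constructed `index.php` sample is reported; the visible iframe and the two files from post #211 pass clean.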
X-Cart forums © 2001-2020