Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

Warning: Iframe based attacks using stolen FTP access info

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #241  
Old 05-25-2009, 07:28 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

The ones that we saw were not FTP related. They were script related. Older outdated scripts, forum scripts, blogs, older versions of X-Cart etc etc. It was not a compromise of the client's passwords or FTP, from what we've seen it's strictly program/script related.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #242  
Old 05-25-2009, 07:55 AM
 
TA TA is offline
 

eXpert
  
Join Date: Apr 2006
Posts: 303
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Thank you Conor. The early IFrames attacks were breeches in FTP using username and password. We have disabled FTP access due to being hacked this way.
__________________
v4.7.12
v5.4.x (In Dev)
Reply With Quote
  #243  
Old 05-26-2009, 09:32 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

We actually never had any of our IFRAME attacks done through the FTP - they were all script exploits. Will have to keep an eye out for some of that I guess - haven't seen anything done that way as of yet anyway.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #244  
Old 05-26-2009, 02:35 PM
  WESH(UK)'s Avatar 
WESH(UK) WESH(UK) is offline
 

Member
  
Join Date: May 2006
Location: London-UK
Posts: 26
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

We have seen a bunch if IFrame attacks but these were all done via an FTP exploit, and happened to one customer of ours who builds x-cart based websites, and it happened to every store they built, all in the space of 1 day.

We had to secure their hosting accounts then remote desktop into the customers computers and remove the viruses on their PC's which were uploading viruses and other nasties using any FTP connection found on the PC's.

Was a nightmare for them to have every store compromised in 1 day, but its times like that, regular offsite backups come in really handy!
__________________
Richard Wraith
WESH UK Hosting
Tel: 0800 5 999 404
Web: http://wesh.uk
====================
UK Web Hosting with cPanel
===========================
FREE I.T SUPPORT & REMOTE DESKTOP
===========================
Reply With Quote
  #245  
Old 07-08-2009, 07:30 AM
 
chilll33 chilll33 is offline
 

Senior Member
  
Join Date: Oct 2003
Location: Miami, FL
Posts: 100
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I was hacked on 7/6/09, all my index.php, home.php were changed, my site is new, so it was easier to spot the files changed since I did not work on them that day. I also discover there was a virus in my PC which was not picked up by the antivirus, but was able to remove with AVG anti-rootkit.

The virus was not in my system no longer than 2 days.

I believe this virus is related to this issue since my computer was having problems around this date.

the files picked up:

Path: C:\Windows\System32\drivers\MSIVXjoevvtideftywmffu mitipxlcpgecuyf.sys Description: Hidden driver filePath: C:\Windows\System32\drivers\MSIVXjoevvtideftywmffu mitipxlcpgecuyf.sys Description: Hidden FilePath: C:\Windows\System32\MSIVXcount Description: Hidden FilePath: C:\Windows\System32\MSIVXcsiowexpxmydnbpnyqjcobywt myuytne.dll Description: Hidden FilePath: C:\Windows\System32\MSIVXcwdnrvsthgsiolbctqqomernh exsgpcj.dll Description: Hidden File

you might also find a folder c:\program files\sys\
__________________
Core version:
5.3.2.7

PHP:
5.6.29
MySQL server:
5.5.5-10.0.27-MariaDB-cll-lve  (InnoDB engine support enabled)
Web server:
Apache
Operating system:
Linux
XML parser:
found
GDLib:
found (0)
Translation driver:
Database
Curl version:
7.29.0
Reply With Quote
  #246  
Old 07-15-2009, 06:10 AM
 
soleiletlune soleiletlune is offline
 

Newbie
  
Join Date: May 2007
Posts: 7
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Add me to the list. We got hacked.

So, my question is this...

How do I fix it? I examined all the files in the entire site named "home" or "index" and removed the <iframe> lines from the files and then uploaded them again. However, there is still a page affected somewhere. The only place I am having a problem is on my admin/home.php page. When I view the page source through a browser I still see the <iframe> line. I can't find any files that still have that line in it though.

Can anyone tell me what specific files I should be looking for?
__________________
Version 4.0.19
Reply With Quote
  #247  
Old 07-16-2009, 03:25 PM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

You may want to download all the files on your site, and use a search tool to find any references to "iframe" or the URL that they're pointing/pulling from.

Also, depending on your host, they should be able to run this query quickly for you. We've done it a number of times for our customers and we ran routine checks on our servers for the exploits as they came up. Contact your host, they should be able to tell you what file it's located in.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #248  
Old 07-16-2009, 04:52 PM
 
archer archer is offline
 

Newbie
  
Join Date: Oct 2007
Posts: 7
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

On the store I set up for a friend of mine,,lately Ive been seeing 1 person off and on with the same first and last name I checked the log in to check each person out and it was just a bunch of junk entererd in for city,state,email, phone etc,I got their ip addresses and went in to Cpanel and banned the ip address for each one {5 total},,,each address is different and when I did a trace route one was from Ca, one from RU and one from Latvia,,,these people had gone into the store and were sitting in the gift certicate php, not sure if anything was going on but the store is running the same. One name was SConcucculp, another was igeieqfjqf909 and another was xrumer
__________________
Ken
version 4.1.8
http://www.slidediver.com
Reply With Quote
  #249  
Old 08-07-2009, 03:22 AM
 
a1akane a1akane is offline
 

Newbie
  
Join Date: Sep 2008
Posts: 6
 

Unhappy Re: Warning: Iframe based attacks using stolen FTP access info

Hi all,
Has any solution ever been found to this iframe attack?
We recently had our site attacked as our Web Designer's PC had all his ftp contacts stolen via what he has been told was the 'Gumbler' Virus.
The site was restored from the Host, but it has gone down again with the same attack for the 3rd time today in week.
The iframe code that has been added is:

(iframe src="h-t-t-p-:-/-/-spzr.in:8-0-8-0/index.p-h-p" width=140 height=139 style="visibility: hidden")(/iframe)

(I've changed the code slightly using () and - just incase this post gets infected!!!

We use the recent version of LiteCommerce and our host isn't being much use (we use Provider One here in the UK) claiming that the virus/attack is still coming from the Designer's PC (he is now moved to a Mac so we're sure it's not him!!)

Can anyone shed some light?
__________________
Version 2.2.35
Reply With Quote
  #250  
Old 08-07-2009, 07:47 AM
 
TA TA is offline
 

eXpert
  
Join Date: Apr 2006
Posts: 303
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I shut down our FTP to prevent this. Basic FTP is too vulnerable.
__________________
v4.7.12
v5.4.x (In Dev)
Reply With Quote
Reply
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 03:53 PM.

   

 
X-Cart forums © 2001-2020