Warning: Iframe based attacks using stolen FTP access info
#241
Re: Warning: Iframe based attacks using stolen FTP access info
The ones that we saw were not FTP related. They were script related. Older outdated scripts, forum scripts, blogs, older versions of X-Cart etc etc. It was not a compromise of the client's passwords or FTP, from what we've seen it's strictly program/script related.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#242
Thank you Conor. The early IFrame attacks were breaches in FTP using username and password. We have disabled FTP access due to being hacked this way.
__________________
v4.7.12 v5.4.x (In Dev)
#243
We actually never had any of our IFRAME attacks done through the FTP - they were all script exploits. Will have to keep an eye out for some of that I guess - haven't seen anything done that way as of yet anyway.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#244
We have seen a bunch of IFrame attacks but these were all done via an FTP exploit, and happened to one customer of ours who builds x-cart based websites, and it happened to every store they built, all in the space of 1 day.
We had to secure their hosting accounts then remote desktop into the customers' computers and remove the viruses on their PCs which were uploading viruses and other nasties using any FTP connection found on the PCs. Was a nightmare for them to have every store compromised in 1 day, but it's times like that, regular offsite backups come in really handy!
__________________
Richard Wraith WESH UK Hosting Tel: 0800 5 999 404 Web: http://wesh.uk UK Web Hosting with cPanel FREE I.T SUPPORT & REMOTE DESKTOP
#245
I was hacked on 7/6/09, all my index.php, home.php were changed. My site is new, so it was easier to spot the files changed since I did not work on them that day. I also discovered there was a virus in my PC which was not picked up by the antivirus, but I was able to remove it with AVG anti-rootkit.
The virus was in my system no longer than 2 days. I believe this virus is related to this issue since my computer was having problems around this date. The files picked up:

Path: C:\Windows\System32\drivers\MSIVXjoevvtideftywmffu mitipxlcpgecuyf.sys
Description: Hidden driver file

Path: C:\Windows\System32\drivers\MSIVXjoevvtideftywmffu mitipxlcpgecuyf.sys
Description: Hidden File

Path: C:\Windows\System32\MSIVXcount
Description: Hidden File

Path: C:\Windows\System32\MSIVXcsiowexpxmydnbpnyqjcobywt myuytne.dll
Description: Hidden File

Path: C:\Windows\System32\MSIVXcwdnrvsthgsiolbctqqomernh exsgpcj.dll
Description: Hidden File

You might also find a folder c:\program files\sys\
__________________
Core version: 5.3.2.7 PHP: 5.6.29 MySQL server: 5.5.5-10.0.27-MariaDB-cll-lve (InnoDB engine support enabled) Web server: Apache Operating system: Linux XML parser: found GDLib: found (0) Translation driver: Database Curl version: 7.29.0
#246
Add me to the list. We got hacked.
So, my question is this... How do I fix it? I examined all the files in the entire site named "home" or "index" and removed the <iframe> lines from the files and then uploaded them again. However, there is still a page affected somewhere. The only place I am having a problem is on my admin/home.php page. When I view the page source through a browser I still see the <iframe> line. I can't find any files that still have that line in it though. Can anyone tell me what specific files I should be looking for?
__________________
Version 4.0.19
#247
You may want to download all the files on your site, and use a search tool to find any references to "iframe" or the URL that they're pointing/pulling from.
Also, depending on your host, they should be able to run this query quickly for you. We've done it a number of times for our customers and we ran routine checks on our servers for the exploits as they came up. Contact your host, they should be able to tell you what file it's located in.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
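Added example, not part of any post in this thread: one way to run the search suggested in #247 over a downloaded copy of the site. It goes a little beyond a plain search for "iframe" by flagging only tags that are hidden or that load from a host other than the store's own, and it lists the most recently modified files first. The names inspect, scan_tree and own_hosts and the extension list are assumptions made for this sketch.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# File types to scan in a PHP storefront: pages, templates, scripts.
SCAN_EXT = {".php", ".html", ".htm", ".tpl", ".js", ".inc"}
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
SRC = re.compile(rb"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN = re.compile(rb"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# width/height of 0 or 1, as an attribute (=) or inside a style (:)
TINY = re.compile(rb"""\b(?:width|height)\s*[=:]\s*["']?[01](?![0-9.])""", re.I)


def src_host(src):
    """Host part of an iframe src, or '' for relative or malformed URLs."""
    try:
        return urlsplit(src).hostname or ""
    except ValueError:
        return ""


def inspect(data, own_hosts):
    """Return (line_no, src, reasons) for each suspicious <iframe> in data."""
    hits = []
    for m in IFRAME.finditer(data):
        tag = m.group(0)
        src_m = SRC.search(tag)
        src = src_m.group(1).decode("latin-1") if src_m else ""
        host = src_host(src)
        reasons = []
        if HIDDEN.search(tag) or TINY.search(tag):
            reasons.append("hidden")
        if host and host not in own_hosts:
            reasons.append("remote:" + host)
        if reasons:
            hits.append((data.count(b"\n", 0, m.start()) + 1, src, reasons))
    return hits


def scan_tree(root, own_hosts):
    """Scan a local copy of the site; newest-modified files come first."""
    found = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            for hit in inspect(path.read_bytes(), own_hosts):
                found.append((path.stat().st_mtime, str(path)) + hit)
    found.sort(key=lambda f: f[0], reverse=True)
    return [f[1:] for f in found]
```

Call it as scan_tree("site_copy", {"www.yourstore.example"}), with the store's own hostnames in the set. It matches only literal <iframe tags, so markup that a script assembles at runtime will not show up; comparing the tree against a known-clean backup covers that case.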
#248
On the store I set up for a friend of mine, lately I've been seeing 1 person off and on with the same first and last name. I checked the log in to check each person out and it was just a bunch of junk entered in for city, state, email, phone etc. I got their IP addresses and went in to cPanel and banned the IP address for each one (5 total). Each address is different and when I did a trace route one was from Ca, one from RU and one from Latvia. These people had gone into the store and were sitting in the gift certificate php, not sure if anything was going on but the store is running the same. One name was SConcucculp, another was igeieqfjqf909 and another was xrumer
#249
Hi all,
Has any solution ever been found to this iframe attack? We recently had our site attacked as our Web Designer's PC had all his ftp contacts stolen via what he has been told was the 'Gumbler' Virus. The site was restored from the Host, but it has gone down again with the same attack for the 3rd time today in a week.

The iframe code that has been added is:

(iframe src="h-t-t-p-:-/-/-spzr.in:8-0-8-0/index.p-h-p" width=140 height=139 style="visibility: hidden")(/iframe)

(I've changed the code slightly using () and - just in case this post gets infected!!!)

We use the recent version of LiteCommerce and our host isn't being much use (we use Provider One here in the UK), claiming that the virus/attack is still coming from the Designer's PC (he has now moved to a Mac so we're sure it's not him!!). Can anyone shed some light?
__________________
Version 2.2.35
#250
I shut down our FTP to prevent this. Basic FTP is too vulnerable.
__________________
v4.7.12 v5.4.x (In Dev)
X-Cart forums © 2001-2020