Warning: Iframe based attacks using stolen FTP access info

tradedvdshop · #91 10-23-2008, 01:32 PM

Quote:

Originally Posted by manolodf

What I would do is grab a portable scanner like a portable Nod32 to run a quick scan, some viruses do make the effort to butcher the antivirus from updating, scanning, installing etc, that is why maybe running one from a USB drive might be a good bet to at least get a preliminary cleaning going. What FTP program do you use, and maybe was one of the quarantined files the FTP program or one of the access files that holds your FTP information? Perhaps a virus is targetting certain FTP programs and their information file, decrypting and sending them on your next attempt, just a guess

In fact that might be correct what ftp software is everyone who has been infected using, i am using filezilla?

Paul

tradedvdshop · #92 10-23-2008, 01:41 PM

Hi,
Right i have located the problem can anyone help i am getting the following error

Call to undefined function func_generate_joins() in /home/discworld/public_html/include/search.php on line 673

So i have located the file and it says this
$search_query .= func_generate_joins($joins);
$search_query_count .= func_generate_joins($joins_count);

$search_query .= " WHERE ".implode(" AND ", $where);
$search_query_count .= " WHERE ".implode(" AND ", $where);
if (!empty($groupbys)) {
$search_query .= " GROUP BY ".implode(", ", $groupbys);
$search_query_count .= " GROUP BY ".implode(", ", $groupbys);
}
if (!empty($having)) {
$search_query .= " HAVING ".implode(" AND ", $having);
$search_query_count .= " HAVING ".implode(" AND ", $having);
}
if (!empty($orderbys)) {
$search_query .= " ORDER BY ".implode(", ", $orderbys);
$search_query_count .= " ORDER BY ".implode(", ", $orderbys);
}

#
Any ideas what i need to do to solve it?

Acquamarina · #93 10-23-2008, 01:42 PM

I don't think it is targeting the ftp program. I will know better when the scan is over. It will take a little while as I am going to do an online based one too, just to be safe. Any recommendations? I thought I'd go with TrendMicro Housecall.

Acquamarina · #94 10-23-2008, 01:44 PM

I have more than one site on 2 servers and the other has not been compromised to my knowledge. Knock on wood!

Acquamarina · #95 10-23-2008, 01:50 PM

tradedvdshop,

Do you have a back-up of include/search.php? I solved the blank page by uploading a back-up copy if you have your ftp working.

tradedvdshop · #96 10-23-2008, 01:56 PM

YOU ARE A SAINT!!
That did the trick thanks mate now i can go home and get some sleep!!

Drinks are on me!

Acquamarina · #97 10-23-2008, 01:59 PM

Glad to be of help - have a great night!

Acquamarina · #98 10-23-2008, 02:27 PM

Windows urgent update:

http://news.cnet.com/8301-1009_3-10074072-83.html

bigredseo · #99 10-23-2008, 06:16 PM

Nice find Acquamarina. While I'm not one to normally share operating system information and what type of software or versions someone may be running, it might be an advantage in this case to provide details on what OS a user is running, what type of system was hacked, and what were the FTP versions, version of X-Cart, mods installed etc.

I don't know if that would HELP or HURT the situation though. We haven't seen any iframe attacks other than the one mentioned, and no ideas on how it was done other than a possible keylogger.

Other forums that I frequent are not reporting any new incidents of iFrame attacks either, so it sure seems limited to here on the X-Cart users from what I can tell.

bigredseo · #**100** 10-23-2008, 08:00 PM

We just found another intrusion on one of our servers where only two users are hosted. The intrusion was done on October 22 23:45 - AFTER our scan of the servers had been completed

We're re-running scans of servers again - whoever this is, they haven't given up this injection yet. And it's not from Egypt either - it's from Arizona, Phoenix. Starts with 71.38.x.x