Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

Warning: Iframe based attacks using stolen FTP access info

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #111  
Old 10-24-2008, 02:05 AM
 
tradedvdshop tradedvdshop is offline
 

Advanced Member
  
Join Date: Jun 2007
Location: Kent UK
Posts: 30
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Anyone know if xcart support use a fixed ip address?
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


Reply With Quote
  #112  
Old 10-24-2008, 03:26 AM
 
verbic verbic is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 310
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hello,

Last night and this morning we did a thorough investigation of our infrastructure and especially support HelpDesk. We did various checks including code sanitizing, log file analysis, virus scanning, analyzed traffic patterns etc. And did not find any signs of intrusion or security breach. Also some people from this forum confirmed that during the attack were used logins that they did not submit to our HelpDesk. Some of the affected clients had absolutely empty access list.
Although we found nothing we will do several prophylactic checks during next weeks.

We also had a chance to analyze the attack at one of our clients server. Most likely that this virus spreads in a worm-like fasion:

1.Virus installed on the computer it scans system for cached ftp login/passwords if there are some.
2. It sends discovered login details to the central server which processes them, connects the site using ftp access, scans web directory and infects index.html/php files.
3. People viewing infected sites and virus is installed on their computers. Some of them have cached ftp access details. Then the cycle repeats.
Attack was so successful because anitivirus companies included these viruses in their databases only Oct 20 - 22. So until then they run amok hitting unprotected systems.

Here are reports about similar incidents from the third parties:
http://www.webmasterworld.com/apache/3771650.htm
http://www.phpbb.com/community/viewtopic.php?f=46&t=1096195

Although the virus dropping site seems to be blocked now it will be a good idea to change ftp/ssh access details in case if they were harvested by virus.
__________________
Sincerely Yours,
Dmitry Verbichenko
Chief Information Officer

Last edited by verbic : 10-24-2008 at 04:35 AM.
Reply With Quote
  #113  
Old 10-24-2008, 08:24 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hello Verbic,

Thank you for your update on the helpdesk issue - that will at least put our minds at ease regarding the Helpdesk being exploited.

The webmasterworld post I found last night, but due to having done a number of searches on their forum (without a user account) they then blocked my IP and required me to register/login. As a result I was unable to grab the thread. I do know that it was started on 10/23, so right in the same timeframe that we are dealing with. The other one on the phpBB is from an attack in July, so while similar, not current.

We continue making scans on our servers for our users, but with limited results.

Also, update on Quest - no response - STILL.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #114  
Old 10-24-2008, 08:47 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Conor,

Yes, I had reported it to them yesterday and the day before. No word from them either.

For those of you that are looking for affected files it is not just index files they are editing.
I have seen /include/templater/plugins/modifier.default.php and also /Smarty-X.X.X/plugins/modifier.default.php tempered with.

If you think you have been hit your best bet is contact your host and have them scan your entire home directory for you. It is much easier and more effective that way.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #115  
Old 10-24-2008, 08:55 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

We have also found ONE file with the "main.php" being compromised.

Basically any file with the following words are the likely targets:

INDEX, DEFAULT, MAIN

We've seen the following:
index.htm, index.html, index.php
default.html, default.html, default.php
modifier.default.php
main.php

If you are unable to find the files yourself, please contact your host and provide them the search commands as posted in post 64 here on the forums. They should be able to scan your site for any references to IFRAME and live-counter.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #116  
Old 10-24-2008, 10:03 AM
 
gargonzo gargonzo is offline
 

Senior Member
  
Join Date: Nov 2004
Posts: 171
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

folks -- ok, so if we have a server.. what do we do? I've checked via SSH for live-counter and its come back negative..

in the meantime -- what should be done to prevent intrusion..

just change the root passwords?

garz
__________________
xcart ver 4.xx/linux/php
Reply With Quote
  #117  
Old 10-24-2008, 10:08 AM
  BCSE's Avatar 
BCSE BCSE is offline
 

X-Guru
  
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 3,089
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by gargonzo
folks -- ok, so if we have a server.. what do we do? I've checked via SSH for live-counter and its come back negative..

in the meantime -- what should be done to prevent intrusion..

just change the root passwords?

garz

Change *ALL* passwords that relate to ftp and/or ssh, cpanel, plesk, etc. It would never hurt either to change X-cart admin passwords.

Make sure your X-cart security patches are installed (although this thread doesn't relate to any X-cart vulnerabilities, but we find so many many sites that let this go and do not patch in a timely manner).

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!
Reply With Quote
  #118  
Old 10-24-2008, 10:08 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

If you've run that scan, then that's about all at the moment. You're not infected. Change the root passwords on the system and any passwords for FTP accounts etc just to be sure.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #119  
Old 10-24-2008, 01:08 PM
 
EN4U EN4U is offline
 

eXpert
  
Join Date: Feb 2008
Location: AZ
Posts: 379
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Emerson
Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts".
Open it with notepad and make sure that no entries have been made there.

A stock, untouched file looks like the one below:


If you see any entry other then 127.0.0.1 localhost your computer has been compromissed.

By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.

For example. Lets say that yoursite.com is supposed to point to 11.11.11.11
A hacker can edit the hosts files and add the following entry:
22.22.22.22 yoursite.com

So when you type yoursite.com in your browser, you will actualkly be visiting the site at 22.22.22.22 and not 11.11.11.11
This can be used to to further collect any logins you try at that site, etc...

Scary, huh?

Im seeing this.... is this ok, as the second line worries me..

127.0.0.1 localhost
::1 localhost
__________________
Regards, Dan
X-Cart Gold Version 4.1.10

1 - One page checkout
2 - Image Generator
3 - CSDEO Pro
4 - Shop By Price
5 - Next - Previous
6 - On Sale
7 - Shop By Price

8 - Froogle & Google Base Feed
9 - Buy Together
10 - Customer Loyalty Points
11 - Customer Reward Points
Customer Reward Points Referral Add-on
12 - Product Reviews
13 - Other Custom Modifications
----------------------
http://www.townsqjewelry.com/
http://www.eroticnights4u.com/ <---- Adult Oriented - Toys
Reply With Quote
  #120  
Old 10-24-2008, 01:10 PM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

that is ok
::1 localhost is for ipv6. Not to worry.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
Reply
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 12:46 PM.

   

 
X-Cart forums © 2001-2020