Warning: Iframe based attacks using stolen FTP access info

balinor · #**161** 10-28-2008, 12:25 PM

Good lord man, don't post the hack code or the link to your site here! You trying to infect the whole community? I have removed it. Contact your host, it is easiest for them to remove it. Change your FTP passwords ASAP as mentioned above. Read the threads above, they explain what you need to do, but it is much easier to have your host help with this.

TWS Accessories · #**162** 10-28-2008, 12:29 PM

Quote:

Originally Posted by balinor

Good lord man, don't post the hack code or the link to your site here! You trying to infect the whole community? I have removed it. Contact your host, it is easiest for them to remove it. Change your FTP passwords ASAP as mentioned above. Read the threads above, they explain what you need to do, but it is much easier to have your host help with this.

Oopse, sorry!

I am at softlayer dedicated support - do you think they can help if I create a ticket or this is something I should just call firetank or x-cart about?

any suggestion would help.

balinor · #**163** 10-28-2008, 12:30 PM

X-Cart and Firetank won't be able to help you quick enough - this is an emergency that needs to be addressed ASAP. Hopefully your host is a responsive one.

TWS Accessories · #**164** 10-28-2008, 12:33 PM

Quote:

Originally Posted by balinor

X-Cart and Firetank won't be able to help you quick enough - this is an emergency that needs to be addressed ASAP. Hopefully your host is a responsive one.

Well, I'm going to create a ticket now and have them look at it. Should I ask them to check anything specific?

balinor · #**165** 10-28-2008, 12:34 PM

Yes, you need to have them go through your whole site and remove the hack. Read the threads above, there are some specific commands that have been supplied by other hosts.

gravel · #**166** 10-28-2008, 12:38 PM

Man I can't believe this. I absentmindedly clicked on the impostercity link in the email notification from this thread and it opened in Firefox. I closed it immediately but I wonder if my computer is now infected. How do I check?

TWS Accessories · #**167** 10-28-2008, 12:39 PM

Quote:

Originally Posted by gravel

Man I can't believe this. I absentmindedly clicked on the impostercity link in the email notification from this thread and it opened in Firefox. I closed it immediately but I wonder if my computer is now infected. How do I check?

your computer won't be hacked. Just clear your cookies before you go to your x-cart sites.

balinor · #**168** 10-28-2008, 12:40 PM

That is what I was afraid would happen

Are you running anti-virus software? If so, run a scan asap and DO NOT log on to your site via FTP until you know you are clean.

Impostercity, you have no idea what you have done. Clicking on your site while infected downloads a keylogger on to any computer that accesses it. It has nothing to do with cookies, it is a VIRUS!

TWS Accessories · #**169** 10-28-2008, 12:41 PM

Quote:

Originally Posted by balinor

Yes, you need to have them go through your whole site and remove the hack. Read the threads above, there are some specific commands that have been supplied by other hosts.

OK so remove the hacks from all .PHP files and by hacks, you mean the hit-counter link and the other iframe link/code? That is all?

I will read the rest thank you.

gravel · #**170** 10-28-2008, 12:44 PM

How can I be sure? What about the quote below?

Quote:

Originally Posted by pauldodman

When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hacker(s) and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the persons site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no differ ence.
After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers infection site, where the person's computer will be injected and infected.