
Warning: Iframe based attacks using stolen FTP access info

 
  #201  
11-18-2008, 12:07 PM

finerpeter
Senior Member
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by balinor
Just read this thread over in the LC forums - appears the Qualiteam logins were compromised there. Still wonder exactly what was compromised over there and if that had anything to do with this issue?

http://forum.x-cart.com/showthread.php?t=41296

This is quite disturbing to know.

It seems that my suspicions, shared by others, at the start of this thread were not so far off.
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
  #202  
11-18-2008, 01:00 PM

sandyscloset
Advanced Member
Join Date: Jun 2007
Posts: 43

Re: Warning: Iframe based attacks using stolen FTP access info

I have been communicating with Xcart's Help Desk about this and they keep shifting the blame to us. Except my PC scanned clean using Spybot S&D immediately after Emerson cleaned up my server files. I also followed through and checked the C disk and only found our local IP address. To satisfy Xcart I downloaded AVG this morning and ran a full scan which again tested negative. So it was only the server files that were infected and that matches this theory.

Xcart did upgrade work for us that stretched literally into weeks from the time they were given our C panel password until the work was completed. I accept responsibility for failing to change the password but it took so long that I simply forgot. Has anyone had this issue that has not had Xcart do work for them?
__________________
www.sandyscloset.net/home.php/Gold
xcart gold - 4.1.10
X-AOM, DSEFU, X-cart Site map, Firetank's Featured Product Manager and Feedmanager Bundle, BCSEnginneering Product Meta Tags Plus, Category Meta Title Control, Static Page Meta Tag Control, and Variant Modifier,

Hosting by EWD Hosting
  #203  
11-18-2008, 08:51 PM

Asiaplay
X-Wizard
Join Date: Oct 2005
Posts: 1,242

Re: Warning: Iframe based attacks using stolen FTP access info

Sandyscloset,

I do know of one forum member who has never used Qualiteam and got this problem - it appears they have only ever used one 3rd party mod supplier (I know this is not what you wanted to hear, as that would have narrowed down the options of where the leak came from).

So the leak must be in more than one place (unfortunately) - unless everyone has used that 3rd party supplier (and I do not want to point fingers - as I am sure they would not have leaked it on purpose and would have fixed any issues by now if they had any... and I am still not certain they are the basis of the leak anyway).

We have used Qualiteam before and did not get any problem ourselves - however as soon as this issue came up we made very sure to change every password we had ever given to them (to be on the safe side - and I should add our site is still htaccess locked off - so that might be related as well).

As one forum member indicated - CoreFTP software seems to be playing a part... making sure you are not using that software for FTP is one step forward perhaps.

Cheers - Asiaplay
__________________
X-Cart Gold version 4.1.9
(plus built in X-Cart bugs!)
  #204  
11-19-2008, 12:07 AM

ambal
X-Cart team
Join Date: Sep 2002
Posts: 4,125

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by balinor
Just read this thread over in the LC forums - appears the Qualiteam logins were compromised there. Still wonder exactly what was compromised over there and if that had anything to do with this issue?

http://forum.x-cart.com/showthread.php?t=41296

I just want the community to know: our HelpDesk wasn't compromised. The source of the leak is somewhere else, but not in the HelpDesk.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
  #205  
11-19-2008, 03:21 AM

balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: Warning: Iframe based attacks using stolen FTP access info

Hi Alex, perhaps you can clarify exactly where the leak was, and how it affected LC clients but not X-Cart clients?
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #206  
11-19-2008, 04:10 AM

ambal
X-Cart team
Join Date: Sep 2002
Posts: 4,125

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by balinor
Hi Alex, perhaps you can clarify exactly where the leak was, and how it affected LC clients but not X-Cart clients?

That was about default passwords in LC admin. We sent a security warning about that problem to all LC users a couple of months ago. The LC issue had no impact on X-Cart. That's why we didn't hear X-Cart users complaining about the same here.

I do confirm one more time that the HelpDesk wasn't compromised.

FTP/SSH passwords can be stolen in numerous ways and it is hard to point to the exact source at the moment. E.g. it can be malicious abuse of an undiscovered hole in some software used along with ours on servers, or new spyware which antiviruses do not know yet.

We have tens of thousands of clients worldwide. If a very small percent of them in different parts of the world suffer from the same, we will see tens of people speaking about the same issue here. As a result it can create some sort of "image" in the minds of others who read this forum topic. I do not want to say that there is no problem. I want to say that the HelpDesk wasn't compromised!
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
  #207  
11-19-2008, 04:48 AM

balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: Warning: Iframe based attacks using stolen FTP access info

Thank you for the clarification - just a little worried that the source of this 'outbreak' still hasn't been discovered.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #208  
11-19-2008, 05:54 AM

sandyscloset
Advanced Member
Join Date: Jun 2007
Posts: 43

Re: Warning: Iframe based attacks using stolen FTP access info

We just closed our ticket with Xcart's Help Desk. They wanted access to our server files again and that's not happening.

One friend's website left Xcart last weekend. We are following by the end of the month. (Lousy timing with the holiday rush). I want to publicly thank Balinor and Emerson for their outstanding customer service and dedication to the Xcart community. Thank you gentlemen it's been a pleasure and honor. Emerson I'll be in touch with communication about our move.
__________________
www.sandyscloset.net/home.php/Gold
xcart gold - 4.1.10
X-AOM, DSEFU, X-cart Site map, Firetank's Featured Product Manager and Feedmanager Bundle, BCSEnginneering Product Meta Tags Plus, Category Meta Title Control, Static Page Meta Tag Control, and Variant Modifier,

Hosting by EWD Hosting
  #209  
11-19-2008, 06:15 AM

ambal
X-Cart team
Join Date: Sep 2002
Posts: 4,125

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by sandyscloset
We just closed our ticket with Xcart's Help Desk. They wanted access to our server files again and that's not happening.

One friend's website left Xcart last weekend. We are following by the end of the month. (Lousy timing with the holiday rush). I want to publicly thank Balinor and Emerson for their outstanding customer service and dedication to the Xcart community. Thank you gentlemen it's been a pleasure and honor. Emerson I'll be in touch with communication about our move.

It's really sad to see this. I reviewed the ticket you created in the HelpDesk and all I can repeat is that the HelpDesk wasn't compromised. Unfortunately there is no one exact source which we can point to, so it is hard to persuade people that we are not the source for this leak.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
  #210  
11-19-2008, 09:42 AM

Acquamarina
X-Adept
Join Date: Aug 2006
Location: USA
Posts: 811

Re: Warning: Iframe based attacks using stolen FTP access info

Hi, Sandyscloset,

I too had the site infected, and Emerson was wonderful and got rid of it. I did the same as you did, scanned my computer with PC-cillin, and found no problem. However, and that is a big one, 2 weeks later I get this update from Windows that just took over and updated with great emergency, scanned the computer and informed me it had found a trojan that was missed by PC-cillin, which is always up to date. I also scan twice a week.

I posted this a while back - here: http://forum.x-cart.com/showpost.php?p=236166&postcount=196

Today I was doing some checking on Google Webmaster Tools, Crawl stats and went to see a cached page on my site - the security software would not let me open the page!!! If a PC was infected it might be re-infected by visiting a Google cached page, I assume.

Is that correct? Is this infection still live in cached pages? The other thing I noticed is the home page listed on Google results had the https address instead of the regular http.

Is there anything that can be done to remove the infected cached pages from Google without destroying all the hard work I did? It must have indexed the site right at the time of infection.
__________________
Vera B
4.4.5
CFLSystems.com mods, Kosmos eBay Integration, Feed Manager Pro, custom mods, BCSEngineering Mods, CDSEO PRO
Hosting by EWDHosting - The best home for your x-cart.
All times are GMT -8.