Warning: Iframe based attacks using stolen FTP access info
#221
Quote:
Interesting! Will check it out further. Will need to find a customer using one of these mods and ask for access to the admin side so I can test it out.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers
#222
Hi folks,
I have just recently re-setup my x-cart store (actually in the process of getting it setup) and noticed this thread today. I wanted to comment that just last night I discovered one of my WordPress based sites had this exploit. The exploit was in one of the posts, a post that I had made on the site back in early 2007 (the site has not been updated recently). Almost daily I would get emails of spammers posting spam comments on the site, however I do not allow comments to go live until approved. I do not know how the exploit made it into my post, as when building and accessing that site I only used a Mac. According to Google (I had the warning show up when trying to access the site via Firefox) it claims my site is a source of an iframe exploit for 90 days. FTP is not enabled on this site, just SFTP. I edited the post last night to remove the iframe and the traffic code (yep, they were checking how many page views my site got as well). I have also set the blog to require a user be registered before being able to post and require all users to be approved for their registration. I expect the above steps will stop it on that site. I mention this only to confirm that it happens on non-x-cart sites as well. None of the other sites on this server had been compromised.
Dale
__________________
-- X-Cart 4.2, Fancy Categories, Affiliate
#223
I just got hit with an iframe attack at seashellshack.com
This is the destination [removed by mod]. No one had access to my FTP, although I have not yet applied the new security patch.
__________________
4.1.11
#224
Please don't post links that appear in hacked sites.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#225
It wasn't a link.
The "."s were replaced with "dot"s so everyone could use it to look for the problem on their sites. I might be a newb but I am not a complete idiot.
__________________
4.1.11
#226
It actually was a link; it probably just didn't go anywhere if you modified it. I removed it before I looked at it, as other not so bright people HAVE posted the iframe's links in this thread.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#227
The IP for my attacker is 67.238.189.236 out of Winter Park, FL.
They injected iframes into all index, home, default and auth files plus admin/main, admin/admin/main, /include/include/login.php and more. Then he changed the config file to collect credit card #s, added his IP as an allowed administrator and then hid that page from me. This person is very familiar with xcart.
__________________
4.1.11
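A defender-side sweep for the footprint described in the post above (iframes injected into index, home, default, auth, main and login files), as an added example that is not part of the original thread. The function names, the suffix list and the hostnames `shop.example` and `injected.example` are constructed assumptions; iframes written with backslash-escaped quotes inside PHP strings are not parsed.

```python
import re, tempfile
from pathlib import Path
from urllib.parse import urlparse

# File names the post lists as injection targets; hits in them are sorted first.
TARGET_STEMS = {"index", "home", "default", "auth", "main", "login"}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".tpl"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def iframe_reasons(tag, own_hosts):
    """Return why an <iframe> tag looks injected; an empty list means nothing flagged."""
    attrs = {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
             for m in ATTR_RE.finditer(tag)}
    reasons = []
    if any(re.fullmatch(r"[01](px)?", attrs.get(k, ""), re.I) for k in ("width", "height")):
        reasons.append("zero-size")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", attrs.get("style", ""), re.I):
        reasons.append("hidden-style")
    host = urlparse(attrs.get("src", "")).hostname
    if host and host not in own_hosts:
        reasons.append("external-src:" + host)
    return reasons

def scan_tree(root, own_hosts):
    """Return (relative path, line, reasons) per flagged iframe, target files first."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(errors="replace")
            for m in IFRAME_RE.finditer(text):
                reasons = iframe_reasons(m.group(0), own_hosts)
                if reasons:
                    line = text.count("\n", 0, m.start()) + 1
                    findings.append((path.relative_to(root).as_posix(), line, reasons))
    findings.sort(key=lambda f: (Path(f[0]).stem not in TARGET_STEMS, f[0], f[1]))
    return findings

def demo():
    """Scan a constructed store tree (sample content, not from any real site)."""
    files = {
        "index.php": "<?php echo 1; ?>\n<iframe src='http://injected.example/x' width=0 height=0></iframe>\n",
        "admin/main.php": '<html>\n<body>\n<iframe src="http://injected.example/y" style="visibility: hidden"></iframe>\n',
        "skin/cart.tpl": '<iframe src="http://shop.example/banner.html" width="468"></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return scan_tree(tmp, own_hosts={"shop.example"})
```

Run `scan_tree` against a copy of the store directory with `own_hosts` set to the shop's own hostnames, and compare every flagged file against a known-good backup.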
#228
You have to wonder if that IP is part of this community and thru our discussions we are giving out info. That would totally suck. Anyway, IP records for logins, I assume, can be gone through to verify if it exists so we aren't giving the hacker a home to watch us all.
Just a thought.... Anyways, I just got my sites all patched to the newest of security releases. I hope all is sealed up now for this and other forms of low life.
__________________
Regards, Dan X-Cart Gold Version 4.1.10 1 - One page checkout 2 - Image Generator 3 - CSDEO Pro 4 - Shop By Price 5 - Next - Previous 6 - On Sale 7 - Shop By Price 8 - Froogle & Google Base Feed 9 - Buy Together 10 - Customer Loyalty Points 11 - Customer Reward Points Customer Reward Points Referral Add-on 12 - Product Reviews 13 - Other Custom Modifications ---------------------- http://www.townsqjewelry.com/ http://www.eroticnights4u.com/ <---- Adult Oriented - Toys
#229
I just stumbled onto this thread. We were attacked on 10/8/08 by this same hacker. We noticed the insecure warning from IE. That was our first clue. I got on the phone right away with our server host and once I determined that files were changed, I closed down the web-site. Our host uploaded backup files to replace any that were changed, we changed all passwords and I shut down FTP access on our server. I rarely use FTP, so we are leaving it off for now. I usually work through CPanel file manager. Now that I know the extent of this, I am having our host run the SSH command from post #64 to make sure we didn't miss anything.
Has the source ever been figured out? I understand that we do not want to burn anybody at the stake, but I would like to know where the breach happened and if steps have been taken to help prevent this in the future.
__________________
v4.7.12 v5.4.x (In Dev)
#230
Hey all
Did anybody ever figure this out in the end? This is still happening...
__________________
Richard Wraith WESH UK Hosting Tel: 0800 5 999 404 Web: http://wesh.uk ==================== UK Web Hosting with cPanel =========================== FREE I.T SUPPORT & REMOTE DESKTOP ===========================
X-Cart forums © 2001-2020