Warning: Iframe based attacks using stolen FTP access info
#221
Re: Warning: Iframe based attacks using stolen FTP access info
Quote:
Interesting! Will check it out further. Will need to find a customer using one of these mods and ask for access to the admin side so I can test it out.
__________________
Emerson █ Total Server Solutions LLC- Quality X-Cart Hosting █ Recommended X-Cart Hosting Provider - US and UK servers █ Does your host backup your site? We do EVERY HOUR!!! █ Shared Hosting | Managed Cloud | Dedicated Servers

#222
Re: Warning: Iframe based attacks using stolen FTP access info
Hi folks,
I have just recently re-setup my x-cart store (actually in the process of getting it setup) and noticed this thread today. I wanted to comment that just last night I discovered one of my WordPress based sites had this exploit. The exploit was in one of the posts, a post that I had made on the site back in early 2007 (the site has not been updated recently). Almost daily I would get emails of spammers posting spam comments on the site, however I do not allow comments to go live until approved. I do not know how the exploit made it into my post as when building and accessing that site I only used a Mac. According to Google (I had the warning show up when trying to access the site via Firefox) it claims my site is a source of an iframe exploit for 90 days. FTP is not enabled on this site, just SFTP. I edited the post last night to remove the iframe and the traffic code (yep, they were checking how many page views my site got as well). I have also set the blog to require a user be registered before being able to post and require all users to be approved for their registration. I expect the above steps will stop it on that site. I mention this only to confirm that it happens on non-x-cart sites as well. None of the other sites on this server had been compromised.
Dale
__________________
-- X-Cart 4.2, Fancy Categories, Affiliate

#223
Re: Warning: Iframe based attacks using stolen FTP access info
I just got hit with an iframe attack at seashellshack.com
This is the destination [removed by mod]. No one had access to my FTP although I have not yet applied the new security patch.
__________________
4.1.11

#224
Re: Warning: Iframe based attacks using stolen FTP access info
Please don't post links that appear in hacked sites.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development

#225
Re: Warning: Iframe based attacks using stolen FTP access info
It wasn't a link.
The "."s were replaced with "dot"s so everyone could use it to look for the problem on their sites. I might be a newb but I am not a complete idiot.
__________________
4.1.11

#226
Re: Warning: Iframe based attacks using stolen FTP access info
It actually was a link; it probably just didn't go anywhere if you modified it. I removed it before I looked at it as other not so bright people HAVE posted the iframe's links in this thread.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development

#227
Re: Warning: Iframe based attacks using stolen FTP access info
The IP for my attacker is 67.238.189.236 out of Winter Park, FL.
They injected iframes into all index, home, default and auth files plus admin/main, admin/admin/main, /include/include/login.php and more. Then he changed the config file to collect credit card #s, added his IP as an allowed administrator and then hid that page from me. This person is very familiar with xcart.
__________________
4.1.11 |
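
An added example, not part of any post in this thread: a heuristic scan for the kind of injection described in the post above, walking a site directory and reporting every iframe that loads from another host and is made invisible. The "hidden" heuristic, the file extensions and the `injected.example` / `video.example` hosts are assumptions; the sample files are constructed, not taken from any real site.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): an <iframe> that loads from another host and is invisible.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?\s*((?:https?:)?//[^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".tpl", ".js")


def scan_text(text):
    """Return the external src of every hidden iframe tag in text."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        src = SRC_RE.search(tag)
        if src and HIDDEN_RE.search(tag):
            hits.append(src.group(1))
    return hits


def scan_tree(root):
    """Walk root and return sorted (relative path, iframe src) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="replace")
            for src in scan_text(text):
                findings.append((path.relative_to(root).as_posix(), src))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not real site data) and scan it."""
    samples = {
        "index.php": '<?php echo "hi"; ?><iframe src="http://injected.example/x" width=0 height=0></iframe>',
        "admin/main.php": "<iframe src='//injected.example/y' style='visibility:hidden'></iframe>",
        "home.php": '<iframe src="/local/banner.html" width="300" height="250"></iframe>',
        "include/login.php": '<iframe src="https://video.example/embed" width="560" height="315"></iframe>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

A clean result only covers visible-markup injection; the config change and added administrator IP described in the post need a separate comparison against a known-good backup.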

#228
|||||||
Re: Warning: Iframe based attacks using stolen FTP access info
You have to wonder if that IP is part of this community and thru our discussions we are giving out info. That would totally suck. Anyway IP records for logins I assume can be gone through to verify if it exists so we aren't giving the hacker a home to watch us all.
Just a thought.... Anyways, I just got my sites all patched to the newest of security releases. I hope all is sealed up now for this and other forms of low life.
__________________
Regards, Dan X-Cart Gold Version 4.1.10 1 - One page checkout 2 - Image Generator 3 - CSDEO Pro 4 - Shop By Price 5 - Next - Previous 6 - On Sale 7 - Shop By Price 8 - Froogle & Google Base Feed 9 - Buy Together 10 - Customer Loyalty Points 11 - Customer Reward Points Customer Reward Points Referral Add-on 12 - Product Reviews 13 - Other Custom Modifications ---------------------- http://www.townsqjewelry.com/ http://www.eroticnights4u.com/ <---- Adult Oriented - Toys

#229
Re: Warning: Iframe based attacks using stolen FTP access info
I just stumbled onto this thread. We were attacked on 10/8/08 by this same hacker. We noticed the insecure warning from IE. That was our first clue. I got on the phone right away with our server host and once I determined that files were changed, I closed down the web-site. Our host uploaded backup files to replace any that were changed, we changed all passwords and I shut down FTP access on our server. I rarely use FTP, so we are leaving it off for now. I usually work through CPanel file manager. Now that I know the extent of this, I am having our host run the SSH command from post #64 to make sure we didn't miss anything.
Has the source ever been figured out? I understand that we do not want to burn anybody at the stake, but I would like to know where the breach happened and if steps have been taken to help prevent this in the future.
__________________
v4.7.12 v5.4.x (In Dev)

#230
Re: Warning: Iframe based attacks using stolen FTP access info
Hey all
Did anybody ever figure this out in the end? This is still happening...
__________________
Richard Wraith WESH UK Hosting Tel: 0800 5 999 404 Web: http://wesh.uk ==================== UK Web Hosting with cPanel =========================== FREE I.T SUPPORT & REMOTE DESKTOP ===========================

X-Cart forums © 2001-2020