Warning: Iframe based attacks using stolen FTP access info

BCSE · #**251** 08-07-2009, 08:21 AM

Just don't ever use FTP. It is completely insecure. If your hosts refuses to set up sFTP then you need to get another host. Most people don't understand that with FTP, your username and password are sent over the internet every time you connect to it. So those hosting companies that disconnect you every 5 minutes just make their hosting environment even more insecure as you have to reconnect all the time, sending your password even more times unencrypted (plain text) across the internet from your PC to the server. Anyone watching traffic on your PC or on the Server or the network in between could see your password in plain text.

We have only secure connections to our servers, including secure mail connections (secure pop or secure IMAP). It just reduces your risk this way. If you get a keylogger virus on your computer, they could still get into the server even with an sFTP connection, but your risk is lower using only secure connections to the server.

Sorry to hear about your troubles!

Carrie

sambamu · #**252** 08-07-2009, 10:33 AM

my site was hacked on 7/10/09 and was using version 4.2.

Pegasis · #**253** 08-23-2009, 02:31 PM

Same here hacked over and over..using all suggested htaccess and security settings!!!!

cflsystems · #**254** 08-23-2009, 04:26 PM

Did they hack the site or the hosting account?

bigredseo · #**255** 08-23-2009, 05:06 PM

Also, have you run the scans for the Grumblar virus? Maybe it's your computer that's infected and that is uploading the information to the server (we've see a lot of this).

Check out this article, and the link at the bottom of the article to get a free tool to remove any trojans or keyloggers. It's what I use on a DAILY basis on my own computers;
http://billing.handsonwebhosting.com/knowledgebase.php?action=displayarticle&id=220

Pegasis · #**256** 08-23-2009, 05:17 PM

Quote:

Originally Posted by cflsystems

Did they hack the site or the hosting account?

Still trying to figure this one out. I just got done with a fresh reload of all files and in less then 1 minute...hacked with iframes..

bigredseo · #**257** 08-28-2009, 01:36 PM

Did you scan your computer like I posted in the above link? you must make sure your computer (or any that has FTP access to your site) has a CLEAN server with no virus or trojans on it.

This is the most common iframe injection we're seeing - especially if it's happening within a short amount of time.

Riz · #**258** 09-08-2009, 07:10 PM

For everyone's information, Its not an Xcart problem. I have dozens of sites from Oscommerce and multiple other e-commerce platforms. The hacker compromised a local machine and stole the FTP passwords from Windows with a DLL hack that is a vulnerability in WIN2k, XP and Vista. It installed IFRAME tags with malicious urls in every directory I had on 4 servers it took a minute to fix. thank GOD no data was compromised. I got to the root of the problem, rectified the damage and just wiped out my stored passwords from my FTP program. DONT STORE PASWORDS IN FTP they can be decrypted and stolen right out of windows. Just dont use auto login and store encryted passwords in your FTP program.