Warning: Iframe based attacks using stolen FTP access info

bigredseo · #21 10-22-2008, 03:15 PM

Nothing has been found on our servers at this time. We currently have an iframe scan in process on 67 of our ecommerce servers - so far, no results other than this one incident.

The only thing I can comment on at the moment is that if this was a normal iFrame attack then it could have been caused by a keylogger or something of that nature. There's a mini article on the iframe incidents located here: http://forums.cpanel.net/showthread.php?t=78595

The only other information I can contribute is that in the case of this one user the iframe linked to "live-counter.net" - again something that Emerson had mentioned previously. A scan of our servers for that combination in ANY user files has not shown to be present.

EDIT: I was just informed that the URL I posted goes to a forum that requires you to log in to view the posts. I have a shortened version of the post at our KB posted here: http://billing.handsonwebhosting.com/knowledgebase.php?action=displayarticle&catid=11&i d=220

Donster · #22 10-22-2008, 03:45 PM

I went into my DirectAdmin panel. I changed my password in three locations:
1. DirectAdmin Account
2. Main FTP Account
3. Main Database Account

That locked users out of the site. Is that because I should not change the Main Database Account, and if so how would one change that properly?

bigredseo · #23 10-22-2008, 03:47 PM

did you remember to change the database password in the config.php file?

finerpeter · #24 10-22-2008, 03:48 PM

Make sure to change the database password in your config.php file.

EDIT: beat me to it Conor

Donster · #25 10-22-2008, 03:58 PM

I was not even aware of it being there. New site and x-cart folks installed it. But I opened the file and see where to make the change.

How often should this be done?

Donster · #26 10-22-2008, 04:00 PM

Y'all can smile cause when I browsed to our site and was locked out I had that "What the F!!!!" response, and corresponding flushed feeling of fear.

finerpeter · #27 10-22-2008, 04:00 PM

It's always a good thing to periodically change your passwords Donster. We deal with digital files so we rotate our passwords once a few weeks for added security.

balinor · #28 10-22-2008, 04:05 PM

And as a general rule, if you are allowing a third party to access your site, create a temporary account for them and delete it when they are done.

bigredseo · #29 10-22-2008, 04:42 PM

finerpeter

I just got lucky on the refresh I guess

As for how often to change files - personally, every 90 days. All our servers get passwords changed every 90 days, as do most of the sites I visit. It's too easy to hack passwords (especially ones that a person would make), so use a random password generator to make the passwords. Most passwords for scripts or logins should have a minimum of 8 characters and for added security even 12 or 16.

Just to follow up further on this iFrame issue we have so far scanned 126 of our servers and have not had any other references to the live-counter site. All our servers are scanned by ScanAlert and ControlScan for PCI Compliance, and neither have detected intrusions through the server end of things, so this exploit through iFrame is very VERY odd.

Emerson · #30 10-22-2008, 04:50 PM

Yes, Scanalert scans all our servers too and has not picked up anything.

The more I search the more bizare this whole thing looks.
I just finished scanning all 54 servers we have and It has only been a handful of sites affected. Very very odd indeed.