Warning: Iframe based attacks using stolen FTP access info

 
#51
10-22-2008, 10:03 PM
Jon
X-Guru
Join Date: Oct 2002
Location: Vancouver, Canada
Posts: 4,200

Re: Warning: Iframe based attacks using stolen FTP access info

First IP was Egypt and now their IP is Phoenix/US - somehow I think the change didn't involve an airplane.

#52
10-22-2008, 11:04 PM
gb2world
X-Wizard
Join Date: May 2006
Location: Austin, TX
Posts: 1,970

FYI -
I'm trying to get as much reassurance as I can that this attack is centered only on adding the iframe to index files & not anything else. With Conor's help at Hands-On (they have been very responsive) - I've not only removed all the files with the Iframe "live-counter" code in them - but I've also reviewed every file modified since the Oct 7-8 time frame. I did find a few other files that were replaced - they did not have the iframe code, but someone did modify them on Oct 8th. I also checked the database. I looked at the xcart_config table and did not find anything unusual. Also looked at the xcart_customers table in case there were any unknown accounts added. I have not been able to find any other hack attempts. So - hopefully the attack was not targeting X-CART - they may not have been trying to exploit XCART specifically - instead, just trying to spread their virus using the index files. (fingers crossed).

For me - a few files were updated on the 8th. On the 18th, an empty index file at the root was uploaded. Then, on the 22nd, a couple of other files were modified with the iframe code.
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)

#53
10-22-2008, 11:17 PM
pauldodman
X-Guru
Join Date: Jul 2003
Location: Spain / UK
Posts: 3,054

Hi Emerson,

Yes that is exactly what I've seen - just got another one this morning reported to me - an Australian site this time. Further, which I've not seen before, this one I am being told:
"there is a message about a Trojan coming up - JS/Kryptik.B Trojan is the threat."
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.

#54
10-23-2008, 02:57 AM
verbic
X-Cart team
Join Date: Sep 2002
Posts: 310

Hello,

My name is Dmitry Verbichenko, I'm Qualiteam's CIO. Thank you for bringing this issue to our attention.
We already did some preliminary investigation and so far did not find any signs that HelpDesk or other corporate systems were compromised.
However, to be absolutely sure, we need some assistance from you.
Balinor, pauldodman, Emerson, gb2world or anyone who experienced or witnessed such incidents, could you please PM me the company name or license URLs of shops that were compromised? We will do a close inspection of their HelpDesk accounts for suspicious activity or other signs of compromise.
Thank you in advance.
__________________
Sincerely Yours,
Dmitry Verbichenko
Chief Information Officer

#55
10-23-2008, 05:32 AM
Dongan
X-Wizard
Join Date: Jul 2005
Location: www.mercuryminds.com
Posts: 1,531

Hi Guys,

One of our clients faced the problem.

Here is the issue history:

An iframe was added to the index file on Oct 8th (the site it refers to is live-counter.net). We traced the log and it was from Egypt. We cleaned up and changed the FTP passwords and other details. Ran the scan and it was OK.

Again on Oct 20th, affected again. The hosting team traced the IP, the report is "the only IP uploading today has been: 79.133.83.154 via FTP."

We cleaned up and changed all the passwords.

Let's see what happens in coming days. We are still investigating.

If anyone finds solutions/information, please share here.

#56
10-23-2008, 05:46 AM
BCSE
X-Guru
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 3,071

You guys may want to review this article as well. Our client found it on the zlob virus.

http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!

#57
10-23-2008, 06:04 AM
verbic
X-Cart team
Join Date: Sep 2002
Posts: 310

Quote:
Originally Posted by Dongan
Hi Guys,
One of our clients faced the problem.

Hello Dongan,

Can you please PM me the name of the client who had this issue as it is written in our HelpDesk so I can identify his account?

Quote:
Originally Posted by Dongan
Hi Guys,
Again Oct 20th, again affected. The hosting team traced the IP, the report is "the only IP uploading today has been: 79.133.83.154 via FTP."

This is our corporate proxy. Are you sure that your client did not interact with our support team that day?
__________________
Sincerely Yours,
Dmitry Verbichenko
Chief Information Officer

Last edited by verbic : 10-23-2008 at 06:07 AM.

#58
10-23-2008, 06:29 AM
Dongan
X-Wizard
Join Date: Jul 2005
Location: www.mercuryminds.com
Posts: 1,531

Quote:
Originally Posted by verbic
Hello Dongan,

Can you please PM me the name of the client who had this issue as it is written in our HelpDesk so I can identify his account?



This is our corporate proxy. Are you sure that your client did not interact with our support team that day?

Hi,

Sent you a PM.

#59
10-23-2008, 08:02 AM
tradedvdshop
Advanced Member
Join Date: Jun 2007
Location: Kent UK
Posts: 30

Hi,
Guys, I have just had my FTP accessed as well; they have done the same, installed the iframe on my index pages.

Nightmare!!!
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk



#60
10-23-2008, 08:44 AM
tradedvdshop
Advanced Member
Join Date: Jun 2007
Location: Kent UK
Posts: 30

Quick update
We have done a scan on our server and there are loads, all directing to live-counter.net
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk
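
Added example, not part of the original thread and not X-Cart code: a Python sketch of the clean-up review described in posts #52 and #60, sorting files under a web root into those carrying an iframe to live-counter.net, zero-byte index files, and files changed since the Oct 7 cutoff that carry no iframe. The function names and the sample tree built in `demo()` are constructed for illustration; the domain and cutoff date come from the posts.

```python
import os, re, tempfile
from datetime import datetime

def iframe_re(host):
    """Regex for an <iframe> tag whose src points at host (any scheme/subdomain)."""
    return re.compile(
        rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?[^\"'>\s]*" + re.escape(host.encode()),
        re.IGNORECASE)

def triage(root, host, since):
    """Classify files under root: 'injected' (iframe to host), 'empty_index'
    (zero-byte index.*), 'modified' (changed on/after `since`, no iframe)."""
    pat, cutoff = iframe_re(host), since.timestamp()
    report = {"injected": [], "empty_index": [], "modified": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if pat.search(data):
                report["injected"].append(rel)
            elif st.st_size == 0 and name.lower().startswith("index."):
                report["empty_index"].append(rel)
            elif st.st_mtime >= cutoff:
                report["modified"].append(rel)  # replaced file without the iframe
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Build a constructed web root (sample data, not from the thread) and triage it."""
    since = datetime(2008, 10, 7)
    old = datetime(2008, 9, 1).timestamp()
    new = datetime(2008, 10, 8, 12).timestamp()
    samples = {  # relative path: (content, mtime)
        "index.php": (b'<iframe src="http://live-counter.net/x" width=1></iframe>', new),
        "home.html": (b"<html>clean</html>", old),
        "include/func.php": (b"<?php /* replaced, no iframe */ ?>", new),
        "skin1/index.html": (b"", new),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mtime) in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (mtime, mtime))
        return triage(root, "live-counter.net", since)
```

Modification times can be reset by whoever holds the FTP login, so the 'modified' list is a starting point for review and not proof that older files are untouched.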

