Warning: Iframe based attacks using stolen FTP access info

 
X-Cart forums > News and Announcements

#71 bigredseo, 10-23-2008, 11:10 AM

There are two methods on the hosts list. While we don't use Windows servers (only Unix) and our staff mainly use Linux desktops, here's the deal on the Windows hosts list:

The host (your web server guys) should be checking that file for any anomalies, however the USERS file can also be affected:

http://en.wikipedia.org/wiki/Hosts_file

Basically the file should be BLANK or at a minimum, known IPs. These are generally used to speed up searches and destinations on the web. Some people edit this file when they are moving sites from one server to another and want to test things.

Anyway, the file should be empty. Open the HOSTS file with Notepad and make sure the file doesn't have anything in it. If there's something in it, then essentially what it's doing is trying to reroute you to another location.

If for example it has "yahoo.com" and then an IP number beside it, then that's probably fraud. Delete the line, and let it pick up yahoo on its own.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance

#72 Emerson, 10-23-2008, 11:10 AM

Quote:
Originally Posted by pixellogo
Yes please I beg of you to elaborate more on that local computer check.

I'll do your laundry mate.

/me hands you some stinky socks
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers

#73 Manic, 10-23-2008, 11:17 AM

Quote:
Originally Posted by Emerson
Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts".
Open it with notepad and make sure that no entries have been made there.

A stock, untouched file looks like the one below:


If you see any entry other than 127.0.0.1 localhost your computer has been compromised.

By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.

For example. Let's say that yoursite.com is supposed to point to 11.11.11.11
A hacker can edit the hosts file and add the following entry:
22.22.22.22 yoursite.com

So when you type yoursite.com in your browser, you will actually be visiting the site at 22.22.22.22 and not 11.11.11.11
This can be used to further collect any logins you try at that site, etc...

Scary, huh?

Emerson, I opened my "hosts" file with notepad and only found this:
127.0.0.1 localhost

I am OK then?
__________________
X-Cart Gold 4.1.9
Smart Search (from Altered Cart)
DSEFU Pro
Product Meta Tags Plus
Category Meta Title Control
Latest Additions (BCSE)
Remember Me login
FireTank's Feed Manager
Lightbox (BCSE)
EWD Hosting

#74 bigredseo, 10-23-2008, 11:22 AM

Yes. If that's all that's in there, then you're fine.

#75 tradedvdshop, 10-23-2008, 11:24 AM

OK, now I understand. My PC is all OK, thank god.

I have looked at the FTP log file and it seems they gained access on the 1st October. The only work I have had done in this period was by xcart support???
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk



#76 Manic, 10-23-2008, 11:25 AM

Thank you!
But I guess I won't be doing any online banking until this whole thing blows over.

#77 pixellogo, 10-23-2008, 11:27 AM

Thanks for that info Emerson.

None of our units are compromised, it's driving us crazy how this punk has gotten access...

I wouldn't be surprised if he is an X-Cart copy holder and he's monitoring this forum...
__________________
Logo Design By Pixellogo
X-Cart 4.0.15

#78 pixellogo, 10-23-2008, 11:28 AM

Quote:
Originally Posted by Emerson
/me hands you some stinky socks

*Peter trying to decide which Tide to use, with or without Febreeze... These are some stinky socks!*


#79 Emerson, 10-23-2008, 11:54 AM

Quote:
Originally Posted by pixellogo
*Peter trying to decide which Tide to use, with or without Febreeze... These are some stinky socks!*


Might wanna go for pure bleach lol

As far as safe, don't feel too safe if your hosts file has not been tampered with, as there still could be other problems.

As far as I see there are only 2 ways here that this information has been obtained by the crooks:

1. There has been a major security breach where a concentration on logins has been reached. This could be from a helpdesk of any developer that you have done business with and provided them with FTP login so they could work on your site.

2. Your computer is infected with a keylogger that is sending the login info to the hackers.


Until we find out for sure how they are getting these logins no one is safe unfortunately.

#80 photo, 10-23-2008, 11:55 AM

Quote:
Originally Posted by Emerson
Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts".
Open it with notepad and make sure that no entries have been made there.

A stock, untouched file looks like the one below:


If you see any entry other than 127.0.0.1 localhost your computer has been compromised.

By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.

For example. Let's say that yoursite.com is supposed to point to 11.11.11.11
A hacker can edit the hosts file and add the following entry:
22.22.22.22 yoursite.com

So when you type yoursite.com in your browser, you will actually be visiting the site at 22.22.22.22 and not 11.11.11.11
This can be used to further collect any logins you try at that site, etc...

Scary, huh?

Just checked mine and it has the following two entries,

127.0.0.1 localhost
::1 localhost

Is the 2nd one anything to be concerned about?

Thanks
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
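
The hosts-file check described in this thread, as an added example (not code from any poster): a Python script that parses hosts-file text and lists every entry other than a loopback mapping of localhost for review, so both 127.0.0.1 localhost and ::1 localhost (the IPv6 loopback address) pass. The sample input is constructed, and the names audit_hosts and load_hosts are this example's own.

```python
import ipaddress

# Constructed sample: the stock entries from the thread plus the redirect
# example from the quoted post (22.22.22.22 yoursite.com).
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1 localhost
::1 localhost
22.22.22.22 yoursite.com www.yoursite.com  # injected redirect
not-an-ip broken.example
"""

def audit_hosts(text):
    """Return (line_no, address, names, reason) for every entry that is not
    a plain loopback mapping of 'localhost'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]  # one address, many names
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        if not ip.is_loopback:
            findings.append((line_no, address, names,
                             "name pinned to non-loopback address"))
        elif any(n.lower() != "localhost" for n in names):
            findings.append((line_no, address, names,
                             "non-localhost name on loopback"))
    return findings

def load_hosts(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    # Path as given in the thread; other systems differ (assumption).
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To audit a real machine, pass the result of load_hosts() to audit_hosts() in place of the sample text.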

All times are GMT -8.