Warning: Iframe based attacks using stolen FTP access info

 
  #81  
Old 10-23-2008, 11:58 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by photo
Just checked mine and it has the following two entries,

127.0.0.1 localhost
::1 localhost

is the 2nd one anything to be concerned about?

Thanks

That is OK.
::1 localhost is for IPv6. Not to worry.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
  #82  
Old 10-23-2008, 12:01 PM
  photo's Avatar 
photo photo is offline
 

X-Wizard
  
Join Date: Feb 2006
Location: UK
Posts: 1,146
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Emerson
That is OK.
::1 localhost is for IPv6. Not to worry.

That's good to know! Thanks Emerson.
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
  #83  
Old 10-23-2008, 12:05 PM
 
pixellogo pixellogo is offline
 

Advanced Member
  
Join Date: Oct 2005
Posts: 54
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Emerson,

Drinks are on me if ever you visit Montreal. Thanks for all the detailed help in this thread mate.
__________________
Logo Design By Pixellogo
X-Cart 4.0.15
  #84  
Old 10-23-2008, 12:14 PM
 
manolodf manolodf is offline
 

Advanced Member
  
Join Date: Jun 2003
Posts: 50
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Emerson beat me to it, but yes, if you see anything other than
127.0.0.1 localhost
in there that you did not manually put in for whatever reason, then your DNS is compromised, meaning everything is routed through the "hacker's network" so they can do a lot of evil things. DNS hacking, I believe, is what it's called, but just take a quick look on any machines you use to access your site, especially any using FTP or Admin, just to be sure.

Be concerned if you see something like this, where 111.111.111.111 is a random IP you don't recognize:

111.111.111.111 yourdomain.com
or
111.111.111.111 *
  #85  
Old 10-23-2008, 12:17 PM
 
manolodf manolodf is offline
 

Advanced Member
  
Join Date: Jun 2003
Posts: 50
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Manic
Thank you!
But I guess I won't be doing any online banking until this whole thing blows over.

DNS hacking does play a role in stealing information, but normally more for PayPal etc. Normally in online banking they can't do too much as your bank protects you, but do make sure you are protected. A pretty good spyware checker is Spybot S&D if you guys want to just run it; it's free.
  #86  
Old 10-23-2008, 12:18 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Spybot WILL put entries in your hosts file, so don't freak if you have that program installed and see extra entries
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
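
An added example, not part of any post in this thread: a small hosts-file audit covering the check described in posts #84 and #86. It separates the normal localhost lines, loopback "sinkhole" lines of the kind blocklist tools add (an assumption about what such tools write), and names pointed at a non-local address, which are the ones to review. The verdict labels and sample lines are constructed for illustration.

```python
import ipaddress
import os
import sys

# Names that legitimately point at loopback on a clean machine.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample; 111.111.111.111 / yourdomain.com are the thread's placeholders.
SAMPLE = """\
127.0.0.1 localhost
::1 localhost
# blocklist-style lines of the kind an anti-spyware tool adds (constructed)
127.0.0.1 ads.example.net
0.0.0.0 tracker.example.org
111.111.111.111 yourdomain.com   # unexpected remote address
not-an-ip shop.example.com
"""

def audit_hosts(text):
    """Return (line_no, verdict, address, name) for every hosts entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete line
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.extend((line_no, "malformed", addr, n) for n in names)
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                # Loopback/0.0.0.0 targets block a name rather than redirect it.
                verdict = "ok" if name.lower() in LOOPBACK_NAMES else "sinkhole"
            else:
                verdict = "review"              # name forced to a non-local address
            findings.append((line_no, verdict, addr, name))
    return findings

def default_hosts_path():
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, verdict, addr, name in audit_hosts(fh.read()):
            if verdict != "ok":
                print(f"{path}:{line_no}: {verdict}: {addr} -> {name}")
```

A "review" verdict is not proof of compromise: entries added by hand for an intranet or staging server land there too, so compare them against what you know you put in.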
  #87  
Old 10-23-2008, 12:23 PM
 
tradedvdshop tradedvdshop is offline
 

Advanced Member
  
Join Date: Jun 2007
Location: Kent UK
Posts: 30
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I think I have got all the files cleared but still my web page is white??

Would this be the cache on my server or something? Any ideas?
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


  #88  
Old 10-23-2008, 12:24 PM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

My guess - yes, cache. Clear your templates_c and let them rebuild. Either that or you have an error in PHP somewhere and it's not building the page.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
  #89  
Old 10-23-2008, 01:16 PM
 
Acquamarina Acquamarina is offline
 

X-Adept
  
Join Date: Aug 2006
Location: USA
Posts: 811
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

My site was compromised, and 2 things that were different on October 20th - I use PcCillin and run scans 2 times a week, with automated updates at any given time. On October 20th, I got the following:

PAK_Generic.001 on October 20. 2008
Unable to Quarantine
Aliases: Generic, Mal/Packer, W32/Sality.M, Win32/Puper.8ke!Trojan, Win32/Sality!generic

I followed the file location immediately but could not find the file. Did a full scan (about 6 hours) and the file was then found and properly quarantined. I deleted it immediately and emptied the TrashBin (for whatever that's worth) then today, could not log in to ftp.

I also noticed that the new version of PCCillin Trend Micro Internet Security shuts down when it's updating automatically, which is utterly stupid as it leaves your pc unprotected. Don't know how to change that though, it's a serious flaw, but I am calling them now.

On 10/10 I started to get blank page syndrome in admin, don't know if it's related.

The other thing that is new for me is Twitter. Is anyone else using Twitter? Since it works as IM does it could be used to deliver viruses, couldn't it?

I also contacted x-cart helpdesk as they had the log in for my ftp.

A million thanks to Emerson for helping me with this. Emerson, you rock! EWDhosting is the best!
__________________
Vera B
4.4.5
CFLSystems.com mods, Kosmos eBay Integration, Feed Manager Pro, custom mods, BCSEngineering Mods, CDSEO PRO
Hosting by EWDHosting - The best home for your x-cart.
  #90  
Old 10-23-2008, 01:31 PM
 
manolodf manolodf is offline
 

Advanced Member
  
Join Date: Jun 2003
Posts: 50
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Acquamarina
My site was compromised, and 2 things that were different on October 20th - I use PcCillin and run scans 2 times a week, with automated updates at any given time. On October 20th, I got the following:

PAK_Generic.001 on October 20. 2008
Unable to Quarantine
Aliases: Generic, Mal/Packer, W32/Sality.M, Win32/Puper.8ke!Trojan, Win32/Sality!generic

I followed the file location immediately but could not find the file. Did a full scan (about 6 hours) and the file was then found and properly quarantined. I deleted it immediately and emptied the TrashBin (for whatever that's worth) then today, could not log in to ftp.

I also noticed that the new version of PCCillin Trend Micro Internet Security shuts down when it's updating automatically, which is utterly stupid as it leaves your pc unprotected. Don't know how to change that though, it's a serious flaw, but I am calling them now.

On 10/10 I started to get blank page syndrome in admin, don't know if it's related.

The other thing that is new for me is Twitter. Is anyone else using Twitter? Since it works as IM does it could be used to deliver viruses, couldn't it?

I also contacted x-cart helpdesk as they had the log in for my ftp.

A million thanks to Emerson for helping me with this. Emerson, you rock! EWDhosting is the best!

What I would do is grab a portable scanner like a portable Nod32 to run a quick scan. Some viruses do make the effort to butcher the antivirus from updating, scanning, installing etc., which is why running one from a USB drive might be a good bet to at least get a preliminary cleaning going. What FTP program do you use, and was one of the quarantined files maybe the FTP program or one of the access files that holds your FTP information? Perhaps a virus is targeting certain FTP programs and their information file, decrypting and sending them on your next attempt. Just a guess.
All times are GMT -8.

   

 
X-Cart forums © 2001-2020