 

Warning: Iframe based attacks using stolen FTP access info

 
  #171  
Old 10-28-2008, 12:45 PM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Balinor - I have NAV. I'm going to close everything and run a scan right now.
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
  #172  
Old 10-28-2008, 12:46 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Check your Norton logs as well - when I hit a site that had it, Norton logged the attack and blocked it.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #173  
Old 10-28-2008, 02:32 PM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

My virus definitions are up-to-date, and a full Norton scan of C: came up clean.

I use NoScript (http://noscript.net/) in Firefox, so I believe that prevented any code from being sent through FF. If anybody is familiar with NoScript and can confirm that it would prevent this attack, I'd appreciate it.

For now, I'm going to assume I'm in the clear.

Well, it's a lesson. I'm so used to just clicking the link in the forum email without reading it - never again!
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
  #174  
Old 10-28-2008, 02:57 PM
 
PuroPlacer PuroPlacer is offline
 

Advanced Member
  
Join Date: Jan 2007
Location: Marbella, Spain
Posts: 61
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

If this FTP info was leaked/compromised, there are ONLY 2 possible sources
1. Qualiteam
2. Another company, which shall remain nameless for now, but have posted in this thread, that did some modifications.

And that's all there is to it. And no, our computers were not compromised.
We have quite a few servers around, both in the US and in Europe, most all of them in adult, high traffic, with tons of scripts, however the ONLY servers affected are the ones with x-cart installed, and that have been worked on by 1/2 (see above)
__________________
PuroPlacer
X-Cart version
X-Cart Pro 4.1.5
  #175  
Old 10-28-2008, 03:32 PM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Mates,

Any hack reports today? Has anybody had any problems today?

I'm wondering if they've given up or our security attempts have been successful.

Good luck everybody.
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
  #176  
Old 10-28-2008, 03:54 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Well hopefully the e-mail that went out earlier with the infected site linked in it wasn't clicked on by that many people or this whole process may start over again.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #177  
Old 10-28-2008, 04:00 PM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

What I don't get is what do they have to benefit from all this... Just bragging rights?
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
  #178  
Old 10-29-2008, 04:09 PM
 
somekindahate somekindahate is offline
 

Advanced Member
  
Join Date: Apr 2007
Posts: 84
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Whoever mentioned that a keylogger could be responsible, keep in mind that keyloggers record keystrokes, they don't scan programs for logins/password (at least if you are truly referring to something as a keylogger which logs keystrokes).

Most people will have their FTP information stored in a FTP program, so the likelihood that someone is manually logging into their FTP server after being infected is a bit unrealistic.

Like others have already mentioned, this sounds like someone's support area was compromised and this is why you should never give out production login/passwords to anyone else. If Qualiteam requests login info, you should be creating an additional login for them which should get disabled/deleted after they look at their issue.
__________________
X-Cart Gold v. 4.1.10
  #179  
Old 10-29-2008, 04:18 PM
 
TWS Accessories TWS Accessories is offline
 

eXpert
  
Join Date: Sep 2004
Posts: 236
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

What a mess! I got done cleaning out 3 of my sites today. Though I didn't count how many files, I did notice a pattern though. It seems like this was some kind of bot going around and making the changes to the FTP servers because in all 3 of my sites, I can remember the following areas being affected:

1. index.html files were embedded with images from the hack group and the code had the iframe attack in it. Then this html file would be put into several directories.

2. The index of "www" was infected with a similar html file then another php file.

3. Marketing manager, most 3rd party apps would be infected. For almost 2 weeks I wondered why MM and feed manager stopped working!

4. The smarty template system was also infected.

This is/was a huge mess and unfortunately, I did not have the kind of support that a lot of you had so the leg work was all manual editing. I just logged into my ftp and went 1 directory/sub directory at a time and looked for files recently changed. Between the 3 sites I manually changed, the oldest exploit was on Oct 8th and the most recent one was yesterday. I got 1 more site to go but now I'm exhausted. Oh and I forgot to mention, I LOST TONS OF BUSINESS because of this. On one of my sites, people would sign up and then would not finish through the checkout - I always wondered about that. I am using AVG free edition but after I did a complete scan, it found two trojan viruses in my PC and just today, I've done like 5 scans with AVG and Adaware. I'm kinda paranoid now.

So, what now? What happens if my dbases are compromised, that is beyond my knowledge. Anyone care to jump in with suggestions?

How are the rest of you doing with your exploited sites?
  #180  
Old 10-29-2008, 04:44 PM
 
sunset sunset is offline
 

Advanced Member
  
Join Date: Jul 2007
Posts: 94
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

They are back again at my site too. Thought we had got rid of everything. My hosting provider took care of the files for me.
I am waiting on a response from them for today's exploits, but time is ticking away and I'm losing clients.

In the meantime, I am too worried to go into my ftp program or mozilla/explorer, for fear of them doing more damage. I have just lost another client too.

I got an email error message back from my store admin that her PayPal payment couldn't be processed. Don't know if it has anything to do with the hacks.
[billmes] => Declined Status: None Reason: none ( TransactionType: none) Error: Express Checkout token is missing. (Code: 10408, Severity: )

Could anyone offer some advice as to the best way to securely approach my cpanel to see what files may have been changed?

My computer is clean of all viruses, malware etc.

Many thanks
__________________
Sunset
X-Cart Gold v4.1.8
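
An added example, not part of any post in this thread: the manual "look for recently changed files" pass from post #179, which also answers the question in post #180, written as a script to run over a downloaded copy of the web root. The extension list, the hidden-frame heuristic and the sample files are assumptions constructed for illustration; the Oct 8th cutoff is the earliest change reported in post #179.

```python
import os, re, tempfile
from datetime import datetime

# File types the posts above report as tampered with (HTML, PHP, Smarty templates).
WEB_EXTS = {".html", ".htm", ".php", ".tpl", ".js"}
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
# Assumption: an injected frame is hidden with a 0/1-pixel size or a hiding style.
HIDDEN = re.compile(rb"(?:width|height)\s*[=:]\s*[\"']?\s*[01](?:px)?\b"
                    rb"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def scan(root, since):
    """Rows of (relative path, changed since cutoff?, iframe tags, hidden iframe tags)
    for every web file that is either recently modified or contains an iframe."""
    cutoff, rows = since.timestamp(), []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in WEB_EXTS or os.path.islink(path):
                continue
            recent = os.path.getmtime(path) >= cutoff
            with open(path, "rb") as fh:
                tags = IFRAME.findall(fh.read())
            hidden = sum(1 for t in tags if HIDDEN.search(t))
            # mtime can be reset by whoever holds the FTP login, so a file with an
            # iframe is reported even when it does not look recently changed.
            if recent or tags:
                rows.append((os.path.relpath(path, root), recent, len(tags), hidden))
    return sorted(rows)

def demo():
    """Build a constructed web root (not data from the thread) and scan it."""
    frame = b'<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
    samples = {  # relative path: (content, modification date)
        "index.html": (b"<html><body>shop</body>" + frame + b"</html>", datetime(2008, 10, 20)),
        "skin1/home.tpl": (b"{include file='head.tpl'}" + frame, datetime(2008, 9, 1)),
        "cart.php": (b"<?php echo 'cart'; ?>", datetime(2008, 10, 21)),
        "about.html": (b"<html>about us</html>", datetime(2008, 9, 1)),
        "help.html": (b'<iframe src="map.html" width="600"></iframe>', datetime(2008, 9, 1)),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, when) in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (when.timestamp(), when.timestamp()))
        return scan(root, datetime(2008, 10, 8))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The output is a review list, not a verdict: a recently changed file with no iframe (such as `cart.php` in the sample) still needs a diff against a clean copy of the same X-Cart version, since the posts above also mention injected PHP.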
All times are GMT -8.

   

 
X-Cart forums © 2001-2020