Warning: Iframe based attacks using stolen FTP access info
#171
Re: Warning: Iframe based attacks using stolen FTP access info
Balinor - I have NAV. I'm going to close everything and run a scan right now.
__________________
X-Cart version 4.0.17 X-Cart version 4.0.18 Web servers = Apache OS = Linux
#172
Re: Warning: Iframe based attacks using stolen FTP access info
Check your Norton logs as well - when I hit a site that had it, Norton logged the attack and blocked it.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#173
Re: Warning: Iframe based attacks using stolen FTP access info
My virus definitions are up-to-date, and a full Norton scan of C: came up clean.
I use NoScript (http://noscript.net/) in Firefox, so I believe that prevented any code from being sent through FF. If anybody is familiar with NoScript and can confirm that it would prevent this attack, I'd appreciate it. For now, I'm going to assume I'm in the clear. Well, it's a lesson. I'm so used to just clicking the link in the forum email without reading it - never again!
__________________
X-Cart version 4.0.17 X-Cart version 4.0.18 Web servers = Apache OS = Linux
#174
Re: Warning: Iframe based attacks using stolen FTP access info
If this FTP info was leaked/compromised, there are ONLY 2 possible sources:

1. Qualiteam
2. Another company, which shall remain nameless for now, but has posted in this thread, that did some modifications.

And that's all there is to it. And no, our computers were not compromised. We have quite a few servers around, both in the US and in Europe, most all of them in adult, high traffic, with tons of scripts; however, the ONLY servers affected are the ones with x-cart installed, and that have been worked on by 1/2 (see above).
__________________
PuroPlacer X-Cart version X-Cart Pro 4.1.5
#175
Re: Warning: Iframe based attacks using stolen FTP access info
Mates,
Any hack reports today? Has anybody had any problems today? I'm wondering if they've given up or our security attempts have been successful. Good luck everybody.
#176
Re: Warning: Iframe based attacks using stolen FTP access info
Well hopefully the e-mail that went out earlier with the infected site linked in it wasn't clicked on by that many people or this whole process may start over again
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#177
Re: Warning: Iframe based attacks using stolen FTP access info
What I don't get is what do they have to benefit from all this... Just bragging rights?
#178
Re: Warning: Iframe based attacks using stolen FTP access info
Whoever mentioned that a keylogger could be responsible, keep in mind that keyloggers record keystrokes, they don't scan programs for logins/password (at least if you are truly referring to something as a keylogger which logs keystrokes).
Most people will have their FTP information stored in an FTP program, so the likelihood that someone is manually logging into their FTP server after being infected is a bit unrealistic. Like others have already mentioned, this sounds like someone's support area was compromised and this is why you should never give out production login/passwords to anyone else. If Qualiteam requests login info, you should be creating an additional login for them which should get disabled/deleted after they look at their issue.
__________________
X-Cart Gold v. 4.1.10
#179
Re: Warning: Iframe based attacks using stolen FTP access info
What a mess! I got done cleaning out 3 of my sites today. Though I didn't count how many files, I did notice a pattern though. It seems like this was some kind of bot going around and making the changes to the FTP servers because in all 3 of my sites, I can remember the following areas being affected:
1. index.html files were embedded with images from the hack group and the code had the iframe attack in it. Then this html file would be put into several directories.
2. The index of "www" was infected with a similar html file, then another php file.
3. Marketing manager, most 3rd party apps would be infected. For almost 2 weeks I wondered why MM and feed manager stopped working!
4. The smarty template system was also infected.

This is/was a huge mess and unfortunately, I did not have the kind of support that a lot of you had so the leg work was all manual editing. I just logged into my ftp and went 1 directory/sub directory at a time and looked for files recently changed. Between the 3 sites I manually changed, the oldest exploit was on Oct 8th and the most recent one was yesterday. I got 1 more site to go but now I'm exhausted.

Oh and I forgot to mention, I LOST TONS OF BUSINESS because of this. On one of my sites, people would sign up and then would not finish through the checkout - I always wondered about that. I am using AVG free edition but after I did a complete scan, it found two trojan viruses in my PC and just today, I've done like 5 scans with AVG and Adaware. I'm kinda paranoid now.

So, what now? What happens if my dbases are compromised, that is beyond my knowledge. Anyone care to jump in with suggestions? How are the rest of you doing with your exploited sites?
#180
Re: Warning: Iframe based attacks using stolen FTP access info
They are back again at my site too. Thought we had got rid of everything. My hosting provider took care of the files for me.
I am waiting on a response from them for today's exploits, but time is ticking away and I'm losing clients. In the meantime, I am too worried to go into my ftp program or mozilla/explorer, for fear of them doing more damage. I have just lost another client too. I got an email error message back from my store admin that her PayPal payment couldn't be processed. Don't know if it has anything to do with the hacks.

[billmes] => Declined Status: None Reason: none ( TransactionType: none) Error: Express Checkout token is missing. (Code: 10408, Severity: )

Could anyone offer some advice as to the best way to securely approach my cpanel to see what files may have been changed? My computer is clean of all virus, malware etc. Many thanks
__________________
Sunset X-Cart Gold v4.1.8
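
Post #179 describes going through each directory over FTP looking for recently changed files and injected iframes, and post #180 asks how to see which files changed. The sketch below is an added example, not posted by anyone in the thread, that does the same pass over a downloaded copy of the web root; the function names, the extension list and the "hidden iframe" heuristic are assumptions, and the sample files are constructed.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# File types named in the thread's cleanup notes: HTML, PHP, Smarty templates (.tpl).
WEB_EXTENSIONS = {".html", ".htm", ".php", ".tpl"}
IFRAME_TAG = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
# Assumed heuristic: an injected frame is sized or styled so visitors never see it.
HIDDEN_HINT = re.compile(
    rb"(?i)(?:width|height)\s*=\s*[\"']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden")


def scan_webroot(root, since_epoch):
    """List web files changed at/after since_epoch or containing an iframe."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            recent = path.stat().st_mtime >= since_epoch
            tags = IFRAME_TAG.findall(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if recent or tags:
            hidden = any(HIDDEN_HINT.search(tag) for tag in tags)
            findings.append({"path": path.relative_to(root).as_posix(), "recent": recent,
                             "iframes": len(tags), "hidden": hidden})
    # Hidden iframes first, then any iframe, then plain recent changes.
    findings.sort(key=lambda f: (not f["hidden"], f["iframes"] == 0, f["path"]))
    return findings


def demo():
    now = time.time()
    samples = {  # constructed sample files, invented for this example
        "index.html": (b'<p>shop</p><iframe src="http://example.invalid/" width=0 height=0></iframe>', now),
        "skin1/home.tpl": (b"<h1>{$title}</h1>", now),
        "old/about.php": (b"<?php echo 'about'; ?>", now - 90 * 86400),
        "old/map.html": (b'<iframe src="/map.html" width="600"></iframe>', now - 90 * 86400),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mtime) in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
            os.utime(target, (mtime, mtime))
        return scan_webroot(root, now - 14 * 86400)
```

Modification times can be reset by whoever holds the FTP login, which is why the iframe check runs on every web file regardless of its date; an old file with an iframe still shows up in the report.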
X-Cart forums © 2001-2020