Warning: Iframe based attacks using stolen FTP access info

 
X-Cart forums > News and Announcements
#131  10-25-2008, 04:19 PM  PuroPlacer (Advanced Member, Marbella, Spain)

Quote:
Originally Posted by Emerson
All access I've seen with this issue it was done via FTP login and it is clear in the logs.

I personally believe this is an aftermath of someone's helpdesk getting hacked into and these logins were obtained that way.

If it was a vulnerability and/or was using insecure FTP (as some have suggested here), this would have been a much more widespread issue and would have affected many more sites, not just a handful as we have seen. Also it would not have been limited to just X-Cart users, which seems to be the case so far.


Well, IF someone's helpdesk has been hacked, it is qualiteam, as one of these servers' info was ONLY given to them. I can say that with 100% certainty.

This issue is related to the x-cart software, no doubt about that.

I am kind of missing info from them here, this is an extremely serious issue, and I would expect them to come in and try to identify the source of the problem. Now.
-- PuroPlacer, X-Cart Pro 4.1.5
#132  10-25-2008, 04:23 PM  PuroPlacer (Advanced Member, Marbella, Spain)

Last one was live-counter.net and also this one:
http://hosttracker.net/?click=123456

Also, from googling it, it looks like an iframe attack?
Google "iframe attacks".
Edit: exploiting the code/PHP, I mean?
Again, I am not an expert on this.

Also, with FTP access, it seems very strange they have not caused total mayhem.
#133  10-25-2008, 05:18 PM  BCSE (X-Guru, Ohio - bcsengineering.com)

One thing to consider on how this happened is that the computer of someone who has access to these various X-cart sites was infected with a keylogger virus, which in turn provided FTP info to many sites. So it wouldn't necessarily have to be a helpdesk intrusion. It could simply be a PC intrusion on a key person or group of people.

We've had one client that we know of that has had this problem, and from our experience with them, there was no evidence of an X-cart vulnerability allowing them in. There was no suspicious activity noted in the HTTP logs, only activity in the FTP logs. They were also up to date on the security patches except for the ones this summer, which they had scheduled to do right at the same time this was found. That client also got infected by their *own* site by the keylogger (or possibly they were infected before the attack, which provided the FTP information; I don't think we know when they got infected).

Carrie
#134  10-26-2008, 05:08 AM  sunset (Advanced Member)

Hi Guys.

My store was exploited too. Livecounter and that hosttracker were displaying in my Mozilla status bar as my site was loading.

My host has been kind enough to check through some of my files and remove the iframe exploit, and has changed my cPanel password.

I have scanned my computer here... and it appears that two cookies just won't go away: "DoubleClick" and "Right Media". I am not game enough to go into my admin or cPanel for fear of them tracking me on my computer.

I'm not too tech savvy... and I'm sitting here like a stunned mullet not knowing where or what to do next... actually I could cry...

The worst bit was that when I was seeing this load in the browser status bar, I got an email from a client whose virus scanner detected something on my site. He was quick to mention the following:
"I am an experienced IT professional and wanted to let you know (just in case you don't) that your website contains malicious software which is trying to breach our computer via port 50244 each time we click on a link.
This doesn't really do much in the trust stakes for customers wanting to purchase online from your website. We do not feel safe providing our credit card details to purchase online.

Could I suggest forwarding this email to your website designers for action."
So a very embarrassing experience from my perspective.


I would be so grateful of any help.


Thanks guys.
-- Sunset, X-Cart Gold v4.1.8
#135  10-26-2008, 05:31 AM  photo (X-Wizard, UK)

Quote:
Originally Posted by sunset
My store was exploited too. Livecounter and that hosttracker were displaying in my Mozilla status bar as my site was loading. [...] I would be so grateful of any help.

You may want to give Spyware Detector a try. We use it on all the computers connected to our network along with other firewall/virus software.
-- photo, v4.1.10 (in dev: v4.5.x)
#136  10-26-2008, 05:37 AM  sunset (Advanced Member)

Hiya Photo - thanks very much for that. I shall do it right now. cheers.
#137  10-26-2008, 06:42 AM  Steve-C (Senior Member, England)

Just to add my 3 pennorth..

I couldn't log into cPanel last Friday or upload via FTP.

It turned out my password had been changed (not by me, and no one else here has access).

The weird thing is that the password was changed to the same password I use to log into Admin.

How / why would that happen?
-- Steve-C, X-Cart Gold v4.3.2 (X-AOM, Marketing Manager, On Sale)
#138  10-26-2008, 07:44 AM  tradedvdshop (Advanced Member, Kent, UK)

OK, I have an update too. I have installed Logwatch on my server, and it seems they have not given up; I have had the following attempts again:

authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:41.232.71.219 user=discworld: 8 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:41.232.243.187 user=discworld: 4 Time(s)

And this is every day so far, from the same IPs.
-- tradedvdshop, X-Cart version 4.1.3, http://www.discworlduk.co.uk
#139  10-26-2008, 07:46 AM  Ene (X-Cart team)

Hi,

My 2 cents.

Quote:
Support: i can not rely on any personal opinion as it would be the huge debate, but following method is most dangerous to use exec, passthru, unescape, base64, eval
Support: i can see many methods used on your sites
Support: also php has developed safe_mode - to prevent such issue, but it has been disabled due to the need of the application

Actually it is safe to use the exec/passthru/base64/eval functions. It isn't necessary to enable PHP's safe_mode option. But it is unnecessary to enable it, and safe to use these functions, only if your host is good and secure.

So a good host doesn't disable the 'base64' function. A good host just makes a secure environment in order to prevent hackers' attacks.

If a host thinks "Hackers use the base64 function in their PHP remote shells, let's disable this function!", it is like saying "People can kill using knives, let's forbid knives!"
:-)


Quote from http://www.mediawiki.org/wiki/Safe_mode :

Quote:
PHP's safe_mode is an ill-conceived, broken-by-design setting in PHP that is supposed to make broken scripts safe. It was deprecated in PHP5 and removed in PHP6

-----

Quote:
This issue is related to the x-cart software, no doubt about that.

Some facts.

1. Some X-Cart stores didn't post access info to the HelpDesk ever and they were hacked.

2. Not only X-Cart sites were hacked. See some links to the phpBB and webmasterworld forums.
Also:

* http://webhostplanet.org/please-help-about-this-iframe-wierd-iframe-live-counternet-hosttrackernet/
* http://www.vbulletinsetup.org/wordpress-isssue/

Why were many X-Cart sites (>10 sites) hacked? I have two ideas:

* because we have many clients, statistically some of them caught the virus that steals FTP passwords

* somehow a 3rd-party developer caught the virus and all his clients were hacked.

-----

Dear recommended hosting providers, Emerson, Conor and others. I suggest implementing the following modification on your and our servers.

1. A special shell script will parse all FTP logs every day.
2. If the script finds many uploads of 'index.php, index.html, main.php, default.php' files from one IP, it will send an email to the server administrator and add this IP to the firewall.
3. We will have a special thread on this forum where we will be able to post such suspicious IPs for others to ban these IPs as well.

What do you think?
-- Eugene Kaznacheev, ex-Head of X-Cart Tech Support Department, ex-X-Cart Hosting Manager, ex-X-Cart Technical Support Engineer (Evangelist/Product Manager at Ecwid, http://www.ecwid.com/, since Sept 2009)
Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
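The detector Ene sketches in the three numbered points above, written out as an added example; this is not X-Cart's, qualiteam's or any hosting provider's code. It assumes the FTP daemon writes the classic wu-ftpd/proftpd xferlog format (one transfer per line, direction field `i` for an upload, status `c` for a completed transfer, no spaces in filenames), flags any client IP that completes uploads of three or more distinct entry-point files, and also totals the Logwatch PAM failure lines quoted in tradedvdshop's post so that both sources key on the same IP (the `::ffff:` IPv4-mapped prefix is stripped). The xferlog sample is constructed from documentation IP ranges; the two Logwatch lines are the ones from the post. The iptables rules are rendered for an administrator to review, not executed.

```python
import re
from collections import Counter, defaultdict

# Entry-point files that an iframe-injection campaign overwrites in bulk.
WATCHED = {"index.php", "index.html", "index.htm", "main.php", "default.php"}

# Classic wu-ftpd / proftpd xferlog record (assumed format; one transfer per line):
#   <current-time> <transfer-time> <remote-host> <file-size> <filename>
#   <transfer-type> <special-action-flag> <direction> <access-mode> <username>
#   <service-name> <authentication-method> <authenticated-user-id> <completion-status>
# direction 'i' = upload to the server, status 'c' = completed transfer.
_XFERLOG = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuser>\S+) (?P<status>[ci])$"
)

# Logwatch's PAM summary line, in the shape quoted in tradedvdshop's post.
_PAM_SUMMARY = re.compile(r"rhost=(?P<host>\S+) user=(?P<user>\S+): (?P<n>\d+) Time\(s\)")


def strip_v4_mapped(host):
    """'::ffff:41.232.71.219' -> '41.232.71.219' so both log sources key on the same IP."""
    return host[7:] if host.lower().startswith("::ffff:") else host


def parse_xferlog(lines):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in lines:
        m = _XFERLOG.match(line.strip())
        if m:
            yield m.groupdict()


def suspicious_uploaders(lines, threshold=3):
    """Map IP -> sorted paths for clients that completed uploads of at least
    `threshold` distinct WATCHED files. Downloads and aborted transfers are ignored."""
    per_ip = defaultdict(set)
    for rec in parse_xferlog(lines):
        if rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["path"].rsplit("/", 1)[-1] in WATCHED:
            per_ip[strip_v4_mapped(rec["host"])].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in per_ip.items() if len(paths) >= threshold}


def pam_failure_counts(lines):
    """Sum Logwatch 'authentication failure' counts per source IP."""
    counts = Counter()
    for line in lines:
        m = _PAM_SUMMARY.search(line)
        if m:
            counts[strip_v4_mapped(m["host"])] += int(m["n"])
    return dict(counts)


def firewall_rules(ips):
    """Render iptables rules for an operator to review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


# Constructed sample xferlog (documentation IP ranges; not from a real server).
# 198.51.100.7 is the shop owner; 203.0.113.45 rewrites four entry files in
# seconds, aborts a fifth, and is the pattern Ene describes.
SAMPLE_XFERLOG = [
    "Sat Oct 25 03:12:07 2008 1 198.51.100.7 2048 /home/shop/public_html/images/P/banner.jpg b _ i r shop ftp 0 * c",
    "Sat Oct 25 03:14:22 2008 1 198.51.100.7 9120 /home/shop/public_html/skin1/customer/main/welcome.tpl a _ i r shop ftp 0 * c",
    "Sat Oct 25 04:01:02 2008 1 203.0.113.45 6431 /home/shop/public_html/index.php a _ i r shop ftp 0 * c",
    "Sat Oct 25 04:01:03 2008 1 203.0.113.45 1874 /home/shop/public_html/admin/index.php a _ i r shop ftp 0 * c",
    "Sat Oct 25 04:01:05 2008 1 203.0.113.45 5520 /home/shop/public_html/main.php a _ i r shop ftp 0 * c",
    "Sat Oct 25 04:01:06 2008 1 203.0.113.45 312 /home/shop/public_html/index.html a _ i r shop ftp 0 * c",
    "Sat Oct 25 04:01:09 2008 1 203.0.113.45 6431 /home/shop/public_html/default.php a _ i r shop ftp 0 * i",
    "Sat Oct 25 09:30:41 2008 1 198.51.100.7 6431 /home/shop/public_html/index.php a _ o r shop ftp 0 * c",
]
# The two Logwatch lines from tradedvdshop's post.
SAMPLE_LOGWATCH = [
    "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:41.232.71.219 user=discworld: 8 Time(s)",
    "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:41.232.243.187 user=discworld: 4 Time(s)",
]

if __name__ == "__main__":
    flagged = suspicious_uploaders(SAMPLE_XFERLOG)
    for ip, paths in flagged.items():
        print(f"{ip} uploaded {len(paths)} entry-point files: {', '.join(paths)}")
    print("\n".join(firewall_rules(flagged)))
    print(pam_failure_counts(SAMPLE_LOGWATCH))
```

Run it against yesterday's xferlog in a cron job and mail the rendered rules rather than applying them blindly: the legitimate owner restoring a backup also uploads every index.php at once, which is why the threshold counts distinct paths and why a human should confirm before an IP goes into the firewall.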
#140  10-26-2008, 07:51 AM  Ene (X-Cart team)

Also this X-Cart tool will help you to find out if your PHP scripts or templates are modified by hackers: http://www.x-cart.com/xcart_manual/online/?system_fingerprints.htm

If you see that some templates are modified and you didn't touch them -- it is time to check these files.
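What a fingerprint comparison of the kind Ene links to does, as an added example; this is not X-Cart's system_fingerprints tool and makes no claim about how that tool is implemented. It builds a SHA-256 manifest of the web root while the tree is known clean, later diffs the live tree against that manifest, and scans every modified or new file for an iframe whose host is not on your own allow-list (the two hosts named earlier in the thread appear in the constructed sample). The sample tree is built in memory; `load_tree()` builds the same mapping from a directory on disk, and `ALLOWED_HOSTS` is a placeholder you would fill in for your store.

```python
import hashlib
import os
import re

# <iframe ... src=...> with attributes in any order; src value runs to a quote, space or '>'.
_IFRAME = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?(?P<src>[^'\" >]+)", re.I)
# Host part of an absolute or protocol-relative URL; relative URLs have no host.
_HOST = re.compile(r"^(?:https?:)?//(?P<host>[^/:?#]+)", re.I)

# Hosts your own templates legitimately embed (placeholder; fill in for your store).
ALLOWED_HOSTS = frozenset({"www.example-shop.test"})


def load_tree(root, exts=(".php", ".html", ".htm", ".tpl", ".js")):
    """Read every file under root with one of exts into {relative_path: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


def fingerprint(files):
    """{path: sha256 hex}. Store the baseline off the server, right after a clean install or patch."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Return (modified, added, removed) sorted path lists between two manifests."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def foreign_iframes(data, allowed_hosts=ALLOWED_HOSTS):
    """src values of iframes whose host is absolute and not in allowed_hosts.
    Same-origin (relative) iframes are not reported."""
    text = data.decode("utf-8", "replace")
    hits = []
    for m in _IFRAME.finditer(text):
        h = _HOST.match(m["src"])
        if h and h["host"].lower() not in allowed_hosts:
            hits.append(m["src"])
    return hits


def audit(baseline, files, allowed_hosts=ALLOWED_HOSTS):
    """Diff `files` against the baseline and scan each changed or new file for foreign iframes."""
    modified, added, removed = compare(baseline, fingerprint(files))
    iframes = {}
    for path in modified + added:
        found = foreign_iframes(files[path], allowed_hosts)
        if found:
            iframes[path] = found
    return {"modified": modified, "added": added, "removed": removed, "iframes": iframes}


# Constructed sample tree: a clean install, then the same tree after an injection
# that appends a hidden iframe to index.php and drops a new main.php.
CLEAN = {
    "index.php": b"<?php\nrequire './init.php';\n",
    "skin1/customer/home.tpl": b'<html><body>{include file="customer/main/welcome.tpl"}</body></html>\n',
    "skin1/customer/main/welcome.tpl": b"<p>Welcome to our shop</p>\n",
}
BASELINE = fingerprint(CLEAN)

INFECTED = dict(CLEAN)
INFECTED["index.php"] = CLEAN["index.php"] + b'<iframe src="http://hosttracker.net/?click=123456" width=0 height=0></iframe>\n'
INFECTED["main.php"] = b"<html><body><iframe src='http://live-counter.net/' style='visibility:hidden'></iframe></body></html>\n"

if __name__ == "__main__":
    report = audit(BASELINE, INFECTED)
    for kind in ("modified", "added", "removed"):
        print(kind, report[kind])
    for path, srcs in report["iframes"].items():
        print(f"{path}: foreign iframe(s) -> {srcs}")
```

The manifest only proves anything if the attacker could not rewrite it with the same stolen FTP login, so keep it outside the web root and off the server; and a file that changed without containing an iframe is still worth opening, since the same access can drop a PHP backdoor that no iframe scan will see.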