Warning: Iframe based attacks using stolen FTP access info

 
#221
12-01-2008, 08:17 AM
Emerson
X-Man
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by pauldodman
From what I can make out of the txt file, it'll strip out any hidden iframes, those with 0 width and/or height or with the "hidden" attribute.
Would that then affect Firetank mods? Anything visible, and therefore possibly genuine, would be ok.

Interesting!
Will check it out further.
Will need to find a customer using one of these mods and ask for access to the admin side so I can test it out.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers

#222
12-19-2008, 06:56 AM
dtherio
Advanced Member
Join Date: Jan 2003
Location: Dallas, Texas
Posts: 84

Re: Warning: Iframe based attacks using stolen FTP access info

Hi folks,

I have just recently re-setup my X-Cart store (actually in the process of getting it setup) and noticed this thread today. I wanted to comment that just last night I discovered one of my WordPress based sites had this exploit.

The exploit was in one of the posts, a post that I had made on the site back in early 2007 (the site has not been updated recently). Almost daily I would get emails of spammers posting spam comments on the site, however I do not allow comments to go live until approved.

I do not know how the exploit made it into my post, as when building and accessing that site I only used a Mac. According to Google (I had the warning show up when trying to access the site via Firefox) it claims my site is a source of an iframe exploit for 90 days.

FTP is not enabled on this site, just SFTP. I edited the post last night to remove the iframe and the traffic code (yep, they were checking how many page views my site got as well). I have also set the blog to require a user be registered before being able to post and require all users to be approved for their registration.

I expect the above steps will stop it on that site.

I mention this only to confirm that it happens on non-X-Cart sites as well. None of the other sites on this server had been compromised.

Dale
__________________
--
X-Cart 4.2, Fancy Categories, Affiliate

#223
12-22-2008, 10:02 AM
shellshack
Member
Join Date: Oct 2008
Posts: 15

Re: Warning: Iframe based attacks using stolen FTP access info

I just got hit with an iframe attack at seashellshack.com

This is the destination [removed by mod]

No one had access to my FTP, although I have not yet applied the new security patch.
__________________
4.1.11

#224
12-22-2008, 10:04 AM
balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: Warning: Iframe based attacks using stolen FTP access info

Please don't post links that appear in hacked sites.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#225
12-22-2008, 11:22 AM
shellshack
Member
Join Date: Oct 2008
Posts: 15

Re: Warning: Iframe based attacks using stolen FTP access info

It wasn't a link.

The "."s were replaced with "dot"s so everyone could use it to look for the problem on their sites. I might be a newb but I am not a complete idiot.
__________________
4.1.11

#226
12-22-2008, 11:51 AM
balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: Warning: Iframe based attacks using stolen FTP access info

It actually was a link; it probably just didn't go anywhere if you modified it. I removed it before I looked at it, as other not so bright people HAVE posted the iframe's links in this thread.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#227
12-23-2008, 06:36 AM
shellshack
Member
Join Date: Oct 2008
Posts: 15

Re: Warning: Iframe based attacks using stolen FTP access info

The IP for my attacker is 67.238.189.236, out of Winter Park, FL.

They injected iframes into all index, home, default and auth files plus admin/main, admin/admin/main, /include/include/login.php and more.

Then he changed the config file to collect credit card #s, added his IP as an allowed administrator and then hid that page from me.

This person is very familiar with X-Cart.
__________________
4.1.11
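
A defensive scan for the frames described in posts #221 and #227, added here as an example (it is not code from the thread, from the txt file mentioned in #221, or from X-Cart): it walks a web root and reports iframes with zero width or height, the `hidden` attribute, or a style that hides them. The function names, the list of file suffixes and the sample markup with its placeholder hosts are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

SCAN_SUFFIXES = {".php", ".html", ".htm", ".tpl"}  # assumed web-root file types
ZERO = re.compile(r"0+(\.0+)?(px|%)?", re.I)
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*0(?![\d.])", re.I)

def hidden_reason(attrs):
    """Say why an iframe is invisible to a visitor; None means it is visible."""
    if "hidden" in attrs:
        return "hidden attribute"
    for dim in ("width", "height"):
        if ZERO.fullmatch(attrs.get(dim, "")):
            return f"{dim}=0"
    if HIDING_CSS.search(attrs.get("style", "")):
        return "style hides frame"

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, reason, src)
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        reason = hidden_reason(a) if tag == "iframe" else None
        if reason:
            self.hits.append((self.getpos()[0], reason, a.get("src", "")))

def scan_text(text):
    finder = IframeFinder()
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Return (path, line, reason, src) for each hidden iframe in files under root."""
    files = (p for p in sorted(Path(root).rglob("*"))
             if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES)
    return [(str(p), *hit) for p in files
            for hit in scan_text(p.read_text(encoding="utf-8", errors="replace"))]

# Constructed sample: one visible frame, two hidden ones (hosts are placeholders).
SAMPLE = """<?php include "top.php"; ?>
<iframe src="/map.html" width="300" style="border-width:0"></iframe>
<iframe src="http://injected.example/in.php" width=0 height=0></iframe>
<IFRAME SRC="http://injected.example/x" style="visibility: hidden"></IFRAME>
"""
```

`HTMLParser` does not look inside `<script>` blocks, so frames written out by JavaScript need a separate check.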

#228
12-23-2008, 06:58 AM
EN4U
eXpert
Join Date: Feb 2008
Location: AZ
Posts: 379

Re: Warning: Iframe based attacks using stolen FTP access info

You have to wonder if that IP is part of this community and through our discussions we are giving out info. That would totally suck. Anyway, IP records for logins, I assume, can be gone through to verify if it exists, so we aren't giving the hacker a home to watch us all.

Just a thought....

Anyways, I just got my sites all patched to the newest of security releases. I hope all is sealed up now for this and other forms of low life.
__________________
Regards, Dan
X-Cart Gold Version 4.1.10

1 - One page checkout
2 - Image Generator
3 - CSDEO Pro
4 - Shop By Price
5 - Next - Previous
6 - On Sale
7 - Shop By Price

8 - Froogle & Google Base Feed
9 - Buy Together
10 - Customer Loyalty Points
11 - Customer Reward Points
Customer Reward Points Referral Add-on
12 - Product Reviews
13 - Other Custom Modifications
----------------------
http://www.townsqjewelry.com/
http://www.eroticnights4u.com/ <---- Adult Oriented - Toys

#229
12-28-2008, 10:37 AM
TA
eXpert
Join Date: Apr 2006
Posts: 303

Re: Warning: Iframe based attacks using stolen FTP access info

I just stumbled onto this thread. We were attacked on 10/8/08 by this same hacker. We noticed the insecure warning from IE. That was our first clue. I got on the phone right away with our server host and once I determined that files were changed, I closed down the web-site. Our host uploaded backup files to replace any that were changed, we changed all passwords and I shut down FTP access on our server. I rarely use FTP, so we are leaving it off for now. I usually work through cPanel file manager. Now that I know the extent of this, I am having our host run the SSH command from post #64 to make sure we didn't miss anything.

Has the source ever been figured out? I understand that we do not want to burn anybody at the stake, but I would like to know where the breach happened and if steps have been taken to help prevent this in the future.
__________________
v4.7.12
v5.4.x (In Dev)

#230
02-21-2009, 11:32 PM
WESH(UK)
Member
Join Date: May 2006
Location: London-UK
Posts: 26

Re: Warning: Iframe based attacks using stolen FTP access info

Hey all

Did anybody ever figure this out in the end?
This is still happening...
__________________
Richard Wraith
WESH UK Hosting
Tel: 0800 5 999 404
Web: http://wesh.uk
====================
UK Web Hosting with cPanel
===========================
FREE I.T SUPPORT & REMOTE DESKTOP
===========================
All times are GMT -8.

   

 
X-Cart forums © 2001-2020