
Warning: Iframe based attacks using stolen FTP access info

 
  #11  
Old 10-22-2008, 12:01 PM
photo photo is offline
 

X-Wizard
  
Join Date: Feb 2006
Location: UK
Posts: 1,146
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Emerson
photo,
This is not an x-cart vulnerability but FTP passwords are being leaked somewhere.

Is this issue possibly related to certain server control panels like Cpanel?
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
Reply With Quote
  #12  
Old 10-22-2008, 12:23 PM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by photo
Is this issue possibly related to certain server control panels like Cpanel?

photo,
It is a possibility but I am leaning more towards a source of logins having been breached.
We had 4 cases here and at first I thought maybe our system was compromised but after further investigation it was concluded that those logins were not available in our system.
So either a helpdesk somewhere has been hacked or e-mails are being intercepted somewhere.
Still investigating as we do not have much information to pinpoint the source of the problem and that is one of the reasons for this thread, so we can get as much information as possible.

We are instructing our customers to not give out their FTP logins to anyone, instead they should create a separate login and once the work is done they can delete that login.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #13  
Old 10-22-2008, 12:27 PM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I would presume that the largest concentration of logins and passwords would be with X-Cart tech support. I hope that is not compromised. That would truly be a catastrophe.

Edit: Come to think of it, I'm guessing X-Cart recommended hosts would have quite a few ftp passwords too in their systems. We know that Emerson's safe so it would be great if the other companies can confirm their status too.
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
Reply With Quote
  #14  
Old 10-22-2008, 01:21 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Yea, this is clearly not an X-Cart vulnerability - but pure information theft. Emerson's servers are locked up tight, so it has to be a leak somewhere.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #15  
Old 10-22-2008, 02:04 PM
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I got hit too. I am at Hands-On - so it seems not likely a vulnerability with the hosts.

I never give out the root ftp passwords, but have created ftp accounts for QT and various vendors - perhaps the compromise was there. My host is suggesting they may have intercepted email somehow. I did email ftp information to some vendors.

I saw the iframe edit in the main index file - am putting in a ticket to find all index files that were modified recently. (I don't have shell access - so I am having to look at directories one by one.) So far - I have not found anything else.

Can anyone describe any other files or functionality that were modified? I'll be looking at all files that were changed today.
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #16  
Old 10-22-2008, 02:07 PM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

It is basically every index.php file - if they aren't in a directory, they were created - so look for any index.php file created or edited on the day of the hack.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
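The check described in the post above (every index file, whether edited or newly created on the day of the hack), as an added example that is not part of the original thread. It can be run against an FTP-downloaded copy of the site when there is no shell access; the file extensions, the sample tree, the `injected.example` URL and the incident date are constructed assumptions.

```python
import datetime as dt
import os
import re
import tempfile

# Assumptions (not from the thread): which extensions count as index files,
# and that the injection is a literal <iframe> tag in the file body.
INDEX_RE = re.compile(r"^index\.(php|html?)$", re.IGNORECASE)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)

def scan_index_files(root, day):
    """List index files under root modified on `day` (local time) or holding
    an <iframe> tag. mtime can be reset by whoever wrote the file, so the
    content check runs on every index file, not only recently changed ones."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(INDEX_RE.match, files):
            path = os.path.join(dirpath, name)
            on_day = dt.date.fromtimestamp(os.path.getmtime(path)) == day
            with open(path, "rb") as fh:
                tags = [t.decode("latin-1") for t in IFRAME_RE.findall(fh.read())]
            if on_day or tags:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "modified_on_day": on_day, "iframes": tags})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root, day):
    """Constructed sample site (not data from the thread)."""
    old = dt.datetime(2008, 1, 5, 12, 0).timestamp()
    hit = dt.datetime.combine(day, dt.time(12, 0)).timestamp()
    frame = b"<iframe src='http://injected.example/'></iframe>\n"
    samples = {
        "index.php": (b"<?php include 'home.php'; ?>\n", old),  # untouched
        "admin/index.php": (b"<?php ?>\n" + frame, hit),        # edited
        "images/index.php": (frame, hit),                       # newly created
        "skin1/index.html": (frame.upper(), old),               # mtime reset
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        day = dt.date(2008, 10, 22)  # constructed incident date
        build_sample_tree(tmp, day)
        for finding in scan_index_files(tmp, day):
            print(finding)
```

A legitimate page can contain an iframe of its own, so each hit is a file to review by hand rather than proof of injection.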
  #17  
Old 10-22-2008, 02:08 PM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Hi gb2world.

Seems that iframes were injected in all index files.
Talk to Hands On and have them take a look at your FTP logs and see if this is related.

Actually you can look at the FTP logs yourself. They are found in the access-logs directory in your home directory.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #18  
Old 10-22-2008, 02:37 PM
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

This is really bad. If they had full ftp access - they could also have picked up all the MYSQL password information. All that needs to be changed too. With access to the db - they can cause all sorts of mischief - and can have all customer information.
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #19  
Old 10-22-2008, 02:38 PM
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

We haven't had any reports of issues other than this one which we just received a ticket on.

I'm checking that server for issues currently, but the iFrame attacks really hadn't been present in over 2 years; I think that was the last time I've seen a rash of them.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote
  #20  
Old 10-22-2008, 03:12 PM
Jon Jon is offline
 

X-Guru
  
Join Date: Oct 2002
Location: Vancouver, Canada
Posts: 4,200
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by gb2world
This is really bad. If they had full ftp access - they could also have picked up all the MYSQL password information. All that needs to be changed too. With access to the db - they can cause all sorts of mischief - and can have all customer information.

For example, watch for users modifying the database, changing your CC processing to manual and then changing the admin orders email address to theirs.
Reply With Quote
All times are GMT -8. The time now is 02:57 AM.

   

 
X-Cart forums © 2001-2020