Warning: Iframe based attacks using stolen FTP access info

 
#41 Emerson, 10-22-2008, 06:02 PM

Quote:
Originally Posted by finerpeter
The wonderful people at my hosting company Finestshops.com were able to locate all the infected files and they also confirmed as Emerson said that it was through FTP access.

Carrie, you may want your client to run Ad-Aware too, that's what we're doing right now on all of our computers...

But did they do this right after you posted the login info to Qualiteam's helpdesk?
This could be determined by looking at the FTP logs or the timestamps on the files.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
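
A way to run the FTP-log check suggested in the post above, as an added example that is not from the thread or from X-Cart: it groups completed uploads from unfamiliar addresses by date and, going beyond the post, flags files that one host downloaded and re-uploaded seconds later. Assumptions: the server writes the common xferlog format (as wu-ftpd and ProFTPD do), the download-then-upload pattern is a heuristic for automated page edits, and `KNOWN_HOSTS`, the sample lines, paths and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

KNOWN_HOSTS = {"198.51.100.7"}  # assumption: the shop owner's usual address
# Constructed sample in xferlog layout (documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
Mon Oct  6 09:12:44 2008 2 198.51.100.7 18211 /public_html/skin1/home.tpl a _ i r shopuser ftp 0 * c
Wed Oct  8 03:14:07 2008 1 203.0.113.45 5120 /public_html/index.php a _ o r shopuser ftp 0 * c
Wed Oct  8 03:14:09 2008 1 203.0.113.45 5291 /public_html/index.php a _ i r shopuser ftp 0 * c
Wed Oct  8 03:14:11 2008 1 203.0.113.45 18211 /public_html/skin1/home.tpl a _ o r shopuser ftp 0 * c
Wed Oct  8 03:14:13 2008 1 203.0.113.45 18382 /public_html/skin1/home.tpl a _ i r shopuser ftp 0 * c
Mon Oct 20 22:40:01 2008 1 192.0.2.99 5462 /public_html/index.php a _ i r shopuser ftp 0 * c
Mon Oct 20 22:40:05 2008 1 192.0.2.99 900 /public_html/cart.php a _ i r shopuser ftp 0 * i
this line is not an xferlog record
"""

def parse_xferlog(text):
    """Yield a dict per well-formed xferlog line; skip anything else."""
    for line in text.splitlines():
        f = line.split()
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            rec = {"when": when, "host": f[6], "size": int(f[7]), "path": f[8],
                   "direction": f[11], "status": f[17]}  # i=upload, c=complete
        except (ValueError, IndexError):
            continue
        yield rec

def suspicious_uploads(text, known_hosts=KNOWN_HOSTS):
    """Completed uploads from unfamiliar hosts, grouped by (date, host)."""
    hits = defaultdict(list)
    for r in parse_xferlog(text):
        if r["direction"] == "i" and r["status"] == "c" and r["host"] not in known_hosts:
            hits[(r["when"].date().isoformat(), r["host"])].append(r["path"])
    return dict(hits)

def rewritten_in_place(text, window_seconds=60):
    """(path, host, size growth) where a host fetched a file and put it back
    within the window: the trace of an automated edit-and-reupload."""
    fetched, found = {}, []
    for r in parse_xferlog(text):
        key = (r["host"], r["path"])
        if r["direction"] == "o":
            fetched[key] = r
        elif r["direction"] == "i" and r["status"] == "c" and key in fetched:
            gap = (r["when"] - fetched[key]["when"]).total_seconds()
            if 0 <= gap <= window_seconds:
                found.append((r["path"], r["host"], r["size"] - fetched[key]["size"]))
    return found
```

The dates and hosts returned by `suspicious_uploads` can then be compared with the modification times of the files it lists.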

#42 finerpeter, 10-22-2008, 06:08 PM

I'm checking into it right now, Emerson; it might be that a keylogger was resident on my computer from before.

God help us if the X-Cart support helpdesk is compromised, huh?

For added security we've stopped all the PCs in the office and are only running the Macs.
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively

#43 balinor, 10-22-2008, 06:13 PM

I dropped a line to Qualiteam to have them look into this as well...
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#44 finerpeter, 10-22-2008, 06:16 PM

No worries from Qualiteam's support help desk.

It seems that these files were modified on our files on October 8, 2008.

What a disaster this is, depending on the computer that was compromised, they could have done away with some serious information if it was a case of keylogging.

#45 Emerson, 10-22-2008, 06:19 PM

Hmmm, interesting.
Oct 8th seems to be the magic date here as well.
Oct 1st, 8th and 20th.

Now, if this is a keylogger issue, where is this common place where this keylogger has infected all these computers from users that frequent here?

#46 BCSE, 10-22-2008, 06:57 PM

Yes! It started on Oct 8 for my client as well with subsequent logins on the 9th and 10th.

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!

#47 finerpeter, 10-22-2008, 07:05 PM

Have them check up the browser records and let them review what sites were browsed on that date. That's what we're planning to do here on the PCs once the adware and anti-spam software are finished checking the units.

My guess is that if it's a keylogger, then it's from one of those funny video sites that people send around. Our office is an open space so I'm almost 99% sure that it's nothing to do with porn sites but the lads here send back and forth a lot of those "funny accidents" video links so if it's a keylogger, then I'm guessing it's got to be infected through one of those sites.

#48 finerpeter, 10-22-2008, 07:31 PM

Mates,

We found a site that was visited by one of our computers, www.tvshack.net, which Google is advising has malicious code in it. We're checking to see if the computer that was used to visit it is infected.

Will let you know if it's confirmed.

#49 Jon, 10-22-2008, 08:08 PM

Kaspersky is picking up the virus as Packed.JS.Agent.r and it looks like it was only added to their virus listing today (October 22): http://www.kaspersky.co.uk/viruswatchlite?hour_offset=-11&search_virus=js

#50 Emerson, 10-22-2008, 09:22 PM

Their IP has now changed too.
The most recent one is 71.38.117.19

All times are GMT -8.