Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

Warning: Iframe based attacks using stolen FTP access info
 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #1  
Old 10-22-2008, 10:27 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Warning: Iframe based attacks using stolen FTP access info

There seems to be a hacker out there (looks like they are from Egypt) targeting X-Cart sites with iframe based attacks. Basically they are gaining FTP access to a site and adding an iframe to existing index files, or adding new index files in all of the directories. The iframe loads a virus to anyone who accesses the site, both the admin side and the customer side. As you can imagine, this can be extremely damaging to your store if all of your customers get hit with this virus (particularly if they don't have anti-virus software). If you suddenly start to get a 'secure and insecure' warning in the admin, and see something loading other than your domain, close your browser immediately and contact your host.

The accounts that were hacked (the ones I know of) had FTP passwords that are just about impossible to hack, which means the account data was stolen/intercepted. Where it was stolen from is something myself and a few others are investigating as we speak.

In any event, now would be a VERY good time to change your FTP password, particularly if you have had work done on your site by anyone outside your organization. This can usually be done via your host's control panel.

You can also block these specific IP addresses which seem to be the source of some of the attacks (although these are probably just a proxy):

41.232.70.12
41.232.70.190
41.232.69.30
41.232.69.144

This is a serious threat, so please treat it as such - don't just dismiss this as 'it can't happen to me'.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #2  
Old 10-22-2008, 10:36 AM
  photo's Avatar 
photo photo is offline
 

X-Wizard
  
Join Date: Feb 2006
Location: UK
Posts: 1,146
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

In my version (4.1.10) the following security measure is implemented in the config.php file.

Code:
# # The constant FRAME_NOT_ALLOWED forbids calling X-Cart in IFRAME / FRAME tags. # If you do not use X-Cart in any pages where X-Cart is displayed through a # frame, this option can be enabled to enhance security. This option prevents # attacks in which the attacker displays X-Cart through a frame and, using web # browser vulnerabilities, intercepts the information being entered in it. # define("FRAME_NOT_ALLOWED", true);

Should this not stop the attack which you are talking about?
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
Reply With Quote
  #3  
Old 10-22-2008, 10:37 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Na, that keeps X-Cart from being shown IN an Iframe, I don't think it prevents an iframe from being shown IN X-Cart...
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #4  
Old 10-22-2008, 10:38 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

photo, that prevents the shopping cart from being displayed within an iframe.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #5  
Old 10-22-2008, 10:41 AM
  photo's Avatar 
photo photo is offline
 

X-Wizard
  
Join Date: Feb 2006
Location: UK
Posts: 1,146
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I see. Were these hacks in the latest versions (4.1.10 & 4.1.11) of Xcart?
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
Reply With Quote
  #6  
Old 10-22-2008, 11:47 AM
  pauldodman's Avatar 
pauldodman pauldodman is online now
 

X-Man
  
Join Date: Jul 2003
Location: Spain / UK
Posts: 2,942
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Need help with the latest security patch - click here

Google reCaptcha module for X-Cart now available - Click here

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
Reply With Quote
  #7  
Old 10-22-2008, 11:51 AM
  photo's Avatar 
photo photo is offline
 

X-Wizard
  
Join Date: Feb 2006
Location: UK
Posts: 1,146
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by pauldodman
I've seen the hacks in 4.0 sites and the latest 4.1 sites, with hackersafe and every security measure possible, including ftp p/ws of strength 100.

That is not good. Hopefully someone can figure out how these clowns are getting the access info.
__________________
v4.1.10
In Dev v4.5.x


"If you don't keep an eye on your business, someone else will."
Reply With Quote
  #8  
Old 10-22-2008, 11:52 AM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Wow, that's a serious comprimise....

Thanks for letting us know Padraic!
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
Reply With Quote
  #9  
Old 10-22-2008, 11:53 AM
 
Emerson Emerson is offline
 

X-Man
  
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

Paul,

What I've seen are iframes loading a live-counter URL. Is that what you have seen as well?

photo,
This is not an x-cart vulnerability but FTP passwords are being leaked somewhere.
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
Reply With Quote
  #10  
Old 10-22-2008, 12:01 PM
 
finerpeter finerpeter is offline
 

Senior Member
  
Join Date: Jul 2006
Location: Montreal, QC
Posts: 159
 

Default Re: Warning: Iframe based attacks using stolen FTP access info

How do you mean Emerson?
__________________
www.finerribbon.com
X-Cart Vers: 4.5.0
Modified Creatively
Reply With Quote
Reply
   X-Cart forums > News and Announcements


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 12:38 PM.

   

 
X-Cart forums © 2001-2018