 

Warning: Iframe based attacks using stolen FTP access info

 
#101
10-23-2008, 08:24 PM
bigredseo
X-Man
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364

Re: Warning: Iframe based attacks using stolen FTP access info

I have contacted Quest as the IP number was tracing to them, however they are unable to assist via phone. I was forced to enter an email at abuse@questip.net and provide logs. Any other hosts are encouraged to do the same, or if you wish to provide the IP numbers used in your attack (minus user information), please PM me and I will add it to my open ticket with Quest.

I have also contacted the security team at our data center (The Planet) and they are actively blocking the IP number in their network currently.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#102
10-23-2008, 08:59 PM
Emerson
X-Man
Join Date: Mar 2004
Location: Atlanta, GA
Posts: 2,209

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Originally Posted by Emerson
Their IP has now changed too.
The most recent one is 71.38.117.19

Hi Conor,
Yes I had seen the change of IP and had posted it yesterday.
Is the above the same one you have?
__________________
Emerson
Total Server Solutions LLC- Quality X-Cart Hosting
Recommended X-Cart Hosting Provider - US and UK servers
Does your host backup your site? We do EVERY HOUR!!!
Shared Hosting | Managed Cloud | Dedicated Servers
#103
10-23-2008, 11:09 PM
bigredseo
X-Man
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364

Re: Warning: Iframe based attacks using stolen FTP access info

Yep - Same one. I hadn't noticed it in the posting - sorry dude.

Did you try contacting Quest too? I've had no response from them as of yet.
#104
10-24-2008, 12:31 AM
pauldodman
X-Guru
Join Date: Jul 2003
Location: Spain / UK
Posts: 3,052

Re: Warning: Iframe based attacks using stolen FTP access info

Quote:
Other forums that I frequent are not reporting any new incidents of iFrame attacks either, so it sure seems limited to here on the X-Cart users from what I can tell.

That is interesting I believe. From what I can tell, this attack isn't specific to x-cart software - they are not getting in via any vulnerabilities in x-cart, they are just accessing via ftp and changing php files. They could in effect be attacking any website they like. BUT they are NOT.
Does this tell us anything?
This is happening to many different people, different hosts, different data centers, different developers, different versions, different ftp programs, different operating systems, etc, etc.

What is common? - the only thing I can see is the x-cart helpdesk.

It is good that QT have got involved in this discussion; I'm hoping we hear some results back soon from them following their checks.

What would be good to know is if there is anyone who has been attacked who has NOT used their x-cart helpdesk.
__________________
Paul Dodman
e-business & m-commerce consultant
w: www.luminointernet.com
e: xcart@luminointernet.com

Professional X-Cart help, advice, support and services, specialists in Mobile X-Cart.
#105
10-24-2008, 12:47 AM
gb2world
X-Wizard
Join Date: May 2006
Location: Austin, TX
Posts: 1,970

Re: Warning: Iframe based attacks using stolen FTP access info

I've confirmed with XCART the ftp user access names I have provided them in the past. None of the ftp accounts I created for QT's use were used to gain ftp access to my server. I am fairly certain I have never given access to any other vendor the account that was used by the hackers to gain access. I've made it a practice to create additional ftp accounts for others who I need to give temporary access.
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
#106
10-24-2008, 12:48 AM
bigredseo
X-Man
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364

Re: Warning: Iframe based attacks using stolen FTP access info

That's one of the concerns I have. I know that the iFrame attack has been around a number of years. I know in 2006 there was a rash of injections and that was mainly due to phpBB and postings on there, and in March 2008 there were some issues on WordPress, but it was later determined that it was when people allowed COMMENTS and the hackers/exploiters were just posting in the comments section. That was resolved by killing HTML codes in the comments area.

I'd be curious to see just how many things are in common between the various sites.

As a note of warning to those who are reading this thread and have not already done so - please change your passwords! http://strongpasswordgenerator.com - this is a decent site for generating passwords if you don't have a password generator on hand.
#107
10-24-2008, 01:09 AM
gb2world
X-Wizard
Join Date: May 2006
Location: Austin, TX
Posts: 1,970

Re: Warning: Iframe based attacks using stolen FTP access info

Is there a possibility that the hackers could post the code/virus in this forum?
#108
10-24-2008, 01:24 AM
tradedvdshop
Advanced Member
Join Date: Jun 2007
Location: Kent UK
Posts: 30

Re: Warning: Iframe based attacks using stolen FTP access info

Does anyone know if these will just affect index pages in the public_html folder, or could it go further, affecting the skin1 files etc.?
__________________
X-Cart version 4.1.3
Blank DVD Blank Cd Blank Media Dvd Case
http://www.discworlduk.co.uk


#109
10-24-2008, 01:44 AM
gb2world
X-Wizard
Join Date: May 2006
Location: Austin, TX
Posts: 1,970

Re: Warning: Iframe based attacks using stolen FTP access info

In my case - many index.html & index.php files were exploited - in many directories. It has been reported here that index files can be added to any directory. Also saw the hack in other files. If you have shell access - run the unix commands in post 64.
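The kind of check post #109 describes (injected index files in many directories, plus changes in other files), as an added example that is not part of the thread and is not the commands from post 64, which do not appear on this page. It assumes the injected markup contains an `<iframe` tag, that paths contain no whitespace, and that a manifest of a known-clean copy is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage a web root after suspected FTP-based iframe injection.
# Assumptions: the injected markup contains an "<iframe" tag, and file paths
# contain no whitespace. Legitimate iframes are listed too; review each hit.

# Print web files under $1 that contain an iframe tag (case-insensitive).
# .tpl is included because X-Cart skins (skin1) are Smarty templates.
scan_iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \
        -o -name '*.tpl' \) -exec grep -il '<iframe' {} + | sort
}

# Write a SHA-256 manifest of a known-clean tree $1 to file $2.
# Keep the manifest outside the web root so FTP access cannot rewrite it.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k 2 > "$2"
}

# Compare tree $1 against manifest $2 and print one line per difference:
# "ADDED path" (e.g. a planted index file), "CHANGED path", "MISSING path".
diff_baseline() {
    now=$(mktemp) || return 1
    make_baseline "$1" "$now"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in old)) print "ADDED " $2
           else if (old[$2] != $1) print "CHANGED " $2 }
         END { for (p in old) if (!(p in seen)) print "MISSING " p }' \
        "$2" "$now" | sort
    rm -f "$now"
}

# Usage: sh triage.sh /path/to/webroot [manifest]
if [ -n "${1:-}" ]; then
    scan_iframes "$1"
    if [ -n "${2:-}" ]; then diff_baseline "$1" "$2"; fi
fi
```

The manifest comparison catches planted or modified files even when the injected markup is obfuscated and the iframe pattern does not match.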
#110
10-24-2008, 01:58 AM
tradedvdshop
Advanced Member
Join Date: Jun 2007
Location: Kent UK
Posts: 30

Re: Warning: Iframe based attacks using stolen FTP access info

OK, thanks for that, I will run it now and have a look!
All times are GMT -8.