Warning: Iframe based attacks using stolen FTP access info

tradedvdshop · #**111** 10-24-2008, 02:05 AM

Anyone know if xcart support use a fixed ip address?

verbic · #**112** 10-24-2008, 03:26 AM

Hello,

Last night and this morning we did a thorough investigation of our infrastructure and especially support HelpDesk. We did various checks including code sanitizing, log file analysis, virus scanning, analyzed traffic patterns etc. And did not find any signs of intrusion or security breach. Also some people from this forum confirmed that during the attack were used logins that they did not submit to our HelpDesk. Some of the affected clients had absolutely empty access list.
Although we found nothing we will do several prophylactic checks during next weeks.

We also had a chance to analyze the attack at one of our clients server. Most likely that this virus spreads in a worm-like fasion:

1.Virus installed on the computer it scans system for cached ftp login/passwords if there are some.
2. It sends discovered login details to the central server which processes them, connects the site using ftp access, scans web directory and infects index.html/php files.
3. People viewing infected sites and virus is installed on their computers. Some of them have cached ftp access details. Then the cycle repeats.
Attack was so successful because anitivirus companies included these viruses in their databases only Oct 20 - 22. So until then they run amok hitting unprotected systems.

Here are reports about similar incidents from the third parties:
http://www.webmasterworld.com/apache/3771650.htm
http://www.phpbb.com/community/viewtopic.php?f=46&t=1096195

Although the virus dropping site seems to be blocked now it will be a good idea to change ftp/ssh access details in case if they were harvested by virus.

bigredseo · #**113** 10-24-2008, 08:24 AM

Hello Verbic,

Thank you for your update on the helpdesk issue - that will at least put our minds at ease regarding the Helpdesk being exploited.

The webmasterworld post I found last night, but due to having done a number of searches on their forum (without a user account) they then blocked my IP and required me to register/login. As a result I was unable to grab the thread. I do know that it was started on 10/23, so right in the same timeframe that we are dealing with. The other one on the phpBB is from an attack in July, so while similar, not current.

We continue making scans on our servers for our users, but with limited results.

Also, update on Quest - no response - STILL.

Emerson · #**114** 10-24-2008, 08:47 AM

Conor,

Yes, I had reported it to them yesterday and the day before. No word from them either.

For those of you that are looking for affected files it is not just index files they are editing.
I have seen /include/templater/plugins/modifier.default.php and also /Smarty-X.X.X/plugins/modifier.default.php tempered with.

If you think you have been hit your best bet is contact your host and have them scan your entire home directory for you. It is much easier and more effective that way.

bigredseo · #**115** 10-24-2008, 08:55 AM

We have also found ONE file with the "main.php" being compromised.

Basically any file with the following words are the likely targets:

INDEX, DEFAULT, MAIN

We've seen the following:
index.htm, index.html, index.php
default.html, default.html, default.php
modifier.default.php
main.php

If you are unable to find the files yourself, please contact your host and provide them the search commands as posted in post 64 here on the forums. They should be able to scan your site for any references to IFRAME and live-counter.

gargonzo · #**116** 10-24-2008, 10:03 AM

folks -- ok, so if we have a server.. what do we do? I've checked via SSH for live-counter and its come back negative..

in the meantime -- what should be done to prevent intrusion..

just change the root passwords?

garz

BCSE · #**117** 10-24-2008, 10:08 AM

Quote:

Originally Posted by gargonzo

folks -- ok, so if we have a server.. what do we do? I've checked via SSH for live-counter and its come back negative..

in the meantime -- what should be done to prevent intrusion..

just change the root passwords?

garz

Change *ALL* passwords that relate to ftp and/or ssh, cpanel, plesk, etc. It would never hurt either to change X-cart admin passwords.

Make sure your X-cart security patches are installed (although this thread doesn't relate to any X-cart vulnerabilities, but we find so many many sites that let this go and do not patch in a timely manner).

Carrie

bigredseo · #**118** 10-24-2008, 10:08 AM

If you've run that scan, then that's about all at the moment. You're not infected. Change the root passwords on the system and any passwords for FTP accounts etc just to be sure.

EN4U · #**119** 10-24-2008, 01:08 PM

Quote:

Originally Posted by Emerson

Navigate to the directory at C:\WINDOWS\system32\drivers\etc
In there you will see a file called "hosts".
Open it with notepad and make sure that no entries have been made there.

A stock, untouched file looks like the one below:

If you see any entry other then 127.0.0.1 localhost your computer has been compromissed.

By editing that file a hacker can make your browser point to an IP that is not actually the IP where that site is hosted.

For example. Lets say that yoursite.com is supposed to point to 11.11.11.11
A hacker can edit the hosts files and add the following entry:
22.22.22.22 yoursite.com

So when you type yoursite.com in your browser, you will actualkly be visiting the site at 22.22.22.22 and not 11.11.11.11
This can be used to to further collect any logins you try at that site, etc...

Scary, huh?

Im seeing this.... is this ok, as the second line worries me..

127.0.0.1 localhost
::1 localhost

Emerson · #**120** 10-24-2008, 01:10 PM

that is ok
::1 localhost is for ipv6. Not to worry.