
I have a website made in Magento and hosted on an Ubuntu server, and for a few months I have been seeing FTP connections opened from unknown IPs trying to open the file lic.php. In the proftpd.log file I found these records:

FTP session opened.
error opening destination file '/data/myproject.com/www/temp/lic.php' for copying: No such file or directory
error opening destination file '/data/httpd/myproject.com/data/temp/lic.php' for copying: No such file or directory
error opening destination file '/data/web/myproject.com/temp/lic.php' for copying: No such file or directory
error opening destination file '/data/web/myproject.com/web/temp/lic.php' for copying: No such file or directory
error opening destination file '/data/www/html/temp/lic.php' for copying: No such file or directory
error opening destination file '/etc/apache2/htdocs/temp/lic.php' for copying: No such file or directory
error opening destination file '/home/myproject.com/temp/lic.php' for copying: No such file or directory
error opening destination file '/home/myproject.com/public_html/temp/lic.php' for copying: No such file or directory
...
...etc
FTP session closed.

At other times it was also trying to open the file apc.php.

Is this normal or should I take action on it?

  • Looks like an automated scanning attempt. lic.php has been connected to ransomware in the past but it's a pretty generic name, and there have been exploits for Alternative PHP Cache (apc.php). If you're worried I would disable anonymous FTP. – movsx Jan 16 '17 at 19:50

1 Answer


Is this normal

Yes, FTP/SSH recon and brute force is pretty common. Welcome to the wild wild web.

or should I take action on it?

You should definitely take action on it. Is there a reason why you have anonymous FTP exposed? This is highly insecure. The files in your case don't exist, but what if an attacker asks for legitimate files, like your application code or system files like /etc/passwd?

These are the steps you should take to avoid this:

  • Disable FTP and use SFTP. SFTP runs over an SSH tunnel and provides both confidentiality and integrity of data in transit.
  • Disable anonymous logins. Turn on key-based authentication and use strong keys (2048 bits or more). If keys don't work for you, use a strong password.
  • Check the FTP logs to see if any legitimate files have been stolen.

In case you are curious where they got your IP and why you are seeing this kind of traffic, please refer to my related answer on webmasters: https://webmasters.stackexchange.com/a/72312/18258

CodeExpress
  • This works, in addition to this on the website there was a vulnerability with uploading files with a module called Webforms that I have already corrected. – Hector Andres Rojas Jan 20 '17 at 16:15
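The third step in the answer, checking the logs, as an added example (editor's code, not part of the original page or of ProFTPD): a small Python triage over log lines in the style of the ones quoted in the question. The sample log is constructed, and the `<ip> <user>:` prefix is an assumed layout, since the question shows only the message text and a real proftpd.log line also carries a timestamp and host fields. One caveat the page does not spell out, added here as the editor's identification: the wording "error opening destination file ... for copying" is what ProFTPD's mod_copy module logs when a SITE CPFR/CPTO copy fails, so these lines record attempts to write something onto the server as lic.php or apc.php under a guessed web root, not attempts to download it; unauthenticated use of those commands was the subject of CVE-2015-3306, so the ProFTPD version and whether mod_copy is loaded are worth checking alongside the anonymous-login question. Because the error only proves that a particular guess at the web root missed, the script also lists the probed paths that fall under the real document root so they can be checked on disk.

```python
import re

# Constructed sample, not taken from a real server. The message texts are the
# ones quoted in the question; the "<ip> <user>:" prefix is an assumed layout.
SAMPLE_LOG = """\
203.0.113.7 anonymous: FTP session opened.
203.0.113.7 anonymous: error opening destination file '/data/www/html/temp/lic.php' for copying: No such file or directory
203.0.113.7 anonymous: error opening destination file '/etc/apache2/htdocs/temp/lic.php' for copying: No such file or directory
203.0.113.7 anonymous: error opening destination file '/home/myproject.com/public_html/temp/lic.php' for copying: No such file or directory
203.0.113.7 anonymous: FTP session closed.
203.0.113.7 anonymous: FTP session opened.
203.0.113.7 anonymous: error opening destination file '/var/www/html/temp/apc.php' for copying: No such file or directory
203.0.113.7 anonymous: FTP session closed.
198.51.100.9 deploy: FTP session opened.
198.51.100.9 deploy: FTP session closed.
"""

# Adjust LINE_RE to the real log layout; COPY_ERR_RE matches the message text itself.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+): (?P<msg>.*)$")
COPY_ERR_RE = re.compile(r"error opening destination file '(?P<path>[^']+)' for copying")


def parse_sessions(log_text):
    """Split the log into FTP sessions and collect the copy destinations tried in each.

    Returns a list of dicts {"ip", "user", "targets": [paths...]} in log order.
    """
    sessions, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, msg = m.group("ip"), m.group("user"), m.group("msg")
        if msg.startswith("FTP session opened"):
            current = {"ip": ip, "user": user, "targets": []}
            sessions.append(current)
        elif msg.startswith("FTP session closed"):
            current = None
        elif current is not None:
            hit = COPY_ERR_RE.search(msg)
            if hit:
                current["targets"].append(hit.group("path"))
    return sessions


def summarize_by_client(sessions):
    """Aggregate per client IP: sessions, copy attempts, filenames written, distinct
    directories guessed, and whether any of the sessions was anonymous."""
    summary = {}
    for s in sessions:
        rec = summary.setdefault(s["ip"], {"sessions": 0, "attempts": 0,
                                           "filenames": set(), "dirs": set(),
                                           "anonymous": False})
        rec["sessions"] += 1
        rec["attempts"] += len(s["targets"])
        for path in s["targets"]:
            directory, _, name = path.rpartition("/")
            rec["dirs"].add(directory)
            rec["filenames"].add(name)
        rec["anonymous"] = rec["anonymous"] or s["user"] == "anonymous"
    return summary


def is_path_spray(rec, min_dirs=3):
    """True when one client tried to drop a file under several different guessed
    web roots, the pattern shown in the question (threshold is a chosen default)."""
    return rec["attempts"] >= min_dirs and len(rec["dirs"]) >= min_dirs


def paths_to_check(sessions, docroot):
    """Probed destinations that lie under the real document root. A failed guess is
    logged; a guess that landed would not produce this error, so these paths are
    the ones to verify on disk."""
    prefix = docroot.rstrip("/") + "/"
    return sorted({p for s in sessions for p in s["targets"] if p.startswith(prefix)})


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for ip, rec in summarize_by_client(sessions).items():
        flag = "SPRAY" if is_path_spray(rec) else "ok"
        print(f"{ip}: {rec['sessions']} sessions, {rec['attempts']} copy attempts, "
              f"files={sorted(rec['filenames'])}, dirs={len(rec['dirs'])}, "
              f"anonymous={rec['anonymous']} [{flag}]")
    print("check on disk:", paths_to_check(sessions, "/data/www/html"))
```

Run it against the real proftpd.log after adapting LINE_RE to its line layout; any path it reports under the actual document root should be checked for on disk, and the transfer log (ProFTPD's TransferLog, if enabled) should be searched for successful uploads and downloads by the same client addresses, since that is where a copy or retrieval that did succeed would appear.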