2

I've always wondered what could realistically (and maybe theoretically) happen if one of those "always trying to log in with common passwords" remote addresses guessed my password and gained admin access to my FTP server at home.

From what I understand, an FTP server only has access to whatever directories and files that are already shared, but it can't execute arbitrary code and you can't add more directories or files to gain access to the rest of the system (at least I couldn't find how it could be done). So the "bad guys" could only slightly expand their remote storage space or hope that I execute a virus that they put on my hard drives and only then could things get really bad.

What could a malicious person do if they gained full access to my remote FTP server?

user1306322
  • Are you hosting a web application on the server from a directory that FTP has access to? If you do, the attacker would have full control over that application. – Anders Apr 23 '18 at 18:55
  • I don't think this applies here but I think one thing to consider is that when you use SFTP, each user is an SSH user and could potentially escape into the shell so it's important to make sure permissions are reviewed. – JimmyJames Apr 23 '18 at 20:46

3 Answers

5

There are a lot of attacks that can happen if someone gets access to your FTP server.

1) Wipe out your data stored on the FTP server.

2) Steal your data stored on the FTP server.

3) Exploit any of a variety of vulnerabilities to compromise your server.

4) Upload malicious content in hopes that you'll execute it.

5) Replace existing content with similar but malicious content (index.html becomes a webpage selling kiddie porn or something) that you or your other software will execute.

Typically, all software has bugs. Some of those bugs are publicly known of. An attacker can use known and unknown bugs to compromise your system, and it is far easier when they have login access, especially administrative access to a system.

  • ok so what if there are no services automatically executing any files set up on that computer, and I'm not manually launching any random `.exe`s, or even browsing the directories via explorer (to avoid the possibility of the many automatic thumbnail creation exploits). Let's say it's just an empty FTP server and I don't care about what data is on there, as it is never really accessed by anyone. Would the attackers still be able to somehow gain full control over my computer? – user1306322 Apr 23 '18 at 19:18
  • If there are vulnerabilities, yes. If not, no. It's very fact-specific regarding what FTP server you're running, what version, what OS, etc. – Monica Apologists Get Out Apr 23 '18 at 19:20
  • @user1306322 There's a (small, but non-zero) possibility that the FTP server (or the OS hosting it) is vulnerable to an exploit that can be used to potentially lead to more access than you thought. If it's that unused, why not just turn it off? – TripeHound Apr 24 '18 at 09:41
  • @TripeHound it's just a theoretical question, since I'm aware that FTP doesn't encrypt any data or even the login/password, so it's a really bad idea to use these days for anything where security or social engineering may be a concern. – user1306322 Apr 24 '18 at 12:47
3

Let's assume your FTP is purely FTP (not sFTP) and the server software has no vulnerabilities.

Even then the attacker could log in, delete any files you might have. Or worse yet, upload new files. Imagine if those uploaded files were something illegal, like copyrighted material or worse child pornography. A quick report to the cops, and you'd find yourself in a heap of trouble very quickly.

This is where an attacker randomly uploads files to your FTP server, and then reports you. Why anyone would do this is not the point -- what matters is that they can once they know your username/password.

Now, if the FTP software had vulnerabilities, then the attackers could start gaining access to your server itself. And run code-execution to mine Monero, or even ransomware the whole server. That said, only a small portion of FTP server vulnerabilities require authenticated access, in most cases they'd be able to exploit vulnerabilities without knowing your username/password. Another reason not to expose this to the internet unless you absolutely have to.

If it were sFTP (not just FTP), and the attacker got SSH access, they might be able to log in to your server, and run a privilege escalation attack to get root on your server. From there the possibilities are endless. Even without privileged access they might walk around your server and browse through more files than you'd like.

Just like anything else, exposing this to the internet is harmful, and if it's on port 21, you're probably just begging for trouble (IMHO).

keithRozario
0

This is highly dependent on the OS and FTP server, on the other software present on the server, and on the other active ports (with a server listening on them).

Once this is established, it also highly depends on the configuration of the FTP server. It may be possible to only allow read-only access on a limited set of folders, whatever credentials are presented, but full access to whole file systems is also possible. Extensions of the protocol can even allow executing remote commands.

So IMHO, the only possible answer to your question is: if someone guesses a password (an account) on your FTP server, they can do everything that the FTP server allows for that account. You may know, but I cannot. Not speaking of what a compromise of the FTP server software could allow an attacker to do.

But AFAIK the most common attacks on FTP servers are:

  • theft of sensitive data
  • modification of files used by other servers to gain further privileges on the machine
  • destruction of files essential for the OS or any other software
  • use of the FTP server as a relay to spread offensive or illegal files, with all the legal intricacies behind that
Serge Ballesta