
Some of the sites that I work with were compromised a while ago. I requested the FTP logs from the hosting company and they provided me with this:

ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:02 -0400] - - "STOR //t2TdyX8f.gif (/somesite.com/public/t2TdyX8f.gif)" - - "226" "10" "0.176"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:02 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "250" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:03 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:04 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:04 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:05 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:06 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:06 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:07 -0400] - - "STOR //images/t2TdyX8f.gif (/somesite.com/public/images/t2TdyX8f.gif)" - - "226" "0" "0.163"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:07 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "250" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:08 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:08 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:09 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:09 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:10 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:10 -0400] - - "DELE //images/t2TdyX8f.gif (/somesite.com/public//images/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:11 -0400] - - "STOR //pdf/t2TdyX8f.gif (/somesite.com/public/pdf/t2TdyX8f.gif)" - - "226" "0" "0.165"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:12 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "250" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:12 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:13 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:13 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:14 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:14 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:15 -0400] - - "DELE //pdf/t2TdyX8f.gif (/somesite.com/public//pdf/t2TdyX8f.gif)" - - "550" "-" "-"
.
.
.
.
.
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:40 -0400] - - "RETR //index.phtml (/somesite.com/public/index.phtml)" - - "226" "531" "0.234"
ftp.somesite.com 64.29.xxx.xxx 87.236.xxx.xxx[09/Jul/2012:13:37:41 -0400] - - "STOR //index.phtml (/somesite.com/public/index.phtml)" - - "226" "757" "0.173"

As you can see in the logs, the intruder first tries to upload a file, then tries to delete it 7 times. The first time the file is deleted the server returns 250; the next consecutive times it returns 550.

He does this 3 times. I think he is testing something, or maybe exploiting a vulnerability in the FTP server.

Then he starts downloading a bunch of files, and when he downloads index.phtml, he modifies it, uploads it and overwrites the original.

He puts some JavaScript code in index.phtml, and then he moves to the next site we host on that server.

So it is clear that the intruder has some form of FTP access to the server. There are at least two possibilities:

1- The FTP server has a vulnerability.

2- He knows our passwords; maybe he is sniffing data from our network, or has hacked into one of our computers here, or something like that?

I used nmap to try to find the version and type of the ftp server, here are the results:

nmap -A -p 21 ftp.somesite.com
Starting Nmap 5.51 ( http://nmap.org ) at 2012-09-06 11:52 EDT
Nmap scan report for ftp.somesite.com (64.29.xxx.xxx:)
Host is up (0.058s latency).
rDNS record for 64.29.xxx.xxx: websixxxxsc2x.xarxxxxxx.com
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.2.8 - 1.2.9
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
Service Info: OS: Unix

I searched for security vulnerabilities of ProFTPD 1.2.8 and found this. Other than this, at this point I have no idea how to proceed to make sure this doesn't happen again.

user893730
  • Regardless of anything else, FTP does have an inherent vulnerability - it sends authentication data (and everything else, for that matter) in the clear. So, anyone with access to your network traffic could easily sniff the passwords. I suggest finding an alternative, more secure means of transferring and sharing your data, if possible. – Iszi Sep 07 '12 at 14:30
  • Three possibilities: "Anonymous FTP login allowed" - just because nmap didn't get a directory listing doesn't mean that there's no need to check what an anonymous user can do. – symcbean Sep 07 '12 at 15:59
  • @symcbean Good point. I did log in with anonymous FTP and I received the same message; you end up jailed in the / directory, which is empty, and you can't list or upload. I wish the logs were telling me what username was used in this FTP session, but they do not. – user893730 Sep 07 '12 at 19:48
  • @Iszi, another good point. But is there a way I could find out whether or not someone is actually sniffing our passwords? The IP used in this attack was from Europe; my main concern is what to do next. We do have the option of using SFTP, and we will make that a policy. – user893730 Sep 07 '12 at 19:49
  • Unless you have particular motivation to track down the attacker for prosecution, I'd say switch the server over to SFTP (including disabling cleartext FTP entirely), change all your FTP account passwords, and be done with it. – Iszi Sep 07 '12 at 19:52
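The question's log shows two patterns worth flagging automatically: a client that fetches a file and then stores one back at the same path (the index.phtml overwrite), and a client whose repeated DELE requests draw 550 replies (the upload/delete probing). The following Python is an added example, not code from the question or the hosting company; it assumes the log layout shown above and uses constructed, made-up sample lines and IP addresses.

```python
import re
from collections import Counter

# Constructed sample in the hosting company's layout (IPs are made up).
SAMPLE_LOG = """\
ftp.somesite.com 64.29.0.1 87.236.0.2[09/Jul/2012:13:37:02 -0400] - - "STOR //t2TdyX8f.gif (/somesite.com/public/t2TdyX8f.gif)" - - "226" "10" "0.176"
ftp.somesite.com 64.29.0.1 87.236.0.2[09/Jul/2012:13:37:02 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "250" "-" "-"
ftp.somesite.com 64.29.0.1 87.236.0.2[09/Jul/2012:13:37:03 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.0.1 87.236.0.2[09/Jul/2012:13:37:04 -0400] - - "DELE //t2TdyX8f.gif (/somesite.com/public//t2TdyX8f.gif)" - - "550" "-" "-"
ftp.somesite.com 64.29.0.1 87.236.0.2[09/Jul/2012:13:37:40 -0400] - - "RETR //index.phtml (/somesite.com/public/index.phtml)" - - "226" "531" "0.234"
ftp.somesite.com 64.29.0.1 87.236.0.2[09/Jul/2012:13:37:41 -0400] - - "STOR //index.phtml (/somesite.com/public/index.phtml)" - - "226" "757" "0.173"
ftp.somesite.com 64.29.0.1 10.0.0.5[09/Jul/2012:14:00:00 -0400] - - "RETR //about.html (/somesite.com/public/about.html)" - - "226" "900" "0.100"
"""

# server server-ip client-ip[timestamp] - - "CMD arg (real path)" - - "reply" "bytes" "secs"
LINE_RE = re.compile(
    r'^(?P<server>\S+) (?P<server_ip>\S+) (?P<client_ip>[^\s\[]+)\[(?P<ts>[^\]]+)\] - - '
    r'"(?P<cmd>[A-Z]+) (?P<arg>\S+) \((?P<path>[^)]*)\)" - - '
    r'"(?P<code>\d+)" "(?P<bytes>[^"]*)" "(?P<secs>[^"]*)"$'
)

def parse_log(text):
    """Parse lines into dicts; collapse repeated slashes so STOR and DELE paths compare equal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = re.sub(r"/+", "/", e["path"])
            events.append(e)
    return events

def find_overwrites(events):
    """(client_ip, path) pairs where a client fetched a file and later stored one
    back at the same path: the download-edit-reupload seen on index.phtml."""
    fetched, hits = set(), []
    for e in events:
        key = (e["client_ip"], e["path"])
        if e["cmd"] == "RETR" and e["code"] == "226":
            fetched.add(key)
        elif e["cmd"] == "STOR" and key in fetched and key not in hits:
            hits.append(key)
    return hits

def find_delete_probes(events, min_failed=2):
    """(client_ip, path) pairs that drew at least min_failed 550 replies to DELE:
    the repeated delete-after-delete probing seen on the .gif uploads."""
    failed = Counter((e["client_ip"], e["path"])
                     for e in events if e["cmd"] == "DELE" and e["code"] == "550")
    return sorted(k for k, n in failed.items() if n >= min_failed)
```

Run both detectors over the full log the host supplied and the same client IP should surface in each, which is also the list of files to restore from a known-good copy.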

1 Answer


It sounds like you are using shared hosting, so I am not sure what your forensic abilities are at this point. If you have access to the network or the hosting company is working with you, you may be able to set up some additional monitoring to see if this attacker is doing anything else on your network. However, if he is intercepting traffic outside of the hosting environment, it will be very hard to track him down.

If you know the IP address, you should be able to look up who owns the IP and maybe contact the attacker's ISP or check if it's on a blacklist.

Beyond this, you should implement some form of secure FTP and disable plain old FTP. You can try SFTP (SSH FTP) or FTP/S (FTP over SSL). I would also recommend implementing key-based authentication in addition to password authentication. Make sure you do not allow weak encryption on the SFTP server either. Also, you should change the access passwords on a regular basis. By securing and changing the password frequently, you reduce the ability of an outside attacker to compromise your system.

Another possibility, if this is also a web server, is that the web server was compromised and some configuration file has the credentials stored within it. I would check for this as well, and set different passwords for your web server to connect and for users to connect.

Eric G