I recently had an FTP attack where 3 files were copied into the public HTML directory of my domain. (It looks like the FTP password was compromised, but I'm still investigating this.) The strange thing is that the FTP log documented 5 separate IP addresses that were involved in the same attack. I checked the IPs shown in the log extract below. According to http://www.all-nettools.com/toolbox/smart-whois.php the IPs originate in Austria, Poland, Brazil, Israel and Sweden.

The 3 offending files are "mickey66.html", "mickey66.jpg", and "canopy37.html", and you can see them in the log extra...

2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: (?@190.20.76.74) [INFO] kingdom is now logged in
2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: (?@77.250.141.158) [INFO] kingdom is now logged in
2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: (kingdom@77.250.141.158) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: (kingdom@77.250.141.158) [INFO] Logout.
2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: (?@78.88.175.77) [INFO] kingdom is now logged in
2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: (kingdom@78.88.175.77) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)
2010-06-17T21:24:10.848782+01:00 webserver pure-ftpd: (kingdom@78.88.175.77) [INFO] Logout.
2010-06-17T21:24:18.528074+01:00 webserver pure-ftpd: (kingdom@190.20.76.74) [INFO] Logout.
2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: (?@85.130.254.227) [INFO] kingdom is now logged in
2010-06-17T21:24:23.470817+01:00 webserver pure-ftpd: (kingdom@85.130.254.227) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.38KB/sec)
2010-06-17T21:24:23.655023+01:00 webserver pure-ftpd: (kingdom@85.130.254.227) [INFO] Logout.
2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: (?@95.209.254.137) [INFO] kingdom is now logged in
2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: (kingdom@95.209.254.137) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:28.760513+01:00 webserver pure-ftpd: (kingdom@95.209.254.137) [INFO] Logout.

I don't know what user is represented by the query sign (?); is this 'root'? Anyway, can anyone shed any light on all this?

Owen
  • People still use FTP anymore? Especially people with access to FTP logs (and who know how to look). (The `?` just means they have not authenticated yet)... – ircmaxell Jun 21 '10 at 16:28
  • I probably know just enough to make me dangerous ;-) I'm managing around 30 small sites and what else can I do? –  Jun 21 '10 at 17:45
  • If you have the ability, use SCP over SSH. It's FAR more secure... – ircmaxell Jun 21 '10 at 17:54
  • Ah, is SCP better (more secure) than Secure FTP? –  Jun 21 '10 at 18:21
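As an added example (not code from the question or any of the answers), a small Python script that parses pure-ftpd lines like the extract above and flags the pattern being asked about: one account logged in from several unrelated addresses within a minute, plus the uploads that landed under public_html. The embedded log text is a constructed subset of the question's extract; the 60-second window and the 3-address threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the pure-ftpd lines quoted in the question.
SAMPLE_LOG = """\
2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: (?@190.20.76.74) [INFO] kingdom is now logged in
2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: (?@77.250.141.158) [INFO] kingdom is now logged in
2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: (kingdom@77.250.141.158) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: (?@78.88.175.77) [INFO] kingdom is now logged in
2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: (kingdom@78.88.175.77) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)
2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: (?@85.130.254.227) [INFO] kingdom is now logged in
2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: (?@95.209.254.137) [INFO] kingdom is now logged in
2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: (kingdom@95.209.254.137) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)
"""
LINE_RE = re.compile(r'^(\S+) \S+ pure-ftpd: \(([^@]*)@([^)]+)\) \[\w+\] (.*)$')
LOGIN_RE = re.compile(r'^(\S+) is now logged in$')
UPLOAD_RE = re.compile(r'^(\S+) uploaded \((\d+) bytes')

def parse_events(text):
    """Login/upload tuples; the (user@ip) prefix is '?' before auth, so a login's account comes from the message."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, user, ip, msg = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        lm, um = LOGIN_RE.match(msg), UPLOAD_RE.match(msg)
        if lm:
            events.append(('login', ts, ip, lm[1], None, 0))
        elif um:
            events.append(('upload', ts, ip, user, um[1], int(um[2])))
    return events

def shared_credential_alerts(events, window=timedelta(seconds=60), min_ips=3):
    """Accounts seen logging in from >= min_ips distinct addresses inside one sliding window (assumed thresholds)."""
    logins = {}
    for kind, ts, ip, user, _, _ in events:
        if kind == 'login':
            logins.setdefault(user, []).append((ts, ip))
    alerts = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            ips = {ip for ts, ip in entries[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                alerts[user] = sorted(ips)
                break
    return alerts

def webroot_uploads(events, marker='/public_html/'):
    """Files written under the web root, i.e. content now served to visitors: (client ip, file name, bytes)."""
    return [(ip, path.rsplit('/', 1)[-1], size) for kind, _, ip, _, path, size in events
            if kind == 'upload' and marker in path]
```

Run it against the full pure-ftpd log (for example `parse_events(open('/var/log/pure-ftpd.log').read())`) to list, per account, the addresses that shared it and what they wrote into the web root; a successful login is not a failed one, so fail2ban-style counters would not have caught this sequence.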

4 Answers

A very small bot-net? ;-)

Likely to be coming from other compromised machines, rather than from the kiddies' own IP.

Have a look at fail2ban and denyhosts.

Mind you, FTP is a terrible service to be running unless you really really need to. Subversion or similar is a better way of maintaining a website, at least use secure copy over SSH if you need to do unversioned uploads.

Pete
  • I've just started using Subversion for development but don't know much more than commit, update, revert, update - I don't know how this would be more secure. I think export from repos and upload by FTP - better way please? –  Jun 21 '10 at 17:49
  • Install subversion *client* on the webserver. Make changes on your local machine. Check them in. SSH in to the webserver, and update the source from the repo direct to the server. No need for FTP or other service, plus you have versioning, rollback, etc. when something goes wrong. –  Jun 21 '10 at 18:42
  • You should still run denyhosts or similar to protect the SSH login though. Using a key based login is also better than a password. –  Jun 21 '10 at 18:45
  • How is the HTML/PHP deployed from the svn client on the remote server? When you say "update ... direct to the server" does that mean to an svn repos on the remote server? Do you have to export from remote repos to "unpack" the files? (sorry for the dumb question - very new to svn) –  Jun 21 '10 at 18:49
  • No, usually the repository is on a different server. To initially download from a repository, use the `checkout` command. –  Jun 21 '10 at 19:00
  • So it goes: your machine -> repository , then: web server <- repository –  Jun 21 '10 at 19:01
  • Wow, we're miles off topic... but thanks! –  Jun 21 '10 at 20:10

They're probably using open proxy servers.

Gert G
  • So you think they are running a script that utilises open proxy servers to FTP from a single machine using 5 different IP addresses? –  Jun 21 '10 at 20:15
  • Yes, that might be it. It wouldn't be too hard for the attacker to just switch the proxy IP and do a new attack. – Gert G Jun 21 '10 at 20:37

Sounds like your server was had by a botnet.

Jubal

Rather than a botnet, the FTP user/password (which was definitely compromised based on the logs you've provided) was passed on IRC, and several hackers that have compromised boxes around the net are running their scripts that automatically deface and add remote shells to machines.

karmawhore
  • It's a mystery how the password was compromised. It was a 12 digit strong password and I have only used FTP to this account maybe a couple of times ever and not in the last 3 months - I'm the only one with the details and there is only one FTP account. Also I have had no malware/virus on my workstation. – Owen Jun 23 '10 at 07:53
  • It was leaked somewhere. Your logs show they used your FTP username/password (unless they rooted the box and modified the FTP client to allow any password to validate). Since you believe the password is secure, and you've logged in since then, we can assume that the hackers didn't change the password. FTP is also able to be sniffed since the authentication challenge/response is sent in the clear. Some hosting companies store user/password information in the clear in their database. Same with some control panels. – karmawhore Jun 23 '10 at 16:57
  • It is now looking like a Gumblar type virus on a machine in the local network... I think this virus can sniff FTP packets coming from a 'clean' workstation. – Owen Jun 26 '10 at 13:21