How is it possible for a person to upload files to a site they don't have credentials to?

2

A little while ago I got this email:

hi there,
i am [name], security expert.

your website is not secured. you use a weak password. and you didnt install security to     prevent hacking/malware attacks.
as proof, i upload a file: http://[site]/1337[name].html
dont worry. i didnt edit/change/delete anything of your wesbite. feel free to contact with me to fix security issue. 

cheers
[name]

I checked and the file is there with the content:

hi, i upload this file to proof that your website is not secure. please check your email. 
cheers

This reeks of scam and phishing (particularly the bad English), but I am spooked that this file I didn't create is up on my server.

For reference, I am using a GoDaddy shared hosting server with SSH enabled, and running a WordPress site with a bunch of subdirectories which have various website personal projects I've worked on, a number using PHP for database (and old Facebook SDK) connections. The file appears to be created by my FTP user.

How is it possible that this person put a file up on my site? How can I patch this security hole? I have already changed my (S)FTP password.

Esaevian

Posted 2014-02-04T18:57:55.773

Reputation: 121

Question was closed 2014-02-05T16:57:12.997

Have you contacted Godaddy? There is no way to answer your question as asked - not enough info. I suspect it will be closed. – Xavierjazz – 2014-02-04T19:05:13.070

You're saying there are no common security holes for the setup I posted? If that's the case I'll close it myself. – Esaevian – 2014-02-04T19:06:53.773

@Esaevian - There are tons of security issues with your current setup. You don't indicate how long the password was. You didn't indicate if you're running the current version of WordPress. The person clearly got access to your FTP account. You should consider this to be a real threat. You could always contact the person and have them explain. If they won't tell you for free then disregard anything they have to say and handle the problem yourself. – Ramhound – 2014-02-04T19:14:17.893

Definitely looks like a phishing scam to me. Often an attacker will do something like this in order to phish more data from you. The fact that it states you use a weak password could indicate that they already know what it is, and they uploaded a file normally. GoDaddy has really bad security and their customer service agents give out privileged information to clever phishers. "How I lost my $50,000 twitter account."

– malfy – 2014-02-04T19:14:35.707

@malfy - GoDaddy's account web security itself is fine. They support 2-factor authentication for instance. The fact an employee was tricked into doing something is a slightly different kind of problem. – Ramhound – 2014-02-04T19:16:43.190

@Ramhound Fair enough. I'll close the question and deal with this myself. – Esaevian – 2014-02-04T19:29:58.207

Whatever, this isn't a discussion board to argue about GoDaddy's services. The fact still remains that they have poor security. Maybe not at the software level, but as far as training their employees, they have failed. – malfy – 2014-02-04T19:31:35.057

@Esaevian - The important thing to note is the following. DO NOT GIVE UP ANY INFORMATION. You are either dealing with an honest person or you are trying to be scammed. If you ask for more information (not saying you should) it should be FREE. – Ramhound – 2014-02-04T19:31:36.103

@malfy - GoDaddy isn't the first huge company to be socially engineered in this way. – Ramhound – 2014-02-04T19:32:36.090

@Ramhound Thanks. I am sort of worried about the information I am giving just by responding, but I guess that's what spam filters are for. – Esaevian – 2014-02-04T19:33:02.013

@Esaevian - He already has your email. What additional information are you giving out? Your domain whois has more information than you might realize out in the public. – Ramhound – 2014-02-04T19:35:13.180

If you have WordPress set up to upload its content via your FTP username, it's likely they exploited a WordPress vulnerability. – malfy – 2014-02-04T19:35:55.330

Is your site set to allow anonymous FTP connections? – Scorpion99 – 2014-02-04T19:46:00.223

@Ramhound, that the email is actually an active email, and not just a black hole. Also the email they contacted me at is not the email on the domain whois, nor on the website itself. – Esaevian – 2014-02-04T19:46:28.343

@Scorpion99 Nope. I don't even have the option. – Esaevian – 2014-02-04T19:47:03.233

Please don't use comments for chatting or extended discussion. At this point I suggest you better take this to [chat]. Thanks – slhck – 2014-02-04T19:47:51.377

You should post this question on security.stackexchange; they may have useful insight and suggestions. Include WP versions and info on whether your php userids are distinct from your ftp userid. – mgkrebbs – 2014-02-04T19:49:13.083

@mgkrebbs If at all, the OP should have the question migrated there, and not post again. – slhck – 2014-02-04T20:08:44.947

@slhck, that might be true, especially to preserve this wonderful sequence of comments, but it would require that someone with the power to migrate the question would recognize that this web server security question doesn't fit Superuser and does fit Security, and actually take action to migrate it. – mgkrebbs – 2014-02-04T20:19:58.413

Answers

2

Someone can change files on your server without having any of your passwords. Injection attacks like this are very popular.

Make sure your WordPress and PHP installations are up to date. It is also possible that you have a vulnerability in a plugin or theme. Make sure they are up to date as well, and be sure to disable any plugins/themes you don't need.

Alex McKenzie

Posted 2014-02-04T18:57:55.773

Reputation: 1 559
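
One way to work out which route the file took, as an added example that is not part of the original answer: on many shared hosts PHP runs as the account's own user, so a file written through a vulnerable script has the same owner as one uploaded over FTP, and the web access log is what tells them apart. The sketch below assumes Apache "combined" log format; the log lines, paths and IP addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format is assumed; adjust the regex for other formats.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
198.51.100.7 - - [04/Feb/2014:17:58:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Feb/2014:18:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Feb/2014:18:02:40 +0000] "POST /projects/old/upload.php HTTP/1.1" 200 31 "-" "curl/7.30"
203.0.113.9 - - [04/Feb/2014:18:02:44 +0000] "GET /1337example.html HTTP/1.1" 200 98 "-" "curl/7.30"
198.51.100.7 - - [04/Feb/2014:19:30:00 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress"
"""

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip malformed or truncated lines
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def suspects(log_text, file_mtime, window=timedelta(minutes=5)):
    """Return successful write-capable requests made shortly before file_mtime."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if not rec["status"].startswith(("2", "3")):
            continue  # failed requests did not write anything
        # Allow two seconds of slack after mtime for clock and logging skew.
        if file_mtime - window <= rec["ts"] <= file_mtime + timedelta(seconds=2):
            hits.append((rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"]))
    return hits

if __name__ == "__main__":
    # On the server, take this from os.stat(path).st_mtime of the planted file.
    mtime = datetime.strptime("04/Feb/2014:18:02:41 +0000", TS_FMT)
    for hit in suspects(SAMPLE_LOG, mtime):
        print(*hit)
```

If no HTTP request lines up with the file's timestamp, the host's FTP/SFTP login records are the next place to look.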