#1
06-24-2009, 10:38 PM
sallen812 (Registered User; joined Oct 2005; 14 posts)
FTP Hacker

It looks like I have a hacker getting into my C-panel server.

Here is the /var/log/messages section that logs the Pure-FTPd session. Is there a way to stop this?

Jun 24 04:01:37 server pure-ftpd: (?@59.93.71.35) [INFO] New connection from 59.93.71.35
Jun 24 04:01:38 server pure-ftpd: (?@59.93.71.35) [INFO] sallenus is now logged in
Jun 24 04:01:41 server pure-ftpd: (sallenus@59.93.71.35) [INFO] Logout.
Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] New connection from 89.36.138.87
Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] sallenus is now logged in
Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [NOTICE] /home/sallenus//public_html/index.php downloaded (872 bytes, 50.85KB/sec)
Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [INFO] Logout.
Jun 24 04:01:54 server pure-ftpd: (?@202.150.113.249) [INFO] New connection from 202.150.113.249
Jun 24 04:01:56 server pure-ftpd: (?@202.150.113.249) [INFO] sallenus is now logged in
Jun 24 04:02:04 server named[12119]: lame server resolving '21.229.108.59.in-addr.arpa' (in '229.108.59.in-addr.arpa'?): 219.232.48.62#53
Jun 24 04:02:05 server pure-ftpd: (sallenus@202.150.113.249) [NOTICE] /home/sallenus//public_html/index.php uploaded (950 bytes, 0.28KB/sec)
Jun 24 04:02:06 server pure-ftpd: (sallenus@202.150.113.249) [INFO] Logout.
Jun 24 04:02:09 server pure-ftpd: (?@75.187.192.237) [INFO] New connection from 75.187.192.237
Jun 24 04:02:10 server pure-ftpd: (?@75.187.192.237) [INFO] sallenus is now logged in
Jun 24 04:02:12 server pure-ftpd: (sallenus@75.187.192.237) [NOTICE] /home/sallenus//public_html/html/index.html downloaded (1370 bytes, 30.04KB/sec)
Jun 24 04:02:12 server pure-ftpd: (sallenus@75.187.192.237) [INFO] Logout.
Jun 24 04:02:15 server pure-ftpd: (?@88.109.5.212) [INFO] New connection from 88.109.5.212
Jun 24 04:02:16 server pure-ftpd: (?@88.109.5.212) [INFO] sallenus is now logged in
Jun 24 04:02:18 server pure-ftpd: (sallenus@88.109.5.212) [NOTICE] /home/sallenus//public_html/html/index.html uploaded (1449 bytes, 4.79KB/sec)
Jun 24 04:02:18 server pure-ftpd: (sallenus@88.109.5.212) [INFO] Logout.
Jun 24 04:02:21 server pure-ftpd: (?@75.187.192.237) [INFO] New connection from 75.187.192.237
Jun 24 04:02:21 server pure-ftpd: (?@75.187.192.237) [INFO] sallenus is now logged in
Jun 24 04:02:23 server pure-ftpd: (sallenus@75.187.192.237) [NOTICE] /home/sallenus//public_html/suspended.page/index.html downloaded (3494 bytes, 69.96KB/sec)
Jun 24 04:02:24 server pure-ftpd: (sallenus@75.187.192.237) [INFO] Logout.
Jun 24 04:02:26 server pure-ftpd: (?@91.64.208.10) [INFO] New connection from 91.64.208.10
Jun 24 04:02:27 server pure-ftpd: (?@91.64.208.10) [INFO] sallenus is now logged in
Jun 24 04:02:29 server pure-ftpd: (sallenus@91.64.208.10) [NOTICE] /home/sallenus//public_html/suspended.page/index.html uploaded (3561 bytes, 7.29KB/sec)
Jun 24 04:02:30 server pure-ftpd: (sallenus@91.64.208.10) [INFO] Logout.
Jun 24 04:02:32 server pure-ftpd: (?@86.20.64.110) [INFO] New connection from 86.20.64.110
Jun 24 04:02:33 server pure-ftpd: (?@86.20.64.110) [INFO] sallenus is now logged in
Jun 24 04:02:35 server pure-ftpd: (sallenus@86.20.64.110) [NOTICE] /home/sallenus//public_html/themes/engines/phptemplate/default.tpl.php downloaded (128 bytes, 5.42KB/sec)
Jun 24 04:02:35 server pure-ftpd: (sallenus@86.20.64.110) [INFO] Logout.
Jun 24 04:02:38 server pure-ftpd: (?@92.84.250.31) [INFO] New connection from 92.84.250.31
Jun 24 04:02:38 server pure-ftpd: (?@92.84.250.31) [INFO] sallenus is now logged in
Jun 24 04:02:41 server pure-ftpd: (sallenus@92.84.250.31) [NOTICE] /home/sallenus//public_html/themes/engines/phptemplate/default.tpl.php uploaded (238 bytes, 0.83KB/sec)
Jun 24 04:02:41 server pure-ftpd: (sallenus@92.84.250.31) [INFO] Logout.
#2
06-25-2009, 06:56 AM
Infopro (Forum Moderator; Pennsylvania; joined May 2003; 3,498 posts)
Have you changed your passwords to something much stronger and scanned your PC?
#3
06-25-2009, 10:45 AM
mtindor (Registered User; joined Sep 2004; 792 posts)
Pretty interesting how that is done. Multiple different IP addresses accessing the same account within seconds, each accessing/modifying a different page.

I hesitate to say that's from a full fledged botnet, but it's likely from multiple compromised machines being controlled from an IRC channel or some other distributed remote means.

Somebody issues a command to log in and change files, and all applicable participants act immediately.

It is likely that this isn't actually the first time that account has been breached. It probably was breached initially, and during that time no directory listing or other activity was likely done, just a quick login/logout to verify that it can be accessed. Then they sit on it for a while (perhaps weeks or more) without making use of it (so you have no reference left on your server in the logfiles from the previous access). Then they pounce and have it do a quick change of your various html/php pages.

They probably added additional malicious javascript code to each of those pages, or an iframe or something.

Like Infopro said, change your password for that account immediately, to something that is very strong. Set up your cPanel to require strong passwords across the board.

Go through all of your FTP logs for the past month (or as long as you have them) and look around for strangeness. If you see a group of accounts being accessed in quick succession by the same IP, then you can assume that somebody got hold of your passwd/shadow files and brute-force broke the weak passwords. If this were the case, you'd want to implement that secure password policy within cPanel and then change every current account's password as quickly as possible to something that is secure.

It may be isolated [it most often is], but I have seen it where obviously somebody got a hold of the passwd/shadow files on the server, spent a long time cracking as many easy passwords as they could, then many months later pounced on multiple accounts at once.

Mike
#4
06-25-2009, 10:46 AM
bjdea1 (Registered User; joined Mar 2003; 77 posts)
There are a lot of hackers sniffing FTP network traffic lately.

Since FTP transmits usernames and passwords in plain text over the network, hackers are able to sniff (discover/steal) your clients' usernames and passwords and store them in databases. They can then simply FTP into your users' accounts, using mass FTP bots to modify thousands of webpages worldwide.

The best and only solution we found was to force SECURE FTP; in our case we chose FTPES (explicit secure FTP). This then makes all FTP data transmitted over networks encrypted. That way hackers can't sniff your clients' usernames and passwords.

Pure-FTPd can be set up in WHM to ONLY ALLOW secure FTP connections. This is what we have done; now our users can only connect via FTPES (secure FTP).

FileZilla and FireFTP are both FREE FTP clients and both support FTPES (FTP over TLS); many more free FTP clients will include support for secure FTPES soon too.

I want to get this message out because this is one of the biggest security threats on the internet at the moment. Everyone should make their FTP server accept secure FTP connections only. As soon as we switched all our servers over to ONLY FTPES, all hacking activity completely stopped.

Last edited by bjdea1; 06-25-2009 at 10:49 AM.
#5
06-25-2009, 12:05 PM
sallen812 (Registered User; joined Oct 2005; 14 posts)
Looks like one of my PCs with FileZilla got hacked. All passwords have been changed and the problem has stopped.

Thanks for the replies

Steven
#6
06-25-2009, 01:02 PM
Stefaans (Registered User; Vancouver, Canada; joined Mar 2002; 443 posts)
This sounds exactly like the IFRAME hacks that have been discussed on this forum. Your computer gets infected with a trojan when viewing a hacked page (and you download something?). The trojan transmits your FTP passwords back to the hacker whenever you use FileZilla or another FTP client. The hacker then uses a network of infected computers to modify the web pages to plant more IFRAME hacks...

Sallen812, changing your FTP passwords will solve the problem, but only if you are 100% sure that your computer is virus free.
Stephen @ ANNO Internet
#7
07-02-2009, 12:55 PM
whplus (Registered User; joined Dec 2007; 43 posts)
'Force' all users to connect via FTP over TLS.
#8
07-02-2009, 08:40 PM
bjdea1 (Registered User; joined Mar 2003; 77 posts)
Yes, exactly, this is the best solution. We have implemented it and our clients have accepted it. Now all the past security problems have completely stopped. I want others to do this also so the old FTP protocol can be dumped; it's very insecure.
#9
07-02-2009, 08:58 PM
Spiral (Registered User; Area 51; joined Jun 2005; 1,501 posts)
Quote, originally posted by Stefaans:
This sounds exactly like the IFRAME hacks that have been discussed on this forum. Your computer gets infected with a trojan when viewing a hacked page (and you download something?). The trojan transmits your FTP passwords back to the hacker whenever you use FileZilla or another FTP client. The hacker then uses a network of infected computers to modify the web pages to plant more IFRAME hacks...

Sallen812, changing your FTP passwords will solve the problem, but only if you are 100% sure that your computer is virus free.
Thank you, Stefaans!

I'm getting tired of the "oh my $@$@ server hacked" posts everywhere!

Yes, as Stefaans summarized, there is a group of hackers operating out of China right now who are getting their passwords via the use of trojans on the users' own computers at home and NOT the servers or data centers where their web hosting accounts are located.

It is important to note a few things:

1. Unless you totally clean your home computer of these trojan viruses, any password changes you do at your hosting company will not work because the hackers will be updated to your new password.

2. The hacking group is not only collecting web hosting information from your computer at home but banking login information as well, and if you logged into your bank from an infected home computer, they likely have your bank login as well. There have been reports of unauthorized bank transfers being made in various places already.

If you suspect your computer is infected, get the latest updates to one of the top 5 antivirus programs and run full scans on your computer, along with the latest updates from a good trojan detection tool such as Spy Doctor or, if that is out of reach, at least SpyBot Search and Destroy, and try to confirm your computer is completely clean. If it were me, I would go ahead and change all my web hosting and bank passwords yet again after doing all the local computer scans, just to be sure.
#10
07-04-2009, 11:34 AM
Silver_2000 (Registered User; joined Mar 2002; 269 posts)
Quote, originally posted by whplus:
'Force' all users to connect via FTP over TLS.

Assuming I understand this correctly:

That only secures the password in transit. If the user's PC is compromised and the passwords are saved, then TLS in this case doesn't help.
#11
07-04-2009, 11:57 AM
Spiral (Registered User; Area 51; joined Jun 2005; 1,501 posts)
Quote, originally posted by Silver_2000:
Assuming I understand this correctly:

That only secures the password in transit. If the user's PC is compromised and the passwords are saved, then TLS in this case doesn't help.
Correct! The current exploit attack heavily in the wild right now involves keylogging, packet capturing, and file analysis from the victim's own home computer.

It doesn't really matter what you do, aside from implementing a one-time keypad on the server side, because as long as the user is infected, the hacking group behind this will know how to log in, and it does not matter if you force secure FTP, use only certificates, or anything else.

A lot of people erroneously believe right now that FTP is being hacked because they don't know what is really going on and are making bad assumptions, and then through those same bad assumptions they recommend you switch your FTP software or disable FTP and go to secure FTP or implement some encryption method which is by definition already compromised as long as the end user is still able to log in from their home computer.

The best action at the moment for anyone found infected is to suspend their accounts or change their passwords to prevent the home user from being able to log in themselves until they can disinfect their home computers!
#12
07-04-2009, 01:50 PM
Silver_2000 (Registered User; joined Mar 2002; 269 posts)
One step that might help, if your server can support it: a little help will come from banning IPs from the affected countries.

I know that it isn't a perfect solution since the abusers can spoof IPs and use proxies, but my server ONLY serves the US, Canada and northern Europe, so I've blocked many of the suspect countries by IP at the firewall.

A number of years back (5) the server that I shared at that time was compromised with iframe injection attacks. That server was behind on kernel updates and had a number of other weaknesses.
Do everything and anything you can to protect yourself from these problems: firewall, IP blocks, port scanning detection, LFD detection etc.

One final note: if you are on shared hosting, meaning you are on a VPS or one of thousands of accounts on a server that advertises as "unlimited everything" for $3 a month, you are then subject to the weaknesses that such a monster server has to be configured for. You are getting what you pay for. If any one of your "roommates" on that server gets exploited, then your site is more likely to be affected by that exploited neighbor.
#13
07-04-2009, 02:47 PM
otho232 (Registered User; joined Jul 2009; 1 post)
I too had a similar problem some time back, and I consulted a specialist.
#14
07-04-2009, 02:48 PM
eth00 (Registered User; Washington DC; joined Mar 2003; 597 posts)
My money is not on anything being wrong with the server but instead on the Gumblar virus: "Stolen FTP Credentials Key to Gumblar Attack" (Trend Micro Malware Blog).

We have seen a LOT of clients have trouble with this, though recently not nearly as many as in the past.
John W
#15
07-11-2009, 12:54 PM
ramzex (Registered User; joined May 2006; 7 posts)
Crap!

This is not the iframe method!
We had exactly the same issues on our customers' web servers.
We have investigated this issue and found the following:

1. A PHP shell script (which contains numerous PHP/Apache/Zend exploits) was uploaded through an XSS attack.

2. Script has been used to gather usernames from the servers.

3. Script has modified the passwords of the accounts located in /etc/passwd

4. Hackers connected from different IPs to the FTP accounts and uploaded/deleted files.

Solution:
1. Upgrade to Apache 2.2 with the latest PHP version (a must!) and compile with Suhosin, suPHP and suEXEC.

2. Install mod_security from the cPanel addons.

3. Install mod_security rules from gotroot.com (they have a free rules download also).

4. Install the ClamAV addon from cPanel.

5. Forbid the following functions in php:

exec,popen,pclose,ini_set,php_eval,safe_dir,zend,glob,root,chdir,ftok,posix_access,egy_perl,symlink, set_time_limit,ini_restore, shell_exec, passthru, error_log, ini_alter, dl, openlog, syslog, readlink, symlink, link, leak, popen, escapeshellcmd,proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, escapeshellarg, pcntl_exec, exec, passthru, popen, wscript, curl_exec,apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode,realpath

Please note that some functions like realpath or chdir may be used by some websites.

6. Enable FTP TLS Encryption Support as Required.

7. Change your SSH port to something else.

8. Enable brute-force protection.

9. Install a firewall.

We found that the shell scripts uploaded were base64 encoded.

Use this search command over SSH to find files that are base64 encoded and take a look at them, as they may be backdoors (the -name test must come before -print0, otherwise every file is passed to grep, not just the PHP files):

find /home -type f -name "*.php*" -print0 | xargs -0 grep -l "eval(gzinflate(base64_decode"

Replace "/home" with your path.

Also find files that use the PHP function posix_getpwuid, as this is how they list the server's usernames!

There are other vulnerabilities with Zend also!
Even if you enable Safe Mode in PHP they can still list /etc/passwd or any other system file, even though the open_basedir restriction is enabled.
We are still investigating this and I will update you as soon as we have a solution.

Also we found another Perl script that came with the shell code above.
It uses the symlink() function to create a symlink from the vulnerable account to any other account or directory on the server. This way they have access to everything.

If someone has more ideas on how to secure the server against these vulnerabilities, please let us know.

I will also keep you updated.

Thanks.

Last edited by ramzex; 07-11-2009 at 12:57 PM.
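A Python version of the search in the post above, added here as an illustration and not ramzex's command or any cPanel tooling. It goes one step further than the find/grep: it peels the nested eval(gzinflate(base64_decode(...))) layers so the posix_getpwuid indicator is caught even when it only appears inside the decoded payload. The sample files, the 2 MB size cap and the ten-layer limit are the example's own assumptions; PHP's gzinflate() is raw DEFLATE, which is why zlib is used with wbits=-15.

```python
import base64
import os
import re
import tempfile
import zlib

# Indicators named in the post: the obfuscation wrapper and the account-
# enumeration call.  Checked against both the raw file and the decoded code.
INDICATORS = (b"eval(gzinflate(base64_decode", b"posix_getpwuid")
WRAPPER_RE = re.compile(
    rb"eval\(gzinflate\(base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\)\)")

def unwrap(src, max_layers=10):
    """Peel nested eval(gzinflate(base64_decode('...'))) layers and return
    (layers_removed, innermost_source); the cap stops a malformed sample looping."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER_RE.search(src)
        if not m:
            break
        try:
            src = zlib.decompress(base64.b64decode(m.group(1)), -15)  # raw DEFLATE
        except (ValueError, zlib.error):
            break  # undecodable payload: keep what we have, still flagged
        layers += 1
    return layers, src

def scan_tree(root, max_bytes=2_000_000):
    """Walk root for *.php* files (the post's find pattern) and report each one
    carrying an indicator, with the layer count and a decoded preview."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if ".php" not in name:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:  # skip huge uploads and logs
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            layers, inner = unwrap(data)
            found = sorted(i.decode() for i in INDICATORS if i in data or i in inner)
            if found:
                hits.append({"path": path, "indicators": found, "layers": layers,
                             "preview": inner[:80].decode("latin-1")})
    return hits

def make_wrapped_sample(inner, layers):
    """Constructed test fixture (not a real shell): wrap `inner` in `layers`
    nested eval(gzinflate(base64_decode())) envelopes, as the post describes."""
    src = inner
    for _ in range(layers):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as gzinflate expects
        enc = base64.b64encode(c.compress(src) + c.flush()).decode()
        src = f"<?php eval(gzinflate(base64_decode('{enc}'))); ?>".encode()
    return src

def demo():
    """Plant one clean page and one double-wrapped sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php echo 'ordinary page'; ?>")
        with open(os.path.join(root, "x.php.bak"), "wb") as fh:
            fh.write(make_wrapped_sample(b"<?php posix_getpwuid(0); ?>", 2))
        return scan_tree(root)
```

Run `scan_tree("/home")` on a real server; a plain grep for posix_getpwuid would miss the second sample because the string only exists after decoding.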