
Thread: FTP Hacks

  1. #1
    Registered Member
    Join Date
    Aug 2002
    Posts
    1,185

    FTP Hacks

    I am starting to see a few FTP hacks on our servers. This is where someone logs into the FTP account and downloads the index.htm file on the account, places malicious JavaScript code in the file and reuploads it. I'm seeing this on maybe 4 or 5 accounts a week on our servers.

    First, I have to ask if this is perhaps a new vulnerability in pure-ftpd? I don't think it is, because I'm not seeing enough exploits to really point to this being a widespread problem.

    I suspect that this has to do with the thread at:

    http://forums.cpanel.net/showthread.php?t=62821

    but that thread is a few years old. I haven't read through all of the thread, but from what I gather from this thread, the problem is related to keyloggers and trojans being installed on the client's personal computer. I figure that this is the case with what I am experiencing. Is the Mpack exploit still being used as it is referenced in that thread? Is the Mpack exploit still undetectable? Is it another exploit, maybe something newer than Mpack?

    I suppose my main question regarding this is: if a client's personal computer is infected with something, what type of scanner do they need to run on their computer to show the infection? Will AVG or Avast report this exploit? I am looking for some way to show and prove to the user that their personal computer is infected.

  2. #2
    cPanelDavidG (Technical Product Specialist)
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,290
    cPanel/WHM Access Level

    Root Administrator


    While that thread is old, it is still an active thread and the attack vector mentioned (vulnerable customer workstations) continues to be an issue. There were two inter-related presentations from the 2008 cPanel Conference that discuss this issue in great depth:

    http://www.cpanel.net/conference/08/...ngSecurity.pdf

    http://www.cpanel.net/conference/08/...zedThreats.pdf

    As far as showing the user that their PC is infected, I recommend a combination of a virus scanner and an adware scanning application.

  3. #3
    Registered Member
    Join Date
    Aug 2002
    Posts
    1,185


    Any recommended Anti-Virus and adware applications that detect a lot of these? Preferably something that is free, since it is easier to tell customers to use a free product.

    I normally recommend AVG and Adaware, but are there any others that are better?

  4. #4
    cPanelDavidG (Technical Product Specialist)
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,290
    cPanel/WHM Access Level

    Root Administrator


    cPanel, Inc. does not have any official recommendations for anti-virus or adware detection applications at this time.

    I personally have used Adaware, Spyware Search and Destroy as well as ClamAV for Windows and AVG. Some of my friends speak highly of Avast, but I have not yet used that application myself. All of these products I mentioned do have free versions that are publicly available on the Windows platform.

  5. #5
    Infopro (cPanel Product Evangelist)
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    11,378
    cPanel/WHM Access Level

    Root Administrator


    You can check your PC at this URL for free. http://safety.live.com

  6. #6
    Registered Member
    Join Date
    Nov 2002
    Posts
    153

    Norton do a free security scanner that can be downloaded. It finds viruses/malware but does not remove them. It is still a good scanner and at least lets the customer know they have a virus.

    A combination of Norton, Avast & SuperAntiSpyware is a decent free option.

    I had 3 accounts hacked this morning on 3 different servers. I have found since Sept 2008 that these hacks are always due to a virus on the user's PC. Resellers are the biggest risk because if they get a virus then any customers' passwords they have are all leaked.
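
An added example, not part of the original thread: a server-side triage script for the pattern described in the first post, where an index page is downloaded over FTP and re-uploaded shortly afterwards by the same account. It assumes transfer logs in the wu-ftpd-style xferlog format; the sample lines, the 120-second window, the index-name pattern and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta
import posixpath
import re

# Constructed sample lines in xferlog format (assumption: not from the thread).
SAMPLE_LOG = """\
Thu Mar 12 09:14:02 2009 1 203.0.113.7 4821 /home/alice/public_html/index.htm a _ o r alice ftp 0 * c
Thu Mar 12 09:14:05 2009 1 203.0.113.7 5390 /home/alice/public_html/index.htm a _ i r alice ftp 0 * c
Thu Mar 12 10:02:11 2009 2 198.51.100.20 9100 /home/bob/public_html/index.html a _ o r bob ftp 0 * c
Thu Mar 12 11:30:00 2009 1 192.0.2.44 120 /home/carol/public_html/logo.gif b _ i r carol ftp 0 * c
Thu Mar 12 14:40:37 2009 2 198.51.100.20 9180 /home/bob/public_html/index.html a _ i r bob ftp 0 * c
"""

# Landing pages worth watching (assumed list; extend for your sites).
INDEX_RE = re.compile(r"^(index|default|home)\.(html?|php)$", re.I)

def parse_xferlog(line):
    """Return a dict for one xferlog line, or None if it does not parse."""
    f = line.split()
    if len(f) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(f[7])
    except ValueError:
        return None
    return {"time": when, "host": f[6], "size": size, "path": f[8],
            "direction": f[11], "user": f[13], "complete": f[17] == "c"}

def find_reuploads(log_text, window=timedelta(seconds=120)):
    """Flag index pages downloaded ('o') and then re-uploaded ('i') by the
    same FTP user within `window`. Returns one finding per such upload."""
    events = [e for e in map(parse_xferlog, log_text.splitlines())
              if e and e["complete"] and INDEX_RE.match(posixpath.basename(e["path"]))]
    events.sort(key=lambda e: e["time"])
    last_download = {}  # (user, path) -> most recent download event
    findings = []
    for e in events:
        key = (e["user"], e["path"])
        if e["direction"] == "o":
            last_download[key] = e
        elif e["direction"] == "i" and key in last_download:
            d = last_download.pop(key)
            if e["time"] - d["time"] <= window:
                findings.append({"user": e["user"], "path": e["path"], "host": e["host"],
                                 "same_host": e["host"] == d["host"],
                                 "seconds": int((e["time"] - d["time"]).total_seconds()),
                                 "size_delta": e["size"] - d["size"]})
    return findings
```

A hit is a lead for review, not proof: a customer editing a page by hand over FTP produces the same sequence, usually over minutes or hours rather than seconds, which is why the window is short.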
