
FTP Hacks

Discussion in 'General Discussion' started by sparek-3, Apr 13, 2009.

  1. sparek-3

    sparek-3 Active Member

    I am starting to see a few FTP hacks on our servers. This is where someone logs into the FTP account and downloads the index.htm file on the account, places malicious JavaScript code in the file and re-uploads it. I'm seeing this on maybe 4 or 5 accounts a week on our servers.

    First, I have to ask if this is perhaps a new vulnerability in pure-ftpd? I don't think it is, because I'm not seeing enough exploits to really point to this being a widespread problem.

    I suspect that this has to do with the thread at:

    http://forums.cpanel.net/showthread.php?t=62821

    but that thread is a few years old. I haven't read through all of the thread, but from what I gather from it, the problem is related to keyloggers and trojans being installed on the client's personal computer. I figure that this is the case with what I am experiencing. Is the Mpack exploit still being used as it is referenced in that thread? Is the Mpack exploit still undetectable? Is it another exploit, maybe something newer than Mpack?

    I suppose my main question regarding this is: if a client's personal computer is infected with something, what type of scanner do they need to run on their computer to show the infection? Will AVG or Avast report this exploit? I am looking for some way to show and prove to the user that their personal computer is infected.
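
The pattern described in the post above (an FTP login that downloads an account's index file and uploads a modified copy shortly afterwards) can be searched for in the server's transfer log. This is an added example, not code from the thread or from cPanel; it assumes the FTP server writes a standard xferlog-format transfer log, and the sample lines, hosts and account names are constructed.

```python
import os
from datetime import datetime, timedelta

# Constructed sample lines in xferlog format (assumed log format; hosts/users are made up).
SAMPLE_XFERLOG = """\
Mon Apr 13 03:12:01 2009 1 203.0.113.50 4312 /home/alice/public_html/index.htm a _ o r alice ftp 0 * c
Mon Apr 13 03:12:09 2009 1 203.0.113.50 4790 /home/alice/public_html/index.htm a _ i r alice ftp 0 * c
Mon Apr 13 09:30:00 2009 2 198.51.100.7 9000 /home/bob/public_html/index.htm b _ i r bob ftp 0 * c
Mon Apr 13 10:00:00 2009 1 192.0.2.10 2000 /home/carol/public_html/index.php a _ o r carol ftp 0 * c
Mon Apr 13 14:00:00 2009 1 192.0.2.10 2100 /home/carol/public_html/index.php a _ i r carol ftp 0 * c
"""

def parse_line(line):
    """Parse one xferlog record; returns None for lines that do not fit the format."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    # The last nine fields are fixed; whatever sits between is the path (may contain spaces).
    return {"time": when, "host": tok[6], "size": size, "path": " ".join(tok[8:-9]),
            "direction": tok[-7], "user": tok[-5], "status": tok[-1]}

def find_reuploads(log_text, window=timedelta(minutes=10)):
    """Flag an index.* file downloaded ('o') and re-uploaded ('i') by the same
    account from the same host within `window`."""
    downloads, hits = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "c":  # completed transfers only
            continue
        if not os.path.basename(rec["path"]).lower().startswith("index."):
            continue
        key = (rec["user"], rec["host"], rec["path"])
        if rec["direction"] == "o":
            downloads[key] = rec  # remember the most recent download of this file
        elif rec["direction"] == "i" and key in downloads:
            prev = downloads.pop(key)
            if rec["time"] - prev["time"] <= window:
                hits.append({"user": rec["user"], "host": rec["host"], "path": rec["path"],
                             "grew_by": rec["size"] - prev["size"]})
    return hits

if __name__ == "__main__":
    for hit in find_reuploads(SAMPLE_XFERLOG):
        print(hit)
```

A hit is a lead for inspecting the file and contacting the account owner, since a site owner editing their own page produces the same sequence.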
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    While that thread is old, it is still an active thread and the attack vector mentioned (vulnerable customer workstations) continues to be an issue. There were two inter-related presentations from the 2008 cPanel Conference that discuss this issue in great depth:

    http://www.cpanel.net/conference/08/files/SharedHostingSecurity.pdf

    http://www.cpanel.net/conference/08/files/SystemizedThreats.pdf

    As far as showing the user that their PC is infected, I recommend a combination of a virus scanner and an adware scanning application.
     
  3. sparek-3

    sparek-3 Active Member

    Any recommended anti-virus and adware applications that detect a lot of these? Preferably something that is free, since it is easier to tell customers to use a free product.

    I normally recommend AVG and Adaware, but are there any others that are better?
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    cPanel, Inc. does not have any official recommendations for anti-virus or adware detection applications at this time.

    I personally have used Adaware, Spyware Search and Destroy as well as ClamAV for Windows and AVG. Some of my friends speak highly of Avast, but I have not yet used that application myself. All of these products I mentioned do have free versions that are publicly available on the Windows platform.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  6. simplybe

    simplybe Member

    Norton do a free security scanner that can be downloaded. It finds viruses/malware but does not remove them. It is still a good scanner and at least lets the customer know they have a virus.

    A combination of Norton, Avast & SUPERAntiSpyware is a decent free option.

    I had 3 accounts hacked this morning on 3 different servers. I have found since Sept 2008 that these hacks are always due to a virus on the user's PC. Resellers are the biggest risk because if they get a virus then any customers' passwords they have are all leaked.
     
