FTP Hacker

Discussion in 'Security' started by sallen812, Jun 24, 2009.

  1. sallen812

    sallen812 Member

    Joined:
    Oct 20, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    It looks like I have a hacker getting into my cPanel server.

    Here is the /var/log/messages section that logs the Pure-FTPd session. Is there a way to stop this?

    Jun 24 04:01:37 server pure-ftpd: (?@59.93.71.35) [INFO] New connection from 59.93.71.35
    Jun 24 04:01:38 server pure-ftpd: (?@59.93.71.35) [INFO] sallenus is now logged in
    Jun 24 04:01:41 server pure-ftpd: (sallenus@59.93.71.35) [INFO] Logout.
    Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] New connection from 89.36.138.87
    Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] sallenus is now logged in
    Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [NOTICE] /home/sallenus//public_html/index.php downloaded (872 bytes, 50.85KB/sec)
    Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [INFO] Logout.
    Jun 24 04:01:54 server pure-ftpd: (?@202.150.113.249) [INFO] New connection from 202.150.113.249
    Jun 24 04:01:56 server pure-ftpd: (?@202.150.113.249) [INFO] sallenus is now logged in
    Jun 24 04:02:04 server named[12119]: lame server resolving '21.229.108.59.in-addr.arpa' (in '229.108.59.in-addr.arpa'?): 219.232.48.62#53
    Jun 24 04:02:05 server pure-ftpd: (sallenus@202.150.113.249) [NOTICE] /home/sallenus//public_html/index.php uploaded (950 bytes, 0.28KB/sec)
    Jun 24 04:02:06 server pure-ftpd: (sallenus@202.150.113.249) [INFO] Logout.
    Jun 24 04:02:09 server pure-ftpd: (?@75.187.192.237) [INFO] New connection from 75.187.192.237
    Jun 24 04:02:10 server pure-ftpd: (?@75.187.192.237) [INFO] sallenus is now logged in
    Jun 24 04:02:12 server pure-ftpd: (sallenus@75.187.192.237) [NOTICE] /home/sallenus//public_html/html/index.html downloaded (1370 bytes, 30.04KB/sec)
    Jun 24 04:02:12 server pure-ftpd: (sallenus@75.187.192.237) [INFO] Logout.
    Jun 24 04:02:15 server pure-ftpd: (?@88.109.5.212) [INFO] New connection from 88.109.5.212
    Jun 24 04:02:16 server pure-ftpd: (?@88.109.5.212) [INFO] sallenus is now logged in
    Jun 24 04:02:18 server pure-ftpd: (sallenus@88.109.5.212) [NOTICE] /home/sallenus//public_html/html/index.html uploaded (1449 bytes, 4.79KB/sec)
    Jun 24 04:02:18 server pure-ftpd: (sallenus@88.109.5.212) [INFO] Logout.
    Jun 24 04:02:21 server pure-ftpd: (?@75.187.192.237) [INFO] New connection from 75.187.192.237
    Jun 24 04:02:21 server pure-ftpd: (?@75.187.192.237) [INFO] sallenus is now logged in
    Jun 24 04:02:23 server pure-ftpd: (sallenus@75.187.192.237) [NOTICE] /home/sallenus//public_html/suspended.page/index.html downloaded (3494 bytes, 69.96KB/sec)
    Jun 24 04:02:24 server pure-ftpd: (sallenus@75.187.192.237) [INFO] Logout.
    Jun 24 04:02:26 server pure-ftpd: (?@91.64.208.10) [INFO] New connection from 91.64.208.10
    Jun 24 04:02:27 server pure-ftpd: (?@91.64.208.10) [INFO] sallenus is now logged in
    Jun 24 04:02:29 server pure-ftpd: (sallenus@91.64.208.10) [NOTICE] /home/sallenus//public_html/suspended.page/index.html uploaded (3561 bytes, 7.29KB/sec)
    Jun 24 04:02:30 server pure-ftpd: (sallenus@91.64.208.10) [INFO] Logout.
    Jun 24 04:02:32 server pure-ftpd: (?@86.20.64.110) [INFO] New connection from 86.20.64.110
    Jun 24 04:02:33 server pure-ftpd: (?@86.20.64.110) [INFO] sallenus is now logged in
    Jun 24 04:02:35 server pure-ftpd: (sallenus@86.20.64.110) [NOTICE] /home/sallenus//public_html/themes/engines/phptemplate/default.tpl.php downloaded (128 bytes, 5.42KB/sec)
    Jun 24 04:02:35 server pure-ftpd: (sallenus@86.20.64.110) [INFO] Logout.
    Jun 24 04:02:38 server pure-ftpd: (?@92.84.250.31) [INFO] New connection from 92.84.250.31
    Jun 24 04:02:38 server pure-ftpd: (?@92.84.250.31) [INFO] sallenus is now logged in
    Jun 24 04:02:41 server pure-ftpd: (sallenus@92.84.250.31) [NOTICE] /home/sallenus//public_html/themes/engines/phptemplate/default.tpl.php uploaded (238 bytes, 0.83KB/sec)
    Jun 24 04:02:41 server pure-ftpd: (sallenus@92.84.250.31) [INFO] Logout.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Have you changed your passwords to something much stronger and scanned your PC?
     
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,280
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Pretty interesting how that is done. Multiple different IP addresses accessing the same account within seconds, each accessing/modifying a different page.

    I hesitate to say that's from a full-fledged botnet, but it's likely from multiple compromised machines being controlled from an IRC channel or some other distributed remote means.

    Somebody issues a command to log in and change files, and all applicable participants act immediately.

    It is likely that this isn't actually the first time that account has been breached. It probably was breached initially - and during that time no directory listing or other activity was likely done. Just a quick login/logout to verify that it can be accessed. Then they sit on it for a while (perhaps weeks or more) without making use of it (so you have no reference left on your server in the logfiles from the previous access). Then they pounce and have it do a quick change of your various html/php pages.

    They probably added additional malicious javascript code to each of those pages, or an iframe or something.

    Like Infopro said - change your password for that account immediately - to something that is very strong. Set up your cPanel to require strong passwords across the board.

    Go through all of your FTP logs for the past month (or as long as you have them) and look around for strangeness. If you see a group of accounts being accessed in quick succession by the same IP, then you can assume that somebody got a hold of your passwd/shadow files and brute-force broke the weak passwords. If this were the case, you'd want to implement that secure password policy within cPanel and then change every current account's password as quickly as possible to something that is secure.

    It may be isolated [it most often is], but I have seen it where obviously somebody got a hold of the passwd/shadow files on the server, spent a long time cracking as many easy passwords as they could, then many months later pounced on multiple accounts at once.

    Mike
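The log in the first post and mtindor's advice above describe two patterns worth hunting for in Pure-FTPd logs: one account logged into from many addresses within seconds, and one address walking through many accounts in quick succession. The following Python script is an added example, not code from the original thread or from cPanel. It parses /var/log/messages lines in the format shown in the first post; its sample input is the thread's own lines plus a few constructed ones, and the log year (syslog omits it), the thresholds and the time window are all assumptions that a reader would tune for their own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A Pure-FTPd syslog line as it appears in /var/log/messages, e.g.
#   Jun 24 04:01:38 server pure-ftpd: (?@59.93.71.35) [INFO] sallenus is now logged in
# Lines from other daemons (named, sshd, ...) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\((?P<who>[^@)]*)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")


def parse_logins(lines, year=2009):
    """Return a time-sorted list of (timestamp, user, ip) for every successful login.
    syslog omits the year, so the caller supplies it (assumed 2009 here)."""
    logins = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lm = LOGIN_RE.match(m.group("msg"))
        if not lm:
            continue  # connection, transfer or logout line, not a login
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        logins.append((ts, lm.group("user"), m.group("ip")))
    return sorted(logins)


def _burst_hits(logins, key_index, other_index, threshold, window):
    """Group logins by the field at key_index; a key is flagged when some time
    window of length `window` contains >= threshold distinct values of the field
    at other_index. Returns {key: largest such set of distinct values}."""
    by_key = defaultdict(list)
    for rec in logins:
        by_key[rec[key_index]].append(rec)
    hits = {}
    for key, recs in by_key.items():   # recs are already time-sorted
        start, best = 0, set()
        for end, rec in enumerate(recs):
            while rec[0] - recs[start][0] > window:
                start += 1             # slide the window forward
            seen = {r[other_index] for r in recs[start:end + 1]}
            if len(seen) >= threshold and len(seen) > len(best):
                best = seen
        if best:
            hits[key] = best
    return hits


def accounts_hit_from_many_ips(logins, min_ips=3, window=timedelta(minutes=5)):
    """One account, many source addresses within minutes: a stolen password
    being replayed by a distributed set of machines (the first post's log)."""
    return _burst_hits(logins, key_index=1, other_index=2,
                       threshold=min_ips, window=window)


def ips_hitting_many_accounts(logins, min_accounts=3, window=timedelta(minutes=5)):
    """One address, many accounts in quick succession: a cracked password list
    being replayed from a single machine (mtindor's second pattern)."""
    return _burst_hits(logins, key_index=2, other_index=1,
                       threshold=min_accounts, window=window)


# Sample input: the Jun 24 lines are copied from the thread's log excerpt; the
# Jun 25 lines are constructed for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jun 24 04:01:37 server pure-ftpd: (?@59.93.71.35) [INFO] New connection from 59.93.71.35",
    "Jun 24 04:01:38 server pure-ftpd: (?@59.93.71.35) [INFO] sallenus is now logged in",
    "Jun 24 04:01:41 server pure-ftpd: (sallenus@59.93.71.35) [INFO] Logout.",
    "Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] sallenus is now logged in",
    "Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [NOTICE] /home/sallenus//public_html/index.php downloaded (872 bytes, 50.85KB/sec)",
    "Jun 24 04:01:56 server pure-ftpd: (?@202.150.113.249) [INFO] sallenus is now logged in",
    "Jun 24 04:02:04 server named[12119]: lame server resolving '21.229.108.59.in-addr.arpa' (in '229.108.59.in-addr.arpa'?): 219.232.48.62#53",
    "Jun 24 04:02:10 server pure-ftpd: (?@75.187.192.237) [INFO] sallenus is now logged in",
    "Jun 25 03:10:01 server pure-ftpd: (?@192.0.2.10) [INFO] alice is now logged in",
    "Jun 25 03:10:09 server pure-ftpd: (?@192.0.2.10) [INFO] bob is now logged in",
    "Jun 25 03:10:20 server pure-ftpd: (?@192.0.2.10) [INFO] carol is now logged in",
    "Jun 25 03:10:31 server pure-ftpd: (?@192.0.2.10) [INFO] dave is now logged in",
    "Jun 25 15:00:00 server pure-ftpd: (?@198.51.100.7) [INFO] alice is now logged in",
]


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG)
    for user, ips in accounts_hit_from_many_ips(logins).items():
        print(f"account {user} logged in from {len(ips)} addresses: {sorted(ips)}")
    for ip, users in ips_hitting_many_accounts(logins).items():
        print(f"address {ip} logged into {len(users)} accounts: {sorted(users)}")
```

On a real server the list would be read from the log file (or from `grep pure-ftpd /var/log/messages*`), and the second login for `alice` twelve hours later shows why the window matters: a legitimate user logging in from home and then from work should not trip the rule, so the window should be short and the threshold set to what your users actually do.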
     
  4. bjdea1

    bjdea1 Well-Known Member

    Joined:
    Mar 6, 2003
    Messages:
    83
    Likes Received:
    1
    Trophy Points:
    8
    There are a lot of hackers sniffing FTP network traffic lately.

    Since FTP transmits usernames and passwords in plain text over the network, hackers are able to sniff (discover/steal) your clients' usernames and passwords and store them in databases. They can then simply FTP into your users' accounts, using mass FTP bots to modify thousands of webpages worldwide.

    The best and only solution we found was to force SECURE FTP; in our case we chose FTPES (explicit secure FTP). All FTP data is then transmitted over the network in encrypted form. That way hackers can't sniff your clients' usernames and passwords.

    Pure-FTPd can be set up in WHM to ONLY ALLOW secure FTP connections. This is what we have done; now our users can only connect via FTPES (secure FTP).

    Filezilla and FireFTP are both FREE FTP Clients and both support FTPES (FTP TLS), many more free FTP clients will include support for secure FTPES soon too.

    I want to get this message out because this is one of the biggest security threats on the internet at the moment. Everyone should make their FTP server accept secure FTP connections only. As soon as we switched all our servers over to ONLY FTPES, all hacking activity completely stopped.
     
    #4 bjdea1, Jun 25, 2009
    Last edited: Jun 25, 2009
  5. sallen812

    sallen812 Member

    Joined:
    Oct 20, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Looks like one of my PCs with FileZilla got hacked. All passwords have been changed and the problem has stopped.

    Thanks for the replies

    Steven
     
  6. Stefaans

    Stefaans Well-Known Member

    Joined:
    Mar 5, 2002
    Messages:
    451
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Vancouver, Canada
    This sounds exactly like the IFRAME hacks that have been discussed on this forum. Your computer gets infected with a trojan when viewing a hacked page (and you download something?). The trojan transmits your FTP passwords back to the hacker whenever you use FileZilla or another FTP client. The hacker then uses a network of infected computers to modify the web pages to plant more IFRAME hacks...

    Sallen812, changing your FTP passwords will solve the problem, but only if you are 100% sure that your computer is virus free.
     
  7. whplus

    whplus Well-Known Member

    Joined:
    Dec 8, 2007
    Messages:
    66
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Behind your business
    ‘force’ all users to connect via FTP over TLS.
     
  8. bjdea1

    bjdea1 Well-Known Member

    Joined:
    Mar 6, 2003
    Messages:
    83
    Likes Received:
    1
    Trophy Points:
    8
    Yes, exactly, this is the best solution. We have implemented it and our clients have accepted it. Now all the past security problems have completely stopped. I want others to do this also so the old FTP protocol can be dumped; it's very insecure.
     
  9. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Thank you, Stefaans!

    I'm getting tired of the "oh my $@$@ server hacked" posts everywhere!

    Yes, as Stefaans summarized, there is a group of hackers operating out of China right now who are getting their passwords via the use of trojans on the users' own computers at home and NOT the servers or data centers where their web hosting accounts are located.

    It is important to note a few things:

    1. Unless you totally clean your home computer of these trojan viruses, any password changes you do at your hosting company will not work because the hackers will be updated to your new password.

    2. The hacking group is not only collecting web hosting information from your computer at home but also banking login information as well, and if you logged into your bank from an infected home computer, they likely have your bank login as well, and there have been reports of unauthorized bank transfers being made in various places already.

    If you suspect your computer is infected, get the latest updates to one of the top 5 antivirus programs and run full scans on your computer along with the latest updates from a good trojan detection tool such as Spy Doctor or, if that is out of reach, at least SpyBot: Search and Destroy, and try to confirm your computer is completely clean. If it were me, I would go ahead and change all my web hosting and bank passwords yet again after doing all the local computer scans just to be sure.
     
  10. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    Assuming I understand this correctly

    That only secures the password in transit - if the user's PC is compromised and the passwords are saved then TLS in this case doesn't help.
     
  11. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Correct! The current exploit attack heavily in the wild right now involves keylogging, packet capturing, and file analysis from the victim's own home computer.

    It doesn't really matter what you do, aside from implementing a one-time keypad on the server side, because as long as the user is infected, the hacking group behind this will know how to log in, and it does not matter if you force secure FTP, use only certificates, or anything else.

    A lot of people erroneously believe right now that FTP is being hacked because they don't know what is really going on, make bad assumptions, and then through those same bad assumptions recommend that you switch your FTP software or disable FTP and go to secure FTP or implement some encryption method which is by definition already compromised as long as the end user is still able to log in from their home computer.

    The best action at the moment for anyone found infected is to suspend their accounts or change their passwords to prevent the home user from being able to log in themselves until they can disinfect their home computers!
     
  12. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    One step that might help, if your server can support it - a little help will come from banning IPs from the affected countries.

    I know that it isn't a perfect solution since the abusers can spoof IPs and use proxies - but my server ONLY serves the US, Canada and northern Europe, so I've blocked many of the suspect countries by IP at the firewall.

    A number of years back (5) the server that I shared at that time was compromised with iframe injection attacks. That server was behind on kernel updates and had a number of other weaknesses.
    Do everything and anything you can to protect yourself from these problems. Firewall, IP blocks, port scanning detection, LFD detection etc.

    One final note - if you are on shared hosting, meaning you are on a VPS or one of thousands of accounts on a server that advertises as "unlimited everything" for $3 a month, you are then subject to the weaknesses that such a monster server has to be configured for. You are getting what you pay for. If any one of your "roommates" on that server gets exploited then your site is more likely to be affected by that exploited neighbor.
     
  13. otho232

    otho232 Registered

    Joined:
    Jul 4, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I too had a similar issue some time back and I have consulted a specialist.
     
  14. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
  15. ramzex

    ramzex Member

    Joined:
    May 10, 2006
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Crap!

    This is not the iframe method!
    We had the exact same issues on our customers' webservers.
    We have investigated this issue and found the following:

    1. A PHP shell script (which contains numerous php/apache/zend vulnerabilities) has been uploaded through an XSS attack.

    2. Script has been used to gather usernames from the servers.

    3. Script has modified the passwords of the accounts located in /etc/passwd

    4. Hackers connected from different IPs to the FTP accounts and uploaded/deleted files.

    Solution:
    1. Upgrade to Apache 2.2 with the latest PHP versions (a must!) and compile with suhosin, suphp, suexec!

    2. Install mod_Security from cpanel addons!

    3. Install mod_security rules from gotroot.com (they have a free rules download also).

    4. Install the ClamAV addon from cPanel.

    5. Forbid the following functions in php:

    Please note that some functions like realpath or chdir may be used by some websites.

    6. Enable FTP TLS Encryption Support as Required!

    7. Change your SSH port to something else.

    8. Enable Brute-Force protection.

    9. Install a firewall.

    We found that the shell scripts uploaded were base64 encoded.

    Use this search command in ssh to find files that are base64 encoded and take a look at them as they may be backdoors:

    Replace "/home" with your path.

    Also find files that are using php command: "posix_getpwuid" as this is how they list the server's usernames!

    There are other vulnerabilities with Zend also!
    Even if you enable Safe Mode in PHP they can still list /etc/passwd or any other system file even though the open_basedir restriction is enabled.
    We are still investigating this and I will update you as soon as we have a solution.

    Also we found another Perl script that came with the shell code above.
    It uses the symlink() function to create a symlink from the vulnerable account to any other account or directory on the server. This way they have access to everything.

    If someone has more ideas how to secure the server against these vulnerabilities please let us know.

    I will also keep you updated.

    Thanks.
     
    #15 ramzex, Jul 11, 2009
    Last edited: Jul 11, 2009
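ramzex's post above describes looking for base64-encoded PHP shells, for files that call posix_getpwuid to enumerate usernames, and for a Perl script that abuses symlink(); the search command itself is not reproduced in the post. The following Python scanner is an added example, not ramzex's command and not anything from cPanel: it walks a document root, flags files by the indicators the post names (eval of a base64_decode/gzinflate payload, long base64 literals, posix_getpwuid and symlink calls) and reports them for triage. The sample tree is constructed for the example, and the indicator names, file extensions and the 200-character literal threshold are the example's own choices. As the post notes for realpath and chdir, a hit is a lead and not proof: legitimate code also calls base64_decode.

```python
import os
import re
import tempfile

# Indicators, most serious first; the hit list for a file preserves this order.
# Names and thresholds are this example's own choices, not a published ruleset.
INDICATORS = [
    ("eval_of_decoded_payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("posix_getpwuid_call", re.compile(r"\bposix_getpwuid\s*\(", re.I)),
    ("symlink_call", re.compile(r"\bsymlink\s*\(", re.I)),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("base64_decode_call", re.compile(r"\bbase64_decode\s*\(", re.I)),
]
# Extensions worth reading; PHP plus the Perl/CGI files the post also mentions.
SCAN_EXTENSIONS = {".php", ".phtml", ".php5", ".inc", ".pl", ".cgi"}


def scan_file(path):
    """Return the names of indicators found in one file (empty list if clean)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_tree(root):
    """Walk root and map relative path -> indicator names for every flagged file.
    Dotfiles are scanned too: dropped shells are often hidden that way."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_file(path)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return dict(sorted(findings.items()))


# A constructed document root for the example: one clean page, one legitimate
# base64_decode user, and three files showing the patterns the post describes.
SAMPLE_TREE = {
    "public_html/index.php": "<?php\n$page = 'home';\ninclude 'themes/default.php';\n",
    "public_html/contact.php": "<?php\n$token = base64_decode($_POST['t']); // legitimate use: triage, do not delete blindly\n",
    "public_html/images/.cache.php": "<?php eval(base64_decode('" + "QUJD" * 80 + "')); ?>",
    "public_html/tmp/lst.php": "<?php $u = posix_getpwuid(0); echo $u['name']; ?>",
    "public_html/tmp/sym.pl": "#!/usr/bin/perl\nsymlink('/home/other/public_html', 'x');\n",
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="webshell-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

To use it on a server, call `scan_tree("/home")` (or one account's public_html) instead of `demo()`, and review each flagged file by hand; an `eval_of_decoded_payload` hit in a hidden file under an images directory deserves far more attention than a lone `base64_decode_call` in a contact form.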
  16. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    ramzex:

    I saw your original post a couple days ago and briefly contacted you
    but I have also been very busy this week helping a lot of users deal with
    the current hacking attacks going around, helping people secure their
    servers, and have not had much free time available. I would very much
    like to take a look at your server and sit down and go over with you all
    that you have done to try to clean it out and update the security as
    there is likely a great many areas you missed (based on your comments
    in each of your posts) that I may be able to help you address.

    You are already off to a good start in the things you list in your post
    above but I also see a great number of critical areas to address where
    you did not mention doing anything to secure your server in those areas.
    When you are available, try to contact me and if I have a few free moments,
    I'll try to make room to talk to you and help you with your server.

    -Spiral
     
  17. Arcano

    Arcano Registered

    Joined:
    Jul 13, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi Everybody.

    This is my first post.
    First of all please be careful everyone who uses FILEZILLA.

    The reason? Very Simple
    Look in your machine for a file called "sitemanager.xml".
    You can open it with a notepad.
    It holds all the information of your accounts.
    In plain text.
    User.
    Password (not encrypted!!).

    Once you have a trojan/virus (like Malicious.PDF.Gen, etc), it is a piece of cake for it to get that information. It only has to read the XML and send that information to the attacker.


    Now I am using another free FTP client, EFTP.
    It encrypts everything. I will try it now.

    Good luck (and sorry for my odd English)
     
  18. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
     
    #18 konrath, Jul 13, 2009
    Last edited: Jul 13, 2009