• HOME
• ABOUT US
• OUR SERVICES
• CONTACT US
• CUSTOMER SUPPORT
• BLOG

• Home>
• Blog > Hacked Web sites? Stolen FTP Details? A less on in web security...

Hacked Web site? Stolen FTP? A lesson in Web site Hosting security...

11th June 2013

One of the issues our Support Team come across from time to time are customers struggling to understand why a web site they operate has been compromised, especially how it has happened. Security isn't' that interesting a topic we know, but it is vital so we wanted to share and discuss a common, but not exactly "new" attack type we've recently been seeing much more of. This is an attack where Web Site FTP Details are stolen and then used to compromise a web site. It's arguably one of the easiest attacks because the actual web servers themselves are not directly compromised which is generally not that easy to do on a well maintained web hosting providers systems.

What types of attack are made against a web site?

There are many reasons a web site may be attacked and compromised. We've seen Wordpress attacks (using the wordpress logins and plugin's to compromise a site), attempts to cause "SQL injection" (where you modify a database by exploiting a weakness in setup and code), and all sorts of very clever multi-layered attacks. Fortunately these attacks are also relatively rare as any credible hosting company puts effort into minimising the potential opportunities for attack.

For an attacker, it's far easier if you can just walk in through the front door, which is precisely what we've seen recently with the FTP compromises. The attack is akin to you giving someone else a copy of the set of keys for your house - now they have them, they can walk in whenever they want.

It's for this reason the attack is clever because despite all the effort your host will have gone to, if someone is rocking up with a valid form of ID (in this case a username and password), they'll be granted access as this is the mechanism most commonly used to determine who can, or cannot access a web sites content to upload/download and thus modify it. In fact it is precisely because the server itself isn't compromised that these attacks carry on often unnoticed for some time.

So how does the FTP attack work?

In simple terms, a normal computer system gets infected with some kind of virus or other malware. This malware is designed to seek out FTP software that is installed and extract the username and password information that is held, and then transmits it to a remote (hacker/attacker controlled) system. It takes a few seconds in a typical setup to do this, and after this the attacker has a copy of the keys as it were...

There are lots of FTP products out there, an some are more vulnerable than others, but back in 2009, the unmask parasites blog identified a list of 10:

1. CoffeeCup Direct FTP
2. TranSoft FTP Control 4
3. Core FTP
4. Globalscape Cute FTP
5. Far Manager (with FTP Plugin)
6. FileZilla
7. FlashFXP
8. SmartFTP
9. FTP Navigator
10. Total Commander

...this list is now quite old and we've seen plenty of evidence of other clients getting attacked - in particular too, popularity of FileZilla has grown and we see more and more clients using this client - it's free, open source and therefore an easy pick.

Anti-Virus vendor Kaspersky have a screenshot showing some code from a bit of malware which hints at the products it attacked (click for a large version):

The simple fact is that securing your servers is no good if you give away the keys. You're basically locking the front door and then leaving the key hanging up outside. It's a completely false sense of security and easily exploited.

So what happens once an attacker has the details?

In the recent case we witnessed, we saw a slow rise in attempts to login to a number of web sites. The web sites were spread across a number of different servers, and those servers use different software, operating systems and FTP server products. They're behind various firewalls and security devices.

At first simple logins often happen - logging in, grabbing a file or uploading a test file. This is often a basic routine that appears as far as we can see to allow the attacker to then retrieve the file as a normal web site visitor to check they've got a matching login. It also let's them ditch logins that don't work much faster to save wasting time on an old/invalid login.

At some point there will be a massive change in behaviour, and we've seen 2 real modes:

1. Uploading many PHP files, all of which have compromised code in them. This tends to be useless on a typical Windows Web Hosting Server as normally they don't run PHP, but can be more useful on a Linux Server.

2. Downloading, modifying and uploading existing legitimate pages. This is clearly an automated but highly effective routine. Most of the time too, the additional code is pretty much invisible and a web site appears to load normally, but not always. In the cases we've seen, the site normally has iframe's and other "transparent" windows added which contain requests to go to a different web server. Very often, those then redirect you again to another location where malware is then downloaded to YOUR computer (in various forms) - the systems appear to detect the operating system, browser and other things to determine what malware they can serve you which you're going to be vulnerable to. This process is very much methodical as it just retrieves a list of files on the server and then goes through them one by one.

Things we observed:

• In this case, we identified that the source of the original compromise was a Web Site Development company that happens to look after the web sites for a few clients whom we host sites for. The developer has a number of logins and the majority are explicitly issued to that company.
• The details had clearly been obtained en-mass as it included login information across several different server systems, for different clients.
• No logins other than those issued and used by that end development company were affected. So for example on a server where there were 2 logins to a site, only the login issued to that development company were used.
• In a couple of cases, web site details were attempted for sites that we no longer host - either because they've transferred, the organisation has ceased to exist or in some cases simply because the customer has moved to a different package/service with us and are no longer on the server in question.
• Attempts to login came from various different source IP addresses, and seem to be generally from companies offering cheap Virtual Private Servers (in some cases the companies show this in the IP allocations as being explicitly for issue to VPS systems).

So how can you reduce the risk?

There are a number of things you can do to reduce the chance of attack as well as ensuring you have a better chance of tracking the source so you can fix the ultimate issue:

1. Use Specific, Unique Logins. Always.
Always make sure you issue a login to each individual or company distinctly - whilst good proactive form an auditing perspective (so you know who did what), it's also a very good idea and comes into its own in tracing the source of problems such as this. If you're using our Linux Web Hosting for example, you can create additional FTP Accounts - make sure you do this.

2. Look at using Secure FTP (SSH based for example)
Try and use Secure FTP instead of the older style of FTP where possible - most hosting packages support it and you should ask your hosting company what can be done, or if you don't need FTP, disable it entirely (perhaps just enable it when required which for most sites is pretty rare).

3. Restrict access via FTP by IP Address
Don't allow any connection in the world to be acceptable, even if the username and password are right. Limit it to the specific networks you use to develop a site - and/or your developers. You'll need to have a Static IP for this, but any decent "business grade" service should have this available.

4. Consider regularly changing passwords for FTP
FTP passwords are particularly they're plain text and extra vulnerable. If the attacker only has old passwords, it's of no use and they won't compromise your web sites.

5. Make sure you have Anti-Virus Protection
Always have quality Anti-Virus protection software on your computer to help reduce the chance of a computer getting infected.

6. Have a regular Backup of your Web Site
Make sure you regularly take a backup of your web site content - if you have been compromised being able to restore from a known GOOD copy is essential. Many web hosting packages include a control panel that will let you take backups (for example using cPanel on our Linux Packages). Without a good copy, you'll have a lot of work to do to cleanse the web site.

What did VPW do to help fix this?

Ultimately in many cases, VPW only host a web site or server system on behalf of a customer. They might choose to employ a Web Development company to build a web site or manage servers themselves, so we haven't got direct responsibility for all aspects of the setups our customers use.

However, once we were alerted to a problem, we quickly and proactively work with customers. In this case, we disabled FTP access as it was rapidly made clear to our engineers that this was the attack vector, and performed a deep audit of the customers web site content to see how bad any attack was. When it was determined that there was actual damage, we shut down access to the web sites whilst actions were taken.

A series of recommendations were drawn up to the customers in question to allow them to deal with the issues effectively, This included:

• Comprehensive reset of passwords and logins on servers - especially FTP details
• Review of database security as there was the possibility of database credentials having been obtained
• In one case working with a customer to look at other possible risks and determine the sensible level of proactive action to take to mitigate any further risks vs other potential damage or side effect
• Restoring customer web site content to a point in time BEFORE the first FTP login (fortunately VPW have comprehensive backups as the majority of the customers take a managed backup service from us to protect them)

Worried about your web site security?

Why not speak to our team on 01392 950 950, and consider using our Web Hosting or Security Services to help better protect your IT. Our specialist, trained engineers are here to help your business.

<< Back to the Blog

Follow us on:

© Copyright 1998-2016, VPW Systems (UK) Ltd | All Rights Reserved | Legal Information |
IT Services and Computer Support for Small Business from an Exeter, Devon Based IT Support and Services Company
From IT Support Services to Business Broadband, Server Systems and Cloud Email, Cloud Desktop and Web Hosting Services
Main Offices: 6-7 Southernhay West, Exeter, Devon, EX1 1JG

You're connecting to us as: 3.146.34.191 using IPv4