11th June 2013
One of the issues our Support Team comes across from time to time is customers struggling to understand why a web site they operate has been compromised, and especially how it happened. Security isn't the most interesting of topics, we know, but it is vital, so we wanted to share and discuss a common, but not exactly "new", attack type we've recently been seeing much more of. This is an attack where a web site's FTP details are stolen and then used to compromise the site. It's arguably one of the easiest attacks because the web servers themselves are not directly compromised, which is generally not that easy to do on a well-maintained web hosting provider's systems.
There are many reasons a web site may be attacked and compromised. We've seen WordPress attacks (using the WordPress logins and plugins to compromise a site), attempts at "SQL injection" (where you modify a database by exploiting a weakness in setup and code), and all sorts of very clever multi-layered attacks. Fortunately these attacks are also relatively rare, as any credible hosting company puts effort into minimising the potential opportunities for attack.
For an attacker, it's far easier if you can just walk in through the front door, which is precisely what we've seen recently with the FTP compromises. The attack is akin to giving someone else a copy of the keys to your house: now they have them, they can walk in whenever they want.
It's for this reason the attack is clever: despite all the effort your host will have gone to, if someone turns up with a valid form of ID (in this case a username and password), they'll be granted access, as this is the mechanism most commonly used to determine who can or cannot access a web site's content to upload, download and thus modify it. In fact, it is precisely because the server itself isn't compromised that these attacks often carry on unnoticed for some time.
In simple terms, a normal computer system gets infected with some kind of virus or other malware. This malware is designed to seek out installed FTP software, extract the stored username and password information, and then transmit it to a remote (attacker-controlled) system. In a typical setup this takes a few seconds, after which the attacker has a copy of the keys, as it were.
There are lots of FTP products out there, and some are more vulnerable than others, but back in 2009 the Unmask Parasites blog identified a list of 10:
1. CoffeeCup Direct FTP
2. TranSoft FTP Control 4
3. Core FTP
4. Globalscape Cute FTP
5. Far Manager (with FTP Plugin)
9. FTP Navigator
10. Total Commander
...this list is now quite old and we've seen plenty of evidence of other FTP clients being attacked. In particular, the popularity of FileZilla has grown and we see more and more customers using this client; it's free and open source, and therefore an easy pick.
Anti-virus vendor Kaspersky have a screenshot showing some code from a piece of malware which hints at the products it attacked:
The simple fact is that securing your servers is no good if you give away the keys. You're basically locking the front door and then leaving the key hanging up outside. It's a completely false sense of security and easily exploited.
In the recent case we witnessed, we saw a slow rise in attempts to log in to a number of web sites. The web sites were spread across a number of different servers, and those servers use different software, operating systems and FTP server products. They're behind various firewalls and security devices.
At first, simple logins often happen: logging in, grabbing a file or uploading a test file. As far as we can see, this is a basic routine that allows the attacker to then retrieve the file as a normal web site visitor to check they've got a matching login. It also lets them ditch logins that don't work much faster, to save wasting time on an old or invalid login.
At some point there will be a massive change in behaviour, and we've seen two real modes:
1. Uploading many PHP files, all of which have compromised code in them. This tends to be useless on a typical Windows Web Hosting Server as normally they don't run PHP, but can be more useful on a Linux Server.
2. Downloading, modifying and uploading existing legitimate pages. This is clearly an automated but highly effective routine. Most of the time the additional code is pretty much invisible and the web site appears to load normally, but not always. In the cases we've seen, the site normally has iframes and other "transparent" windows added which contain requests to a different web server. Very often those then redirect you again to another location where malware is downloaded to YOUR computer (in various forms); the systems appear to detect the operating system, browser and other details to determine what malware they can serve that you're going to be vulnerable to. The process is very methodical: it simply retrieves a list of files on the server and then goes through them one by one.
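The two phases described above (a low-volume probe to confirm the login works, then a burst of page rewrites or PHP uploads from an address the account has never been used from) leave a recognisable trail in the FTP server's own logs. The following is an added example, not code from the original post or from VPW's systems: a Python script that runs three checks over constructed, simplified log lines (timestamp, account, client address, command, path; not any real server's log format) and reports which accounts match. The per-account allowlist of developer networks and all addresses and file names are constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist (assumption): the networks each FTP account's developers
# normally connect from. A real deployment would take this from hosting records.
KNOWN_NETWORKS = {
    "acme_web": ["198.51.100.0/24"],
    "shop_dev": ["192.0.2.0/24"],
}

# Constructed, simplified log lines (not any real FTP server's format):
# "<ISO timestamp> <account> <client address> <command> <path>"
SAMPLE_LOG = """\
2013-06-03T02:14:05 acme_web 198.51.100.23 LOGIN -
2013-06-03T02:14:07 acme_web 198.51.100.23 STOR /public_html/news.html
2013-06-04T01:02:10 acme_web 203.0.113.77 LOGIN -
2013-06-04T01:02:12 acme_web 203.0.113.77 STOR /public_html/test.txt
2013-06-04T01:02:40 acme_web 203.0.113.77 DELE /public_html/test.txt
2013-06-05T03:40:11 acme_web 203.0.113.77 LOGIN -
2013-06-05T03:40:12 acme_web 203.0.113.77 RETR /public_html/index.html
2013-06-05T03:40:13 acme_web 203.0.113.77 STOR /public_html/index.html
2013-06-05T03:40:14 acme_web 203.0.113.77 RETR /public_html/about.html
2013-06-05T03:40:15 acme_web 203.0.113.77 STOR /public_html/about.html
2013-06-05T03:40:16 acme_web 203.0.113.77 RETR /public_html/contact.html
2013-06-05T03:40:17 acme_web 203.0.113.77 STOR /public_html/contact.html
2013-06-05T03:40:18 acme_web 203.0.113.77 STOR /public_html/x1.php
2013-06-05T03:40:19 acme_web 203.0.113.77 STOR /public_html/x2.php
2013-06-10T09:12:00 shop_dev 192.0.2.10 LOGIN -
2013-06-10T09:15:30 shop_dev 192.0.2.10 STOR /public_html/css/style.css
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn the constructed log text into (time, account, ip, command, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, cmd, path = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, cmd, path))
    return events


def ip_is_known(user, ip):
    """True if the client address falls inside one of the account's known networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in KNOWN_NETWORKS.get(user, []))


def analyse(events, burst_window=timedelta(minutes=5), burst_threshold=5):
    """Return {account: [finding, ...]} for accounts whose activity fits the pattern."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort()
        retrieved = {path for _, _, _, cmd, path in evs if cmd == "RETR"}

        # 1. A valid login from a network this account has never been used from:
        #    the credentials work, but the person holding them is not the developer.
        for t, _, ip, cmd, _ in evs:
            if cmd == "LOGIN" and not ip_is_known(user, ip):
                findings[user].append(f"login from unknown address {ip} at {t.isoformat()}")

        # 2. The probe: a file uploaded and removed again within a minute,
        #    used to confirm that a stolen login still works.
        last_store = {}
        for t, _, ip, cmd, path in evs:
            if cmd == "STOR":
                last_store[path] = t
            elif cmd == "DELE" and path in last_store and t - last_store[path] <= timedelta(seconds=60):
                findings[user].append(f"test upload/delete of {path} from {ip}")

        # 3. The bulk phase: many uploads in a short window, split into existing pages
        #    that were downloaded first (download-modify-upload) and brand-new PHP files.
        writes = [(t, path) for t, _, _, cmd, path in evs if cmd == "STOR"]
        for i, (t0, _) in enumerate(writes):
            window = [path for t, path in writes[i:] if t - t0 <= burst_window]
            if len(window) >= burst_threshold:
                rewritten = [p for p in window if p in retrieved]
                new_php = [p for p in window if p not in retrieved and p.endswith(".php")]
                findings[user].append(
                    f"{len(window)} uploads within {int(burst_window.total_seconds() // 60)} min "
                    f"from {t0.isoformat()}: {len(rewritten)} existing pages rewritten, "
                    f"{len(new_php)} new PHP files"
                )
                break
    return dict(findings)


if __name__ == "__main__":
    for account, notes in analyse(parse_log(SAMPLE_LOG)).items():
        print(account, *notes, sep="\n  - ")
```

Run stand-alone, it reports only the `acme_web` account: two logins from an address outside its known network, the upload-and-delete probe, and a burst of five uploads in which three existing pages were rewritten and two new PHP files appeared. The `shop_dev` account, whose single upload came from its usual network, is not reported, which is the point of recommendation 1 below: with one login per developer, a finding like this points straight at the machine whose stored credentials were stolen.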
There are a number of things you can do to reduce the chance of attack as well as ensuring you have a better chance of tracking the source so you can fix the ultimate issue:
1. Use Specific, Unique Logins. Always.
Always make sure you issue a login to each individual or company distinctly. Whilst this is good practice from an auditing perspective (so you know who did what), it also comes into its own in tracing the source of problems such as this. If you're using our Linux Web Hosting, for example, you can create additional FTP Accounts; make sure you do this.
2. Look at using Secure FTP (SSH based for example)
Try to use Secure FTP instead of the older style of FTP where possible. Most hosting packages support it and you should ask your hosting company what can be done, or if you don't need FTP, disable it entirely (perhaps enabling it only when required, which for most sites is pretty rare).
3. Restrict access via FTP by IP Address
Don't allow a connection from anywhere in the world to be acceptable, even if the username and password are right. Limit it to the specific networks you use to develop a site and/or those of your developers. You'll need a static IP for this, but any decent "business grade" service should have this available.
4. Consider regularly changing passwords for FTP
FTP passwords are particularly exposed: they're plain text and so extra vulnerable. If the attacker only has old passwords, they're of no use and won't compromise your web sites.
5. Make sure you have Anti-Virus Protection
Always have quality Anti-Virus protection software on your computer to help reduce the chance of a computer getting infected.
6. Have a regular Backup of your Web Site
Make sure you regularly take a backup of your web site content: if you have been compromised, being able to restore from a known GOOD copy is essential. Many web hosting packages include a control panel that will let you take backups (for example using cPanel on our Linux Packages). Without a good copy, you'll have a lot of work to do to cleanse the web site.
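A known-good backup does more than let you restore: it gives you something to compare the live site against, which is how you find the rewritten pages and added files described in the second attack mode above. The following is an added example, not code from the original post or from VPW: a Python script that hashes every file in a backup and in the live web root, lists what was added, changed or removed, and then scans the added and changed HTML/PHP files for iframes sized to zero or styled invisible. The sample site contents, the injected tag and the `injected.example` address are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(good, live):
    """Compare the live site against the known-good copy: (added, changed, removed) paths."""
    added = sorted(set(live) - set(good))
    removed = sorted(set(good) - set(live))
    changed = sorted(p for p in set(good) & set(live) if good[p] != live[p])
    return added, changed, removed


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes or inline styles that make an iframe invisible to the visitor.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?![\d.])    # width="0" / height=0
      | display\s*:\s*none                        # style="display:none"
      | visibility\s*:\s*hidden                   # style="visibility:hidden"
      | (?:width|height)\s*:\s*0(?:px)?(?![\d.])  # style="height:0px"
    """,
    re.IGNORECASE | re.VERBOSE,
)


def find_hidden_iframes(html):
    """Return the iframe tags in html that are sized to zero or styled invisible."""
    return [tag for tag in IFRAME_RE.findall(html) if HIDDEN_RE.search(tag)]


def scan_site(good_root, live_root):
    """Diff live against backup and inspect every new or changed web page for hidden iframes."""
    added, changed, removed = diff_manifests(build_manifest(good_root), build_manifest(live_root))
    report = {"added": added, "changed": changed, "removed": removed, "hidden_iframes": {}}
    for rel in added + changed:
        p = Path(live_root) / rel
        if p.suffix.lower() in {".html", ".htm", ".php"}:
            hits = find_hidden_iframes(p.read_text(errors="replace"))
            if hits:
                report["hidden_iframes"][rel] = hits
    return report


def demo():
    """Build a constructed known-good backup and a tampered live copy, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "backup")
        live = Path(tmp, "live")
        for root in (good, live):
            (root / "css").mkdir(parents=True)
            (root / "css" / "style.css").write_text("body { margin: 0 }\n")
            (root / "index.html").write_text("<html><body><h1>Welcome</h1></body></html>\n")
            (root / "about.html").write_text("<html><body><p>About us</p></body></html>\n")
        # Tamper with the live copy the way the post describes: an invisible iframe
        # appended to an existing page plus a new PHP file. Constructed placeholders only.
        (live / "index.html").write_text(
            '<html><body><h1>Welcome</h1>'
            '<iframe src="http://injected.example/land" width="0" height="0" '
            'style="visibility:hidden"></iframe></body></html>\n'
        )
        (live / "x1.php").write_text("<?php /* constructed placeholder */ ?>\n")
        return scan_site(good, live)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the manifest (or the backup itself) somewhere the FTP account cannot write to, otherwise the same stolen credentials that rewrite the pages can rewrite the reference copy. The hash comparison is what actually tells you which files to restore; the iframe scan only explains why the changed pages were changed, and a clean scan of a changed file is not proof that it is harmless.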
Ultimately, in many cases VPW only hosts a web site or server system on behalf of a customer. They might choose to employ a web development company to build a web site, or to manage servers themselves, so we don't have direct responsibility for all aspects of the setups our customers use.
However, once we were alerted to a problem, we quickly and proactively worked with customers. In this case, we disabled FTP access as it rapidly became clear to our engineers that this was the attack vector, and performed a deep audit of the customers' web site content to see how bad any attack was. When it was determined that there was actual damage, we shut down access to the web sites whilst actions were taken.
A series of recommendations was drawn up for the customers in question to allow them to deal with the issues effectively. This included:
Why not speak to our team on 01392 950 950, and consider using our Web Hosting or Security Services to help better protect your IT. Our specialist, trained engineers are here to help your business.