Ftp Hack

Discussion in 'Security' started by commandos, Apr 26, 2007.

  1. #1
    How can someone hack a site using FTP?

    I got hacked today on several of my sites.


    Apr 26 02:34:15 server pure-ftpd: ([.]75[.]49[.]185) [NOTICE] /home/xxxxx//public_html/index.php downloaded (22585 bytes, 77941.60KB/sec)

    Apr 26 02:34:20 server pure-ftpd: ([.]75[.]49[.]185) [NOTICE] /home/xxxxx//public_html/xxxxx/index.php uploaded (32768 bytes, 11.83KB/sec)

    They changed all index files, added a redirection, sometimes just deleted it and sometimes added an iframe.

    My pass is not easy (25+ chars, special chars, letters, numbers, capitals, etc.),

    so no way he guessed it. How is such a thing done?

    He's from Malaysia.
     
    commandos, Apr 26, 2007 IP
  2. Snout

    #2
    Most obvious way? You got a keylogging trojan.

    There are about 10 more ways, from an insecure hosting server OS to a buffer overflow in ftpd. You can find them all on Google rather quickly.

    Check all the software and scripts you run, make sure they are updated and have no public vulnerabilities. Then change all the passwords, virus-scan your system and hope it won't happen again.
     
    Snout, Apr 26, 2007 IP
  3. KalvinB

    #3
    I use Bulletproof FTP Server. Costs $35. I have a huge list of auto-banned IPs of people that tried to hack in. Seeing as PureFTP-D is open source, chances are you just had your password swiped somehow.

    Don't you log access to the FTP server? I can see what IPs are connecting and what username they're trying to use to log in. You should be able to figure out what username the hacker used to gain access.
     
    KalvinB, Apr 29, 2007 IP
  4. commandos

    #4
    LOL, a stupid DP guy gave me this red rep:

    KalvinB: Yes, I saw the logs; he got access through the main user account.

    As a resolution: APF was installed and BFD configured to block those IPs from which more than 3 FTP failures occur.

    Apr 26 08:11:17 server pure-ftpd: (?@202-75-49-185) [INFO] xxxx is now logged in
    Apr 26 08:11:22 server pure-ftpd: (xxxxx@202_75_49_185) [NOTICE] /home/xxxxx////index.php downloaded (94 bytes, 716.92KB/sec)
     
    commandos, Apr 29, 2007 IP
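
The log review discussed in posts #3 and #4, as an added example that is not part of the thread: it counts failed logins per source address against a BFD-style threshold and flags a host that downloads an index file and uploads one shortly afterwards, the pattern in the original poster's log. The sample lines, addresses and user names are constructed, and the "Authentication failed for user" message text and the `year` parameter are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the pure-ftpd syslog layout quoted in the thread.
# Addresses are RFC 5737 documentation ranges; user names are made up.
SAMPLE_LOG = """\
Apr 26 02:30:01 server pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Apr 26 02:30:03 server pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Apr 26 02:30:05 server pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Apr 26 02:30:08 server pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]
Apr 26 02:34:10 server pure-ftpd: (?@192.0.2.44) [INFO] siteuser is now logged in
Apr 26 02:34:15 server pure-ftpd: (siteuser@192.0.2.44) [NOTICE] /home/siteuser/public_html/index.php downloaded (22585 bytes, 77941.60KB/sec)
Apr 26 02:34:20 server pure-ftpd: (siteuser@192.0.2.44) [NOTICE] /home/siteuser/public_html/index.php uploaded (32768 bytes, 11.83KB/sec)
Apr 26 09:00:00 server pure-ftpd: (siteuser@192.0.2.10) [NOTICE] /home/siteuser/public_html/img/logo.png uploaded (5120 bytes, 90.10KB/sec)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ pure-ftpd: \(([^@]*)@([^)]+)\) \[(\w+)\] (.*)$")
XFER = re.compile(r"^(.+) (uploaded|downloaded) \(")
FAILED = "Authentication failed for user"  # assumed pure-ftpd failure text

def analyze(log_text, max_failures=3, window=timedelta(minutes=5), year=2007):
    """Return (hosts over the failure limit, index-file overwrites)."""
    failures, last_index_get, overwrites = Counter(), {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, user, host, _level, msg = m.groups()
        # syslog lines carry no year, so the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg.startswith(FAILED):
            failures[host] += 1
            continue
        x = XFER.match(msg)
        if not x or not x.group(1).rsplit("/", 1)[-1].startswith("index."):
            continue
        path, action = x.groups()
        if action == "downloaded":
            last_index_get[host] = when
        elif host in last_index_get and when - last_index_get[host] <= window:
            # same host fetched an index file and pushed one back shortly after
            overwrites.append((host, user, path, when.strftime("%H:%M:%S")))
    blocked = sorted(h for h, n in failures.items() if n > max_failures)
    return blocked, overwrites

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An overwrite that arrives with no failed logins before it, as in the sample, points at a stolen or sniffed password rather than guessing, so failure-count blocking alone would not have stopped it.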
  5. KalvinB

    #5
    That's generally the best way to prevent such problems. "Hackers" will sit there all day long trying passwords if you let them.
     
    KalvinB, Apr 29, 2007 IP
  6. Junichiro-Tokuoka

    #6
    There is a program that can be used to brute force or dictionary attack FTP logins, telnet servers, internet port 80 (websites) so they can be modified.

    All you do is put in the user name root, admin, administrator or whatever and select brute force all chars and characters including non-displayable. Although a 25 character mix would take a few days. :cool:
     
    Junichiro-Tokuoka, Apr 30, 2007 IP
  7. Zinho

    #7
    I would look into your hosting security policies too. I encountered a couple of completely lame (very big) hosting providers as far as security is concerned.
    If you use different passwords for each site on that server, it is more likely that they got in using some OS-related bug/vulnerability. I would patch the OS and the FTP. If you had both patched, start thinking of another FTP service.
     
    Zinho, May 1, 2007 IP
  8. KalvinB

    #8
    On my FTP server I also changed the name of the root account.

    "root" and "admin" don't exist as user accounts.

    By getting rid of the default account names you've just made the process of getting in infinitely harder, since now they have to make NxN attempts instead of N attempts.
     
    KalvinB, May 1, 2007 IP