FTP Compromises
Tuesday, 29 September 2009
These compromises aren’t really “compromises” at all — the attacker already has a valid username and password for the system. The password is usually obtained illegitimately: by a rootkit on the end user’s computer that sniffs authentication credentials without the user’s knowledge, or through phishing. With such access it is simple for the attacker to launch a mass infection by logging in via FTP and systematically downloading, modifying, and re-uploading the site’s content pages. The modifications are often hidden iframes (sometimes obfuscated with JavaScript) that redirect unsuspecting visitors to another site which pushes malware (such as the same rootkit that originally stole the account credentials). Recently attackers have also been inserting code that gives them remote code execution on the server, letting them weaponize it for DoS attacks and spamming.
(Note: these commands contain a Plesk bias, as I see such compromises overwhelmingly on Plesk for some reason…)
Identify the files that have been modified:
mkdir /home/rack/ticketnumber
cd !!$                                  # !!$ expands to the last argument of the previous command
cp /usr/local/psa/var/log/xferlog* .    # the current log plus its rotated copies
gunzip xferlog*.gz
# xferlog fields: $7 = remote host, $9 = path, $12 = direction (i = upload, o = download).
# Print the path each time the direction flips (download-then-upload of the same file shows up as o,i), then keep only web content files.
awk '$12 != prev {print $9; prev=$12}' xferlog* | egrep "\.php|\.htm|\.shtm|\.js" | sort -u > ftp_modified.out
Search through the result set for common changes:
while read -r line; do grep -H iframe "$line" >> iframe.out; done < ftp_modified.out   # quote the path: filenames may contain spaces
Review this output for suspicious iframes. Often they carry the visibility:hidden attribute, point to Russian or Chinese hosts, use odd ports, or point to a CGI script. Once you’ve identified one, review the file it was found in for other malicious content that the iframe grep did not match, usually obfuscated JavaScript. Note each of these “signatures”.
Generate a regex tight enough to match only such malicious content, but be aware of random elements put into the signature so as to thwart cleanup attempts.
Run this regex against the modified files. The pattern below is the one for the in.cgi redirect; substitute your own signature. Two cautions: the greedy .* also strips anything sitting between the first <iframe src= and the last </iframe> on the same line, so test the expression with sed -n 's/.../&/p' on a copy before running it with -i; and write a literal question mark as [?] rather than \?, which GNU sed reads as an optional quantifier:
awk -F: '{print $1}' iframe.out | sort -u | while read -r line ; do sed -i 's/<iframe src=.*\/in\.cgi[?].*<\/iframe>//g' "$line" ; done
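The two searches above, pulled together as an added example that is not part of the original post. The xferlog lines and the two pages are constructed, and the paths, hosts, FTP user and function names are assumptions. It goes a step beyond the direction-flip one-liner: it pairs each download with a later re-upload of the same file from the same remote host, and it flags only iframes that carry the indicators described above.

```shell
#!/bin/sh
# Added example, not from the original post. The xferlog lines are constructed:
# one remote host downloads two content files and re-uploads each seconds later
# (the modify-and-replace pattern); the other transfers are one-way and must not
# be flagged. Paths, hosts and the user are assumptions.
SAMPLE_XFERLOG='Tue Sep 29 10:01:02 2009 1 203.0.113.5 4096 /httpdocs/index.php b _ o r example_ftp ftp 0 * c
Tue Sep 29 10:01:03 2009 1 203.0.113.5 4311 /httpdocs/index.php b _ i r example_ftp ftp 0 * c
Tue Sep 29 10:01:05 2009 1 203.0.113.5 2048 /httpdocs/js/menu.js b _ o r example_ftp ftp 0 * c
Tue Sep 29 10:01:06 2009 1 203.0.113.5 2290 /httpdocs/js/menu.js b _ i r example_ftp ftp 0 * c
Tue Sep 29 11:30:00 2009 1 198.51.100.7 900 /httpdocs/logo.png b _ i r example_ftp ftp 0 * c
Tue Sep 29 11:31:00 2009 1 198.51.100.7 512 /httpdocs/about.htm b _ o r example_ftp ftp 0 * c'

# Read xferlog lines on stdin and print each web content file that was
# downloaded (direction $12 = "o") and later uploaded again ("i") by the same
# remote host ($7). $9 is the path. Each flagged file is printed once.
find_reuploaded() {
  awk '$9 !~ /\.(php|htm|html|shtm|shtml|js)$/ { next }
       $12 == "o" { fetched[$7 SUBSEP $9] = 1; next }
       $12 == "i" && (($7 SUBSEP $9) in fetched) && !seen[$9]++ { print $9 }'
}

# Print the names of files containing an iframe with one of the indicators the
# post describes: a hidden style, or a src that points at a CGI script.
find_suspect_iframes() {
  grep -l -i -E '<iframe[^>]*(visibility: *hidden|display: *none|\.cgi)' "$@" 2>/dev/null
}

# Constructed pages for a stand-alone run: one carries an injected hidden iframe
# aimed at a CGI endpoint (documentation address), the other a legitimate embed.
make_sample_pages() {
  dir=$(mktemp -d)
  printf '%s\n' '<html><body><p>Welcome</p><iframe src="http://192.0.2.9:8080/in.cgi?3" width=1 height=1 style="visibility:hidden"></iframe></body></html>' > "$dir/index.php"
  printf '%s\n' '<html><body><iframe src="/video/embed.htm" width=400></iframe></body></html>' > "$dir/about.htm"
  echo "$dir"
}

printf '%s\n' "$SAMPLE_XFERLOG" | find_reuploaded
find_suspect_iframes "$(make_sample_pages)"/*
```

On a real server, feed the uncompressed xferlog copies to find_reuploaded and the resulting paths to find_suspect_iframes in place of the constructed samples.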
Immediately change the passwords for the affected domains, and be sure to advise the customer that the infection will recur unless they find the breach on their side — the infected desktop — and clean it up. Most antivirus products can catch and clean the common rootkits and trojans, but be aware that each scans differently and will find different things. If one scan comes up clean, scan again with another AV product, and ideally triple-check as well.