FTP Exploits and Account Hacks

Over the last 48 hours we have noticed an increased number of attacks against hosting accounts. The attacks exploit the FTP server to upload malicious content to accounts. The attack we are currently seeing uploads .htaccess files used to redirect incoming search engine visitors to spam sites.

In light of this uptick we have updated our FTP scanning system to detect and block these uploads before they can cause damage to accounts. If an account is deemed to have been exploited we take three steps to protect you: the files are removed, your FTP password is randomised and an FTP lock is enabled on your account. You will also be emailed about these changes at your registered email address. We then recommend updating your account passwords to non-dictionary words and using SCP instead of standard insecure FTP. You should also check your account to verify no other malicious changes have been made.

Furthermore, it would be wise to run a full virus scan of your own machine using up-to-date virus scanning software. We believe that the attacks may have originated from users' own machines, exploited with a trojan.
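One way to check an account for the kind of change described above, as an added example that is not 34SP's own scanner: it walks a local copy of the webroot and flags `.htaccess` lines that send visitors to a host other than your own, noting when the redirect is conditional on a search-engine referer. The directive patterns, the sample file contents and the `example.org` / `example.net` hostnames are assumptions, since the post does not show the uploaded files.

```python
import os
import re

# Assumed indicators; the post only says search-engine visitors are redirected to spam sites.
SEARCH_REFERER = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|yahoo|bing|msn|aol)", re.I)
DIRECTIVE = re.compile(r"(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"':]+)", re.I)

def audit_htaccess(text, own_hosts):
    """Return (line_no, reason) findings for the body of one .htaccess file."""
    findings, gated = [], False   # gated: a search-referer condition is pending
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SEARCH_REFERER.match(line):
            gated = True
            findings.append((no, "search-engine referer condition"))
        elif DIRECTIVE.match(line):
            foreign = [h for h in URL_HOST.findall(line) if h.lower() not in own_hosts]
            if foreign:
                tail = " for search visitors" if gated else ""
                findings.append((no, "redirect to " + foreign[0].lower() + tail))
            if line.lower().startswith("rewriterule"):
                gated = False     # RewriteCond lines bind to the next RewriteRule only
    return findings

def scan_webroot(root, own_hosts):
    """Audit every .htaccess under root; returns {path: findings} for hits only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                hits = audit_htaccess(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed samples, not taken from the incident.
SUSPECT = ("RewriteEngine On\n"
           "RewriteCond %{HTTP_REFERER} .*(google|yahoo|msn)\\. [NC]\n"
           "RewriteRule ^(.*)$ http://spam.example.net/in.php [R=302,L]\n")
BENIGN = ("RewriteCond %{HTTPS} off\n"
          "RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]\n")

if __name__ == "__main__":
    for body in (SUSPECT, BENIGN):   # own hostname below is an assumption
        print(audit_htaccess(body, {"www.example.org"}))
```

Call `scan_webroot` on a downloaded copy of the site with the set of hostnames you actually serve; anything it reports is a candidate for manual review, not proof of compromise.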

To update your siteadmin password:

1. Log in to /siteadmin
2. Click Edit

You can update your siteadmin password here.

To update your FTP password:

1. Log in to /siteadmin
2. Select your domain
3. Select ‘Hosting Setup’

You can update your FTP password in the section.

Comments

There are 15 comments on “FTP Exploits and Account Hacks”

  1. Cindy Thomas April 23, 2009

    I was one of the domains hacked into. I am having trouble updating my password. I use Ipswitch WS_FTP LE to upload my files and now I am unable to logon as I need to update my password. I need help with this cause I can’t find “edit” as mentioned in the email. Please see C10198

  2. chris April 23, 2009

    does the email received correspond to the time of the attack? found nothing on full system scan and rec. email 8 hrs since pc was last on.

    also are you reporting whatever the domain was forwarding to correct authorities/hosting companies?

    chris

  3. Stuart April 23, 2009

    Cindy: reply to the email you received from us, we will be happy to help you update your passwords.

    Chris: There really isn’t anyone to report the matter to I am afraid.

  4. Ian April 24, 2009

    I’m concerned about your assertion that “attacks may have originated from users own machines” when all of the changes to my accounts came from machines in US, Germany and India.
    I ftp into my accounts using a Mac which was switched off at the time of the attacks.

  5. Gordon S Valentine April 24, 2009

    I think the FTP lock is a good idea. It would also be good if they could add an IP address lock, so we can only access the FTP servers via a list of IP addresses that we have set up. That way, it would stop machines in US, Germany and India and so on getting access to the FTP servers.

  6. Michael Ball April 24, 2009

    When these attacks occurred, I had envisaged spending days looking for damaged files (which I have had to do with other server companies). However, it quickly became clear that 34SP were responding to the attacks very promptly and in the case of my sites, had locked the sites down and then restored them from backups within one hour of the attacks. Thank you to the 34SP team for the smooth and efficient way in which you dealt with this. No matter where you have your website hosted, it will be vulnerable to such attacks. The thing that varies from one hosting company to another is the speed and efficiency of the response.

  7. Chris April 25, 2009

    I too commend the 34sp team regardless of where the vulnerability turns out to be. I have run virus checks on the PCs I use to FTP and have found no viruses. My website runs Joomla, I have posted on the Joomla forums to see if it was a Joomla vulnerability but this is inconclusive so far. Was anyone else that was compromised using Joomla? Was anyone else compromised not using Joomla?

  8. Chris April 26, 2009

    Michael you must have been lucky (or on a higher hosting account), my index file was replaced with a blank one and 2 hacked files remained with dodgy links in them (hidden so just for search spidering). Luckily I had backups at home. But this isn't really a complaint as I'm glad it was noticed and locked down so promptly.

    IP for mine was Russia apparently.

  9. Chris April 26, 2009

    I too was hacked, I run Joomla, I’m interested to know if the other users hacked run Joomla or not?

  10. Ian April 27, 2009

    34sp were indeed very quick to act.

    What is odd is that the domains of mine that were altered had either never been logged into or if they were it was a very very long time ago. Those that are regularly accessed (and whose details a keylogger would have picked up) were not touched.

    I am still at a loss as to how a hacker can obtain a username/password combination that has never been used.

  11. John Crumpton April 27, 2009

    Thank you for fixing one of our sites which was affected – appreciate your quick response.

    You mention using SCP over insecure FTP – can you recommend a program? I used FileZilla 2.

  12. Gordon S Valentine April 27, 2009

    I would check all your websites if I was you. I keep finding the following code on my website.

    <a href=

    Which I know for sure, I did not add!

  13. Matt April 28, 2009

    Well, I have around 10 domains hosted @ 34sp.com, which I did not touch for over 1 year.
    All have a forwarding HREF link to other web sites… Most of them have ftp passwords set like ‘*^38d8**^8ahsA’.
    I can NOT imagine a brute force attack is capable of hacking such passwords quickly; therefore, I suggest, FreeBSD or one of 34SP's authentication daemons had a leak!
    Anyhow, 2nd time this happens and 34SP was very quick again in locating and part solving the issue.

    Thanks for your support TEAM!

  14. Stuart May 7, 2009

    Just a follow up to anyone still having access problems. Check out http://www.34sp.com/ftp-security-measures

    If you need help give us a call or drop an email to help@34sp.com – we can’t offer support directly over this blog.

  15. Richard May 9, 2009

    I have had changes made to 7 websites. Some Joomla sites, some bog standard html. All using different ftp logins and passwords. Sometimes it changes files in the http area, sometimes in the https, but not always in both.

    I for one will be investigating the security measures suggested by 34sp.
