
FTP Exploits and Account Hacks

Over the last 48 hours we have noticed an increased number of attacks against hosting accounts. The attacks take the form of exploiting the FTP server to upload malicious content to accounts. The present attack we are seeing uploads .htaccess files used to redirect incoming search engine visitors to spam sites.

In light of this current uptick we have updated our FTP scanning system to detect and block these uploads before they can cause damage to accounts. If an account is deemed to have been exploited we take three steps to protect you: the files are removed, your FTP password is randomised and an FTP lock is enabled on your account. You will also be emailed about these changes at your registered email address. We then recommend updating your account passwords to non-dictionary words and using SCP instead of standard, insecure FTP. You should also check your account to verify that no other malicious changes have been made.

Furthermore, it would be wise to run a full virus scan of your own machine, using up-to-date virus scanning software. We believe that the attacks may have originated from users' own machines, exploited with a trojan.
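One way to run the account check recommended above over a downloaded copy of a site, as an added example that is not 34SP's own scanner. It assumes the redirects are written as mod_rewrite rules gated on a search-engine referer; the engine list, sample file and host names are constructed.

```python
import os
import re
from urllib.parse import urlparse

# Assumed list of search-engine names to look for in referer conditions.
ENGINES = re.compile(r"google|bing|yahoo|aol|msn", re.I)
REFERER_COND = re.compile(r"\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r"\s*RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed sample of a tampered file; spam.example.invalid is a placeholder.
SAMPLE = """\
# BEGIN site rules
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://spam.example.invalid/in.php [R=301,L]
"""


def scan_htaccess(text, own_hosts=()):
    """Return (line_no, reason, host) for each RewriteRule to a foreign host."""
    findings, gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        cond = REFERER_COND.match(line)
        rule = REWRITE_RULE.match(line)
        if cond and ENGINES.search(cond.group(1)):
            gated = True  # conditions apply to the next RewriteRule only
        elif rule:
            host = (urlparse(rule.group(1)).hostname or "").lower()
            if host and host not in own_hosts:
                reason = "search-referer redirect" if gated else "external redirect"
                findings.append((no, reason, host))
            gated = False
    return findings


def scan_tree(root, own_hosts=()):
    """Scan every .htaccess under root; return {path: findings} for hits."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_htaccess(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits
```

Pass your own host names in `own_hosts` so legitimate redirects to your own domains are not reported; any hit on a file you did not write yourself is worth comparing against a backup.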

To update your siteadmin password:

Log in to /siteadmin

Click Edit

You can update your siteadmin password here.

To update your FTP password:

Log in to /siteadmin

Select your domain

Select ‘Hosting Setup’

You can update your FTP password in the section.

15 Comments

  1. I was one of the domains hacked into. I am having trouble updating my password. I use Ipswitch WS_FTP LE to upload my files and now I am unable to log on as I need to update my password. I need help with this cause I can’t find “edit” as mentioned in the email. Please see C10198

  2. Does the email received correspond to the time of the attack? Found nothing on full system scan and rec. email 8 hrs since PC was last on.

    Also, are you reporting whatever the domain was forwarding to correct authorities/hosting companies?

    chris

  3. Cindy: reply to the email you received from us, we will be happy to help you update your passwords.

    Chris: There really isn’t anyone to report the matter to I am afraid.

  4. I’m concerned about your assertion that “attacks may have originated from users own machines” when all of the changes to my accounts came from machines in US, Germany and India.
    I ftp into my accounts using a Mac which was switched off at the time of the attacks.

  5. Gordon S Valentine
    Friday April 24th, 2009

    I think the FTP lock is a good idea. It would also be good if they could add an IP address lock, so we can only access the FTP servers via a list of IP addresses that we have set up. That way, it would stop machines in US, Germany and India and so on getting access to the FTP servers.

  6. When these attacks occurred, I had envisaged spending days looking for damaged files (which I have had to do with other server companies). However, it quickly became clear that 34SP were responding to the attacks very promptly and in the case of my sites, had locked the sites down and then restored them from backups within one hour of the attacks. Thank you to the 34SP team for the smooth and efficient way in which you dealt with this. No matter where you have your website hosted, it will be vulnerable to such attacks. The thing that varies from one hosting company to another is the speed and efficiency of the response.

  7. I too commend the 34sp team regardless of where the vulnerability turns out to be. I have run virus checks on the PCs I use to FTP and have found no viruses. My website runs Joomla, I have posted on the Joomla forums to see if it was a Joomla vulnerability but this is inconclusive so far. Was anyone else that was compromised using Joomla? Was anyone else compromised not using Joomla?

  8. Michael you must have been lucky (or on a higher hosting account), my index file was replaced with a blank one and 2 hacked files remained with dodgy links in them (hidden so just for search spidering). Luckily I had backups at home. But this isn’t really a complaint as I’m glad it was noticed and locked down so promptly.

    IP for mine was Russia apparently.

  9. I too was hacked, I run Joomla, I’m interested to know if the other users hacked run Joomla or not?

  10. 34sp were indeed very quick to act.

    What is odd is that the domains of mine that were altered had either never been logged into or if they were it was a very very long time ago. Those that are regularly accessed (and whose details a keylogger would have picked up) were not touched.

    I am still at a loss as to how a hacker can obtain a username/password combination that has never been used.

  11. Thank you for fixing one of our sites which was affected – appreciate your quick response.

    You mention using SCP over insecure FTP – can you recommend a program? I used FileZilla 2.

  12. Gordon S Valentine
    Monday April 27th, 2009

    I would check all your websites if I was you. I keep finding the following code on my website.

    <a href=

    Which I know for sure, I did not add!

  13. Well, I have around 10 domains hosted @ 34sp.com, which I did not touch for over 1 year.
    All have a forwarding HREF link to other web sites… Most of them have ftp passwords set like ‘*^38d8**^8ahsA’.
    I can NOT imagine a brute force attack is capable of hacking such passwords quickly, therefore, I suggest, FreeBSD or one of 34SP’s authentication daemons had a leak!
    Anyhow, 2nd time this happens and 34SP was very quick again in locating and part solving the issue.

    Thanks for your support TEAM!

  14. Just a follow up to anyone still having access problems. Check out http://www.34sp.com/ftp-security-measures

    If you need help give us a call or drop an email to help@34sp.com – we can’t offer support directly over this blog.

  15. I have had changes made to 7 websites. Some Joomla sites, some bog standard HTML. All using different FTP logins and passwords. Sometimes it changes files in the http area, sometimes in the https, but not always in both.

    I for one will be investigating the security measures suggested by 34sp.