A nice little trend has been popping up and is becoming way more than a mere coincidence. Lately, a couple of customers have been calling up stating that their website has been compromised. The trend is usually the same: the good ol' malicious link has been embedded into multiple pages on their website. This has been very common with automated SQL injection attacks, but lately SQL injection has not been the culprit. After conducting an investigation, I have been identifying that the issue has been the result of an FTP breach. Now, I have seen this method of breach occur in the past with the .htaccess file being modified (see previous post).
When an FTP breach occurs, you usually start running the customer through the traditional questions: Do you use strong passwords? Do you change your password regularly? How many users share the login/password in question? Is your FTP application up to date with the latest security-related patches? All of these have been coming back with answers that tend to rule out a possible exploit.
Now, I find that there are a lot of interesting things here, so I will try to remember all of the ones off the top of my head.
So far, I have seen 3 possible methods of exploitation.
1. The user's FTP credentials are being compromised through malware installed on the client's workstation.
2. The FTP user credentials can be sniffed, since FTP authentication is passed in plain text.
3. The user is using weak FTP passwords that can be brute forced (although I do not see any brute forcing in the FTP log files, I will still leave it open as a possibility).
While all of the instances that I have seen look like they have been coming from malware installed on the client's workstation, I am a security analyst and always recommend solutions that cover all possible methods of exploitation.
So what I find really interesting is that an attacker/hacker has your FTP credentials, and all that they are doing is embedding a link onto your website. I do not see any defacement, backdoor installation, or attempts to obtain sensitive information. To me, this is quite odd. These are not hackers who are looking to create a name for themselves or trying to steal CC info out of your database. These are hackers who are trying to spread their infection by crawling over the top of the single user and passing their tactics onto your webserver to assist with growth.
I feel that this trend is very interesting because it further backs up the security professionals' opinion that botnets are evolving and becoming very specific in their objective and method of exploitation.
I will close out this post with recommendations to the client on what they can do to help remediate the issue and assist with identifying the method of exploitation.
1. Change FTP user credentials often using strong passwords.
2. Hand out individual FTP credentials to everyone accessing the FTP server. This will assist with identifying where the FTP credentials are being leaked and is just good security practice. You will also want to remove all users who do not need access to the webserver.
3. Use a secure FTP server and client application, so that FTP authentication is not passed in plain text. Make sure you update your FTP server/client application to the most recent version, with all recent security-related patches applied.
4. Run an anti-virus and malware detection tool on all workstations regularly.
5. Review FTP log files regularly, looking for unauthorized authentication.
And the bonus question:
Why is there not a popular application, or an add-on built into an FTP server, cPanel or Plesk, that notifies the client when a file has been added or modified within their account? This would prevent out-of-the-ordinary modifications or new files from going unnoticed. And if there is one, why is it not in widespread use?
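As an added example (not part of the original post, and not any vendor's product), here is a minimal version of the notifier the bonus question asks for: it hashes every file in the web root, stores a baseline, and on later runs reports files that were added, removed or modified. The demo directory, file names and the placeholder link it injects are constructed for the example; in practice you would run check_webroot from cron and email the result.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 digest of one file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def snapshot(root):
    """Map every file under root (path relative to root) to its digest."""
    root = Path(root)
    return {str(Path(d, n).relative_to(root)): hash_file(Path(d, n))
            for d, _, files in os.walk(root) for n in files}

def diff_snapshots(baseline, current):
    """List what changed since the baseline: new files, deleted files, edited files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def check_webroot(root, baseline_file):
    """First run stores a baseline and returns None; later runs return the changes.
    Keep baseline_file outside the FTP account's writable area, otherwise whoever
    holds the stolen credentials can overwrite it along with the pages."""
    baseline_file = Path(baseline_file)
    current = snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, sort_keys=True))
        return None
    return diff_snapshots(json.loads(baseline_file.read_text()), current)

def demo():
    """Constructed scenario: a clean site, then the kind of change the post describes."""
    work = Path(tempfile.mkdtemp())
    site, baseline = work / "htdocs", work / "baseline.json"  # baseline outside htdocs
    site.mkdir()
    (site / "index.html").write_text("<html><body>Welcome</body></html>")
    check_webroot(site, baseline)  # first run: records the baseline
    # placeholder.invalid stands in for the injected link; it is not a real indicator
    (site / "index.html").write_text('<html><body>Welcome<a href="http://placeholder.invalid/"></a></body></html>')
    (site / "x.php").write_text("<?php /* constructed: a file that was never part of the site */ ?>")
    return check_webroot(site, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```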

2 comments:
This is not specifically what you were asking for, but you could use some sort of file integrity checker like Tripwire or OSSEC on the FTP directory, so anytime a file is added or modified you can be notified.
Software Assist has a real-time monitor for FTP servers called FTP/WatchDog. It monitors the activity on FTP servers running on Windows, UNIX, and Linux.
It can generate email alerts when FTP activity of interest takes place. You define what you want alerted on, and it sends the alerts when matching activity happens.