Monday, June 29, 2009

Steps To Prevent Gumblar / Martuz / Nine-Ball


Now that people are finally starting to notice how successful the recent wave of malware that steals your FTP credentials has been, I thought I would compile the steps that help prevent this type of attack. There has always been a tug-of-war between security and convenience, and I truly believe that until this trend dies down it is crucial for every company to lean a little more towards the security side and simply put up with the loss of convenience.
No one is safe from this type of attack, including Bank of America, Cisco, Amazon, and even my own company, McAfee (see link). The security of your web server now also depends on the security of your employees' workstations and laptops.

So what can be done to prevent this type of attack? It will really be dependent on your server configuration, but there are always steps that can be taken.

CLIENT SIDE: Let's start with the steps your employees can take to keep their workstations from being compromised by the root cause: malware. These are in no particular order of convenience or security impact.

1. Make sure that your antivirus is up to date: Even though detection rates for these exploits are very low, it is always recommended to have an antivirus installed and to make sure it is updated regularly.
2. Make sure that you are running Windows Update: The more patched your system is, the fewer exploits an attacker has to try against your workstation.
3. Make sure you get over to Adobe.com and update both Flash and Acrobat: For the most part, these are the exploits attackers are using to compromise your workstation. They are using vulnerabilities in Flash and Acrobat that were identified months ago and have already been fixed by Adobe.
4. Disable JavaScript in Adobe Reader: Very useful, and for the most part you won't notice it is disabled.
  • Click "Edit" on the menu bar, then "Preferences".
  • In the dialog box that opens, select the "JavaScript" item.
  • Uncheck "Enable Acrobat JavaScript".
  • Click "OK".

5. Use a secure FTP client if available: One of the methods attackers use to retrieve your FTP credentials is to sniff your plain-text password when you connect to your FTP server. With a secure FTP client, your password is not sent in plain text or unencrypted. Make sure your FTP server accepts secure FTP authentication.
6. Run an anti-malware program like Malwarebytes: This is an awesome application that will attempt to discover whether malware such as Gumblar is infecting your workstation.
7. Change your passwords more frequently: Change your passwords often. This includes your workstation, FTP, cPanel or Bind, etc. There are even settings that will automatically change your FTP credentials daily. You might want to use this feature until this trend calms down (or forever).
8. Install a client-side firewall that monitors inbound and outbound connections and alerts you to any changes: An example would be ZoneAlarm. These are extremely annoying but will be beneficial in the long run.

SERVER SIDE: Now let's look at server-side changes that will help prevent Gumblar-based attacks. Once again, in no particular order.
Do you think that your website is a current victim of Gumblar? Step on over to www.unmaskparasites.com and find out.

1. Install an FTP server that allows secure connections: There are many FTP servers out there that let the client connect over a secure connection. For all you know, the FTP server you are using now may already have this feature. Check it out.
2. Individualize FTP user credentials: Go back and reassess who has credentials. Do they actually need them? If they do, give each person their own user name. This will help you determine where the insecurity is coming from: you will be able to identify which user is compromised and leaking their credentials.
3. IP-restrict your FTP server: Create a whitelist of all IP addresses or ranges that currently access your FTP server. Blacklist everything else.
4. Set up some kind of application or routine that checks new or modified files on the server for unauthorized changes: Catch them in the act and stop them from modifying files. List your file system by last-modified time and verify that each modification is authorized.
5. Routinely check your FTP log files for unauthorized activity: Pull your FTP logs daily or weekly and review all inbound connections. Check the IP address that established each connection and verify that it is authorized.
6. Make sure that you are running some type of rootkit detection application on a regular basis: Added protection, 'nuff said.
7. Step on over to a site like Unmaskparasites.com and check your site for the presence of malware. Wepawet is another service used for analyzing malicious sites. (Quickly identifying malware on your website is something I would consider damage prevention.)
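Steps 3, 4 and 5 above can be tied together into one routine check. The script below is an added example written for this post, not a tool the author recommends or ships: it allowlists the FTP client addresses you expect (step 3), compares a hashed baseline of the web root against its current state to list new or modified files (step 4), and flags successful logins and uploads in the FTP log that came from addresses outside the allowlist (step 5), then correlates the two. The vsftpd-style log lines, the allowlist ranges and the throwaway web root are all constructed for the example; the function names and the exact log layout are assumptions and you would point the script at your own server's log and document root.

```python
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist of addresses and ranges expected to use FTP (step 3).
# Documentation ranges only; constructed for this example.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed vsftpd-style log excerpt, not real traffic. The first two lines come from
# an allowlisted office address, the last two from an address outside the allowlist.
SAMPLE_FTP_LOG = """\
Mon Jun 29 08:12:01 2009 [pid 2231] [webadmin] OK LOGIN: Client "192.0.2.15"
Mon Jun 29 08:12:09 2009 [pid 2231] [webadmin] OK UPLOAD: Client "192.0.2.15", "/var/www/html/news.html", 4120 bytes, 88.21Kbyte/sec
Mon Jun 29 23:41:55 2009 [pid 2307] [webadmin] OK LOGIN: Client "203.0.113.44"
Mon Jun 29 23:42:03 2009 [pid 2307] [webadmin] OK UPLOAD: Client "203.0.113.44", "/var/www/html/index.html", 9120 bytes, 90.01Kbyte/sec
"""

# Pulls out the user, action, client IP and (for uploads/deletes) the server-side path.
LOG_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|UPLOAD|DELETE): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def is_allowed(ip: str) -> bool:
    """True if the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def suspicious_ftp_events(log_text: str) -> list[dict]:
    """Step 5: successful logins, uploads and deletes from non-allowlisted addresses."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and not is_allowed(m.group("ip")):
            events.append(m.groupdict())
    return events


def snapshot(root: Path) -> dict[str, str]:
    """Step 4: map every file under root (relative path) to its SHA-256 digest.
    Hashing the content rather than trusting the mtime catches a change even
    when the timestamp looks untouched."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or changed between two snapshots of the web root."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def correlate(events: list[dict], changes: dict[str, list[str]]) -> list[str]:
    """File names uploaded from a non-allowlisted address that also changed on disk."""
    changed = set(changes["added"]) | set(changes["modified"])
    return sorted({Path(e["path"]).name for e in events
                   if e.get("path") and Path(e["path"]).name in changed})


def demo() -> tuple[list[dict], dict[str, list[str]], list[str]]:
    """Build a throwaway web root, take a baseline, simulate an edit, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.html").write_text("<html>home</html>")
        (site / "news.html").write_text("<html>news</html>")
        baseline = snapshot(site)
        # Constructed, benign change standing in for an unauthorized edit and a new file.
        (site / "index.html").write_text("<html>home</html><!-- changed -->")
        (site / "extra.html").write_text("<html>extra</html>")
        changes = diff_snapshots(baseline, snapshot(site))
    events = suspicious_ftp_events(SAMPLE_FTP_LOG)
    return events, changes, correlate(events, changes)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In practice you would store the baseline snapshot somewhere the FTP account cannot write to, rebuild it only after an authorized deployment, and run the comparison plus the log scan from cron so the review in step 5 happens whether or not anyone remembers to pull the logs.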


I think I have touched on most of the current methods of prevention. Not all of these are necessary, but every one of them will help. If you are on a shared server, contact your hosting company and ask what they can do to help prevent this issue.
Last but not least, if you have any other methods for prevention, let me know.

2 comments:

Anonymous said...

This reads like a very thorough list. Some names and links to sites to follow through with more of your recommendations would be very helpful. I know you can search on Google. But it can be hard and time-consuming to distinguish between genuine advice and promotion. Anyway, thanks for the list.

Declare.James said...

Anonymous: I will work on updating current post with recent trends and any new applications that I stumble on that will assist in preventing these types of attacks.