Monday, May 18, 2009

How to compromise a secure website. (Gumblar)

After watching the recent trend of Gumblar and its method of exploitation, you really have to ask yourself, "How the hell do you protect your customers from this?" Yes, their server is compromised, but did it occur through a web application vulnerability? Chances are the answer is "No". The majority of cases that I have seen from this recent trend are all exploited by obtaining the FTP user credentials from a webmaster through their compromised, malware-loaded workstation.

Now sitting back and thinking about this method of attack, you can really identify a lot of benefits to this type of exploitation.

1. You could technically compromise a completely secure web application and server. (Ya, I know, I am being loose with the words "secure web application" here.)
2. For the most part, even if you remove the malicious links, you still need to track down the workstation that is compromised; otherwise there is a high probability of future compromise.
3. Once the infected workstation is detected, can you really do anything to secure it from this type of attack occurring again?
4. How long are these malicious URLs up on the website before a trend is found and is flagged in an application such as Google Safe Browsing?

Sitting back and thinking about this, it is now a little easier for me to understand why an attacker with full FTP credentials to a website would only go as far as to place a small malicious link on their victims' pages. There is no complete defacement, and no attempt to discover sensitive information on the webserver. From this you can easily discover the motivation for this type of attack. MONEY!

I will just link to my last post that contains best practices to assist with prevention and increase security. Here

Thursday, May 14, 2009

Botnets spreading their love to webservers by obtaining FTP credentials from a malware-infected workstation.

A nice little trend has been popping up and is becoming way more than a mere coincidence. Lately, a couple of customers have been calling up stating that their website has been compromised. The trend is usually the same, where the good ol' malicious link has been embedded into multiple pages on their website. This trend has been very common with automated SQL injection attacks, but lately SQL injection has not been the culprit. After conducting an investigation, I have been identifying that the issue has been the result of an FTP breach. Now, I have seen this method of breach occur in the past with the .htaccess file being modified (see previous post).

When an FTP breach occurs, you usually start running the customer through the traditional questions: Do you use strong passwords? Do you change your password regularly? How many users share the login/password in question? Is your FTP application up to date with the latest security-related patches? All of these have been coming back with answers that tend to rule out a possible exploit.

Now, I find that there are a lot of interesting things here, so I will try to remember all of the ones off the top of my head.

So far, I have seen 3 possible methods of exploitation.
1. The user's FTP credentials are being compromised through malware installed on the client's workstation.
2. The FTP user credentials can be sniffed via plain-text authentication.
3. The user is using weak FTP passwords, which can be brute forced (although I do not see any brute forcing in the FTP log files, I will still leave it open as a possibility).

While all of the instances that I have seen look like they have been coming from malware installed on the client's workstation, I am a security analyst and always recommend solutions to cover all bases of possible methods of exploitation.

So what I find really interesting is that an attacker/hacker has your FTP credentials, and all that they are doing is embedding a link onto your website. I do not see any actions of defacement, installing backdoors, or attempting to obtain sensitive information. To me, this is quite odd. These are not hackers who are looking to create a name for themselves or trying to steal CC info out of your database. These are hackers who are trying to spread their infection by crawling over the top of the single user and passing their tactics onto your webserver to assist with growth.

I feel that this trend is very interesting because it further backs up the security professionals' opinion that botnets are evolving and becoming very specific in their objective and method of exploitation.

I will close out this post with recommendations to the client on what they can do to help address the issue and assist with identifying the method of exploitation.

1. Change FTP user credentials often, using strong passwords.
2. Hand out individual FTP credentials to anyone accessing the FTP server. This will assist with identifying where the FTP credentials are being leaked and is just good security practice. You will also want to remove all users who do not need access to the webserver.
3. Use a secure FTP server and client application. This will prevent the FTP authentication from being passed in plain text. Make sure you update your FTP server/client application to the most recent version, or patch it with all recent security-related patches.
4. Run an anti-virus and malware detection tool on all workstations regularly.
5. Review FTP log files regularly, looking for unauthorized authentication.


And the bonus question:

Why is there not a popular application, or an add-on built into an FTP server, cPanel or Plesk, that notifies the client if a file has been added or modified within their account? This would prevent out-of-the-ordinary modifications or new files from going unnoticed. And if there is one, why is it not in widespread use?