FTP hijacking

Discussion in 'General Chat' started by blueskyrentals, Feb 8, 2005.

  1. #1
    Hi folks,

    "Long time listener, first time caller" :D

    I have an "inactive" website with FTP for data transfer for my customers. I say inactive, because this site is seldom used (by me).

    I've just checked the stats, and was extremely surprised to see the activity on my site. Did a little more digging, and found that my FTP had been hijacked by someone registered in Saudi Arabia. I've found wmv's of the beheading of the American reporter, as well as a phpBB set up. Naturally, I cannot read arabic-

    Without getting too paranoid about the contents of the files uploaded to my server, who do I report this to? I've made my admin aware of the situation, and I have the capability of deleting all the files from the server. Of course, if the purpose of the bb is nefarious, I'd like to report it to someone who may have other interests (Homeland Security? or am I too paranoid?)

    TIA,

    Blue
     
    blueskyrentals, Feb 8, 2005 IP
  2. flawebworks

    flawebworks Tech Services

    #2
    This happened because anonymous ftp was turned on. *Anybody* can use your space to upload files to.

    First thing you should do; is shut off the anonymous ftp. Contact your host. If anything; they would be the ones to contact any powers that be; but I doubt they'll do much of anything. IF you want; you could save the files yourself and contact your local fbi.

    Chances are; you won't be able to delete the files yourself; people who use other people's ftp space via anonymous ftp like to use spaces in the filenames and other weird characters. Makes it difficult for the average user to delete files. You can also try thru IE- sometimes deleting files in this manner works when no other will. If you can't delete the files; contact your host and request they delete the files.

    Again: turn off anonymous ftp.
     
    flawebworks, Feb 8, 2005 IP
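The advice above is to turn anonymous FTP off. As an added example that is not code from this thread, here is a small audit script for a vsftpd-style configuration file (an assumption: the thread never names the FTP daemon, and other daemons use different option names). It applies vsftpd's documented defaults before judging, which matters because `anonymous_enable` defaults to YES, so a config that never mentions it still permits anonymous logins; anonymous writes additionally need `write_enable=YES` plus one of the `anon_*` write options. The three sample configurations are constructed for the example.

```python
"""Audit a vsftpd.conf for anonymous-FTP exposure.

Added example, not code from the thread. It assumes the daemon is vsftpd
(the option names and defaults below come from vsftpd.conf(5)); another
FTP daemon would use different keys.
"""
from __future__ import annotations

# Documented vsftpd defaults for the options this audit looks at.
# anonymous_enable defaults to YES, so a config that never mentions it
# still permits anonymous logins.
DEFAULTS: dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "write_enable": "NO",
}

# Any of these, together with write_enable=YES, lets anonymous users change
# the filesystem (upload, create directories, rename or delete).
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")


def parse_conf(text: str) -> dict[str, str]:
    """Parse 'key=value' lines on top of the defaults.

    Blank lines and '#' comments are skipped. vsftpd itself is strict about
    whitespace around '='; this parser is lenient so the audit still works on
    hand-edited files. Values are normalised to upper case.
    """
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def audit(text: str) -> list[str]:
    """Return findings, least severe first; an empty list means no anonymous exposure."""
    conf = parse_conf(text)
    findings: list[str] = []
    anonymous = conf["anonymous_enable"] == "YES"
    if anonymous:
        findings.append("WARN: anonymous logins allowed (anonymous_enable is YES or unset)")
        if conf["write_enable"] == "YES":
            writable = [k for k in ANON_WRITE_KEYS if conf[k] == "YES"]
            if writable:
                findings.append("CRIT: anonymous users can write to the server via " + ", ".join(writable))
    return findings


# Constructed sample configurations (not from any real host).
WEAK_CONF = """\
# open drop box: the setup the thread warns about
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

IMPLICIT_CONF = """\
# anonymous_enable never set, so vsftpd's default (YES) applies
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("implicit", IMPLICIT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['OK']}")
```

The "implicit" case is the one that bites people: nothing in the file says anonymous, yet anonymous logins work because the default was never overridden. Running the audit on the real `vsftpd.conf` is a quick check after any hosting-panel change.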
  3. Crazy_Rob

    Crazy_Rob I seen't it!

    #3
    What platform is the site on?
     
    Crazy_Rob, Feb 8, 2005 IP
  4. blueskyrentals

    blueskyrentals Peon

    #4
    Platform is Unix, admin has shut CPanel off already. I've downloaded a full backup before it was shut down-

    Also, I'll have to trust your judgement that the host will do any necessary reporting. I expect some communication with the host soon.

    There are (were) some really disturbing wmv's uploaded. Made me sick to look at them...

    Anonymous login should not have been enabled. Security was tantamount for transferring proprietary information (Big 3 auto makers, sometimes more secretive than the CIA) :D

    Blue
     
    blueskyrentals, Feb 8, 2005 IP
  5. ResaleBroker

    ResaleBroker Active Member

    #5
    That doesn't sound too paranoid to me especially considering the content. It can't be too terribly hard to report this kind of stuff and I wouldn't leave the reporting up to your host.

    Here's a link to Homeland Security.
     
    ResaleBroker, Feb 8, 2005 IP
  6. Diamondbacks

    Diamondbacks Peon

    #6
    Who knows, you might have information on your server the US Government could use right now.
     
    Diamondbacks, Feb 8, 2005 IP
  7. blueskyrentals

    blueskyrentals Peon

    #7
    Downloaded data going to law enforcement for investigation. May be nothing, may be something. I certainly cannot tell. Anyone fluent in Arabic out there? (tar backup, 7mb)

    However, I've noticed a lot of activity in the immediately preceding months from a website dealing in website security. Their activity stopped at the end of December, and the "hijack" began in early January. Coincidence? My gut says "No"...

    Blue :(
     
    blueskyrentals, Feb 8, 2005 IP
  8. J.D.

    J.D. Peon

    #8
    Keep in mind that under some circumstances you may be found liable for not providing an adequate level of security on your server (same goes for your hosting company). If you report this to anybody, make sure that you have all logs describing the bad guys' activity and that you know exactly how they got in (dictionary-attacking an existing account, using some vulnerability, etc.), the extent of the penetration (e.g. whether it's only the FTP server that got hijacked or some other services got affected too) and what they did while there (e.g. whether they attacked any other sites). Simply put, gather as much info as you can and back it up for a long, long time.

    J.D.
     
    J.D., Feb 8, 2005 IP
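The post above says to work out from the logs how the intruders got in and what they did. As an added example, not code from this thread, here is a parser for the classic wu-ftpd/vsftpd `xferlog` transfer log (an assumption about which log the server keeps) that answers the first questions an investigator asks: how many completed uploads there were, which ones came in over anonymous logins, from which hosts, and which filenames use spaces or other odd characters, the trick the earlier reply mentions. The awkward part of this format is that the filename field may itself contain spaces, so it is recovered from the fixed number of fields on either side rather than by naive splitting. The sample log lines are constructed for the example.

```python
"""Summarise FTP transfer logs to scope an incident.

Added example, not from the thread. It assumes the server writes the
classic wu-ftpd/vsftpd 'xferlog' format; the sample lines below are
constructed, not taken from any real log.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# xferlog fields, in order:
#   date (5 tokens: weekday month day time year), transfer-time, remote-host,
#   file-size, filename, transfer-type, special-action-flag, direction (i/o),
#   access-mode (a=anonymous, g=guest, r=real), username, service-name,
#   authentication-method, authenticated-user-id, completion-status (c/i).
LEADING_FIELDS = 8   # everything before the filename
TRAILING_FIELDS = 9  # everything after the filename

# Filenames outside this character set (spaces, shell metacharacters,
# non-ASCII) are flagged: the thread notes intruders favour such names
# because they are awkward to delete with ordinary tools.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/\-]+$")


@dataclass(frozen=True)
class Transfer:
    when: str
    remote_host: str
    size: int
    filename: str
    direction: str    # "i" = upload to server, "o" = download from server
    access_mode: str  # "a" anonymous, "g" guest, "r" real account
    username: str     # for anonymous logins this is the password the client sent
    completed: bool


def parse_line(line: str) -> Transfer:
    """Parse one xferlog line.

    The filename may contain spaces, so it is taken as whatever lies between
    the fixed number of leading and trailing fields. Runs of spaces inside the
    name collapse to a single space, which is fine for triage.
    """
    tok = line.split()
    if len(tok) < LEADING_FIELDS + TRAILING_FIELDS + 1:
        raise ValueError(f"not an xferlog line: {line!r}")
    tail = tok[len(tok) - TRAILING_FIELDS:]
    return Transfer(
        when=" ".join(tok[:5]),
        remote_host=tok[6],
        size=int(tok[7]),
        filename=" ".join(tok[LEADING_FIELDS:len(tok) - TRAILING_FIELDS]),
        direction=tail[2],
        access_mode=tail[3],
        username=tail[4],
        completed=tail[8] == "c",
    )


def summarize(log_text: str) -> dict:
    """Scope the intrusion: who uploaded what, and whether it was anonymous."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    uploads = [r for r in records if r.direction == "i" and r.completed]
    anonymous = [r for r in uploads if r.access_mode == "a"]
    return {
        "uploads": len(uploads),
        "anonymous_uploads": len(anonymous),
        "anonymous_hosts": sorted({r.remote_host for r in anonymous}),
        "uploads_by_host": dict(Counter(r.remote_host for r in uploads)),
        "odd_filenames": sorted(r.filename for r in uploads if not SAFE_NAME.match(r.filename)),
        "bytes_uploaded": sum(r.size for r in uploads),
    }


# Constructed sample log (documentation IP ranges, invented paths).
SAMPLE_XFERLOG = """\
Thu Jan  6 03:12:45 2005 12 198.51.100.7 4194304 /incoming/ clip 1 .wmv b _ i a guest@ ftp 0 * c
Thu Jan  6 03:15:02 2005 1 198.51.100.7 2210 /incoming/phpBB2/config.php a _ i a guest@ ftp 0 * c
Fri Jan  7 10:01:11 2005 3 203.0.113.9 1048576 /pub/catalog.pdf b _ o a mozilla@ ftp 0 * c
Mon Jan 10 09:30:00 2005 2 192.0.2.20 51200 /home/blue/specs.zip b _ i r blue ftp 1 blue c
Mon Jan 10 09:31:00 2005 0 198.51.100.7 0 /incoming/partial.bin b _ i a guest@ ftp 0 * i
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_XFERLOG).items():
        print(f"{key}: {value}")
```

Downloads and incomplete transfers are left out of the upload counts on purpose; they still matter for the "what did they take" question, and the `Transfer` records keep them for that. Pair this with the daemon's login log (for the failed-login and session history) and keep the raw files, not just the summary, as the post advises.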
  9. Diamondbacks

    Diamondbacks Peon

    #9
    Liable for what?
     
    Diamondbacks, Feb 8, 2005 IP
  10. J.D.

    J.D. Peon

    #10
    Just like I said in the post - for not providing adequate security. It does seem unfair, but that's how things are. Imagine you don't lock your car and leave the keys in the ignition, then you don't notice it's been gone for a week. Now imagine this car was involved in an accident and caused some damage, guess who's going to go to court?

    J.D.
     
    J.D., Feb 8, 2005 IP
  11. Crazy_Rob

    Crazy_Rob I seen't it!

    #11
    You're not a lawyer, are you?
     
    Crazy_Rob, Feb 8, 2005 IP
  12. Diamondbacks

    Diamondbacks Peon

    #12
    I guess that makes sense.
     
    Diamondbacks, Feb 8, 2005 IP
  13. Blogmaster

    Blogmaster Blood Type Dating Affiliate Manager

    #13
    If you witness suspicious activity and make a decision not to report it, yes ... you can definitely be held liable!
     
    Blogmaster, Feb 8, 2005 IP
  14. blueskyrentals

    blueskyrentals Peon

    #14
    All info given to computer crimes lab at local level law enforcement. Up here, it's pretty much all rolled into one complex- city police, county sheriff, local FBI office, etc. Best to be on their good side :p forgot to mention staties and tribal police- we've got 'em all.
     
    blueskyrentals, Feb 8, 2005 IP
  15. david_sakh

    david_sakh Peon

    #15
    lol terrorists getting poor these days. :)

    loser couldn't even afford a web host. :D

    but yeah, anonymous FTP is a horrible idea. Anyone could delete everything or replace your product images with pr0n.
     
    david_sakh, Feb 8, 2005 IP
  16. Hijacker

    Hijacker Peon

    #16
    Ah well, even if anonymous FTP was turned off... Don't worry. Some people who hacked in your server and wanted to use it as their porn/violence/snuff/warez/whatever platform... Just some small potatoes.

    I bet there won't come anything big out of it :)
     
    Hijacker, Feb 8, 2005 IP
  17. J.D.

    J.D. Peon

    #17
    Not if the FTP server's set up properly. Anonymous logins must only be configured as read-only accounts. As far as non-anonymous logins go, most people use simple, one word, one case, letters-only passwords. Most such passwords can be easily broken by a simple dictionary attack. The only protection against this, besides good passwords, is a proper lock-out policy in place. For example, disabling the account for 30 minutes after 5 failed attempts.

    J.D.
     
    J.D., Feb 8, 2005 IP
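The lock-out policy in the post above (disable the account for 30 minutes after 5 failed attempts) is small enough to show in full. The following is an added example, not code from the thread or from any FTP daemon: an in-memory `LoginGate` that a server would consult around its password check, with an injectable clock so the 30-minute expiry can be exercised without waiting, plus a `is_trivially_weak` check for the password shapes the post describes (one word, one case, letters only, and the `aaaaaa` / `123456` style the next reply mentions). The policy numbers are the post's; the class and function names are mine.

```python
"""Account lock-out after repeated failed logins, plus a trivial-password check.

Added example, not the thread's code. It implements the policy given in the
thread (lock the account for 30 minutes after 5 failures) in memory, with an
injectable clock so the behaviour can be exercised without waiting.
"""
from __future__ import annotations

import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5
    lockout_seconds: float = 30 * 60
    # Failures older than this are forgotten, so a user who mistypes once a
    # week never accumulates enough to be locked.
    window_seconds: float = 30 * 60


class LoginGate:
    """Tracks failed attempts per account and enforces the lock-out."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy(),
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: start fresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'fail' or 'locked'.

        While locked, even a correct password is refused; otherwise the
        lock-out would not slow guessing at all, since a correct guess
        would still be accepted.
        """
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        fails = self._failures.setdefault(account, deque())
        fails.append(now)
        while fails and now - fails[0] > self.policy.window_seconds:
            fails.popleft()
        if len(fails) >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.lockout_seconds
            fails.clear()
            return "locked"
        return "fail"


def is_trivially_weak(password: str) -> bool:
    """True for the password shapes the thread describes: short, one word in
    one case made only of letters, all digits, or one repeated character
    (e.g. 'aaaaaa', '123456'). This is a floor, not a strength meter."""
    if len(password) < 8:
        return True
    if password.isalpha() and (password.islower() or password.isupper()):
        return True
    if password.isdigit() or len(set(password)) == 1:
        return True
    return False


if __name__ == "__main__":
    gate = LoginGate()
    for _ in range(5):
        print(gate.attempt("blue", password_ok=False))   # fail x4, then locked
    print(gate.attempt("blue", password_ok=True))        # locked
    print(is_trivially_weak("aaaaaa"), is_trivially_weak("Tr0ub4dor&3"))
```

Two caveats a practitioner would add: a per-account lock lets anyone who knows a username keep that user locked out by sending bad passwords, so real servers usually also throttle per source address and add a fixed delay per failure rather than relying on the account lock alone; and the `password_ok` flag stands in for the server's own credential check, which this example does not implement.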
  18. flawebworks

    flawebworks Tech Services

    #18
    This is a good one - and I see it all the time as well: aaaaaa or 123456.

    One doesn't even need to do a dictionary attack. With ftp; all you need is a packet sniffer.
     
    flawebworks, Feb 8, 2005 IP
  19. J.D.

    J.D. Peon

    #19
    If your network is set up correctly, the chances of somebody sniffing your packets aren't that great. That is, a direct T1 (office) or a DSL (home) connection going to your ISP and then through a few backbone routers is usually fairly safe in this sense. Things change when it gets into the IDC. Most one-machine installations share the same LAN with a bunch of other folks and this is where it gets quite simple to redirect traffic. There are ways to fight this, though, so overall, with all speed bumps in place, it isn't as simple as one might think.

    But, then again, an SSL-capable FTP server is always a good alternative :)

    J.D.
     
    J.D., Feb 8, 2005 IP