FTP hijacking

Hi folks,

"Long time listener, first time caller"

I have an "inactive" website with FTP for data transfer for my customers. I say inactive, because this site is seldom used (by me).

I've just checked the stats, and was extremely surprised to see the activity on my site. Did a little more digging, and found that my FTP had been hijacked by someone registered in Saudi Arabia. I've found wmv's of the beheading of the American reporter, as well as a phpBB set up. Naturally, I cannot read arabic-

Without getting too paranoid about the contents of the files uploaded to my server, who do I report this to? I've made my admin aware of the situation, and I have the capability of deleting all the files from the server. Of course, if the purpose of the bb is nefarious, I'd like to report it to someone who may have other interests (Homeland Security? or am I too paranoid?)

TIA,

Blue

 

This happened because anonymous ftp was turned on. *Anybody* can use your space to upload files to.

First thing you should do; is shut off the anonymous ftp. Contact your host. If anything; they would be the ones to contact any powers that be; but I doubt they'll do much of anything. IF you want; you could save the files yourself and contact your local fbi.

Chances are; you won't be able to delete the files yourself; people who use other peoples ftp space via anonymous ftp like to use spaces in the filenames and other weird characters. Makes it difficult for the average user to delete files. You can also try thru IE- sometimes deleting files in this manner works when no other will. If you can't delete the files; contact your host and request they delete the files.

Again: turn off anonymous ftp.

 

What platform is the site on?

 

Platform is Unix, admin has shut CPanel off already. I've downloaded a full backup before it was shut down-

Also, I'll have to trust your judgement that the host will do any necessary reporting. I expect some communication with the host soon.

There are (were) some really disturbing wmv's uploaded. Made me sick to look at them...

Anonymous login should not have been enabled. Security was tantamount for transferring proprietary information (Big 3 auto makers, sometimes more secretive than the CIA)

Blue

 

That doesn't sound too paranoid to me especially considering the content. It can't be too terribly hard to report this kind of stuff and I wouldn't leave the reporting up to your host.

Here's a link to Homeland Security.

 

Who knows, you might have information on your server the US Government could use right now.

 

Downloaded data going to law enforcement for investigation. May be nothing, may be something. I certainly cannot tell. Anyone fluent in Arabic out there? (tar backup, 7mb)

However, I've noticed a lot of activity in the immediately preceeding months from a website dealing in website security. Their activity stopped at the end of December, and the "hijack" began in early January. Coincidence? My gut says "No"...

Blue

 

Keep in mind that under some circumstances you may be found liable for not providing adequate level of security on your server (same goes to your hosting company). If you report this to anybody, make sure that you have all logs describing bad guys' activity and that you know exactly how they got in (dictionary-attacking existing account, using some vulnerability, etc), the extent of the penetration (e.g. whether it's only the FTP server that got hijacked or some other services got afected too) and what they did while there (e.g. whether they attacked any other sites). Simply put, gather as much info as you can and back it up for a long, long time.

J.D.

 

Liable for what?

 

Just like I said in the post - for not providing adequate security. It does seem unfair, but that's how things are. Imagine you don't lock your car and leave the keys in the ignition, then you don't notice it's been gone for a week. Now imgine this car was involved in an accident and caused some damage, guess who's going to go to court?

J.D.

 

You're not a lawyer, are you?

 

I guess that makes sense.

 

If you witness suspicious activity and make a decision not to report it, yes ... you can definitely be held liable!

 

All info given to computer crimes lab at local level law enforcement. Up here, it's pretty much all rolled into one complex- city police, county sheriff, local FBI office, etc. Best to be on their good side forgot to mention staties and tribal police- we've got 'em all.

 

lol terrorists getting poor these days.

loser couldn't even afford a web host.

but yeah, anonymous FTP is a horrible idea. Anyone could delete everything or replace your product images with pr0n.

 

Ah well, even if anonymous FTP was turned off... Don't worry. Some people who hacked in your server and wanted to use it as their porn/violence/snuff/warez/whatever platform... Just some small potatoes.

I bet there won't come anything big out of it

 

Not if the FTP server's set up properly. Anonymous logins must only be configured as read-only accounts. As far as non-anonymous logins go, most people use simple, one word, one case, letters-only passwords. Most of such passwords can be easily broken by a simple dictionary attack. The only protection against this, besides good passwords, is a proper lock-out policy in place. For example, to disable account for 30 minutes after 5 failed attempts.

J.D.

 

This is a good one - and I see it all the time as well: aaaaaa or 123456.

One doesn't even need to do a dictionary attack. With ftp; all you need is a packet sniffer.

 

If your network set up correctly, chances of somebody sniffing your packets aren't that great. That is, a direct T1 (office) or a DSL (home) connection going to your ISP and then through a few backbone routers are usually fairly safe in this sense. Things change when it gets into the IDC. Most one-machine installations share the same LAN with a bunch of other folks and this is where it gets quite simple to redirect traffic. There are ways to fight this, though, so overall, with all speed bumps in place, it isn't as simple as one might think.

But, then again, an SSL-capable FTP server is always a good alternative

J.D.