homepage Welcome to WebmasterWorld Guest from 54.161.155.142
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Hardware and OS Related Technologies / Linux, Unix, and *nix like Operating Systems
Forum Library, Charter, Moderators: bakedjake

Linux, Unix, and *nix like Operating Systems Forum

    
Server Passwords Hacked?
Need to brain storm for sanity
Edge




msg:4009489
 3:16 pm on Oct 19, 2009 (gmt 0)

Ok, here's the story - I run on FreeBSD and have been for ten years. About three weeks ago I found some garbled code above the header of some php files. It appeared to be a sql or php injection. I could never pin down exactly how they did it so I disabled anything that could be used as a file transfer protocol, locked down everything and changed all passwords - ftp included.

I created a new virtual host on my server and started a new website nine days ago. Since then I have changed the ftp password three times because I needed to give ftp access to a software vendor. After the software folks did their thing I changed the pw.

Yesterday, I got hacked on my NEW website (five day old password) and whoever put an iframe at the top of several files to a website that executes a Trojan of some sort.

So, I searched the website log files high and low and could not find a www event that coincided with the affected file change time nothing. Remember, this is a new site so there is not much traffic.

Finally, I looked in the /var/log/ftp log files and there it was they had first logged in on the old site logged out and then logged in to the new virtual website, changed directories and uploaded files.

A hacker has my ftp logins and passwords! Now, these passwords are totally wild as I use a combination of letters, numbers, lower and upper case. The chances that somebody cracked both passwords are less than me winning the lotto five times in a row Im the only person in the world that knows these passwords period (so I thought).

Yes, I have changed everything, done virus scans and even called the host.

So, Im looking for theories heres mine:

Keystroke logger of some flavor on my pcs

Hosting company hacked my password files? These are encrypted..

The hacker has since tried to login three times - Im totally paranoid.

Thanks,

 

encyclo




msg:4009566
 4:48 pm on Oct 19, 2009 (gmt 0)

There is a worm/virus going about which installs on the person's Windows PC and extracts FTP passwords, in particluar from the FileZilla FTP program (which by default stores those passwords in a plain-text configuration file). This should probably be your first port of call, before checking other possibilities.

You should really consider removing FTP access and switching to the secure SSH protocol - FTP passwords are sent over the wire in plain text, so the protocol is inherently insecure and is only really used for legacy purposes.

Edge




msg:4010047
 1:22 pm on Oct 20, 2009 (gmt 0)

Thanks for the reply encyclo.

Yes, I did have Filezilla on my pc and used the software frequently to down and upload files. Your right in that Filezilla stores passwords, logins, ftp host in easy to steal text.

Your theory is the most probable scenario for me as this is the only common link for both accounts. Also, my other accounts accessed on these pc's (paypal, bank, bank#2, etc) have not been compromised.

Do you know the name of the virus by any chance?

encyclo




msg:4010400
 10:46 pm on Oct 20, 2009 (gmt 0)

You should start by checking for "Gumblar", there are a few variants around causing havoc:

[en.wikipedia.org...]
[news.cnet.com...]

Not only does it specifically seek out FTP credentials from FileZilla and Dreamweaver, it also sniffs traffic via the network card.

The worm usually uses vulnerabilities in Adobe Reader to gain access to your machine (simply viewing a specialy-crafted PDF file with a vulnerable version is sufficient), so make sure that program (if you have it installed) is up to date - at the time of writing, the current version of Acrobat Reader is 9.2.0.

graeme_p




msg:4011452
 11:05 am on Oct 22, 2009 (gmt 0)

so make sure that program (if you have it installed) is up to date - at the time of writing, the current version of Acrobat Reader is 9.2.0.

Even better, use a different PDF reader. Of course, if you used Linux on the desktop you would get a different PDF reader installed by default, and probably a file manager that can do sftp (and lots of sftp tools installable in a couple of clicks).

I use rsync over ssh for copying files, and a text editor that can open files over ssh for stuff that I need to edit directly on the server. You can definitely do the former on Windows, I would be surprised if you cannot do the latter.

Edge




msg:4013272
 3:15 am on Oct 26, 2009 (gmt 0)

Well, I had Adobe 6.0 professional on both computers I use. I had not updated either copy in at least a couple of years - shame on me.

I never accessed my websites via Dreamweaver. Filezilla is sure convenient and an easy to use ftp client. I currently have FTP disabled on all accounts.

maximillianos




msg:4018196
 2:33 pm on Nov 3, 2009 (gmt 0)

Are you using secure FTP (SFTP)? If not, your password could be read by anyone eavesdropping the internet.

If you don't have it already, download a SSH client, disable your FTP ports and only use SSH/SFTP from now on.

creative craig




msg:4018209
 2:52 pm on Nov 3, 2009 (gmt 0)

Is the SFTP facility in Filezilla good enough to use?

caribguy




msg:4018216
 3:03 pm on Nov 3, 2009 (gmt 0)

Javascript execution is enabled by default in Adobe 6.0 pro.

Edit > Preferences > Javascript > uncheck "Enable Acrobat JavaScript" would be a good start if you intend to keep using your existing version of Acrobat.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Linux, Unix, and *nix like Operating Systems
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved