Server Passwords Hacked?
Need to brainstorm for sanity
| 3:16 pm on Oct 19, 2009 (gmt 0)|
Ok, here's the story - I run on FreeBSD and have been for ten years. About three weeks ago I found some garbled code above the header of some PHP files. It appeared to be a SQL or PHP injection. I could never pin down exactly how they did it, so I disabled anything that could be used as a file transfer protocol, locked down everything and changed all passwords - FTP included.
I created a new virtual host on my server and started a new website nine days ago. Since then I have changed the ftp password three times because I needed to give ftp access to a software vendor. After the software folks did their thing I changed the pw.
Yesterday, I got hacked on my NEW website (five day old password) and whoever did it put an iframe at the top of several files pointing to a website that executes a Trojan of some sort.
So, I searched the website log files high and low and could not find a www event that coincided with the affected file change time – nothing. Remember, this is a new site so there is not much traffic.
Finally, I looked in the /var/log/ftp log files and there it was – they had first logged in on the old site – logged out and then logged in to the new virtual website, changed directories and uploaded files.
A hacker has my ftp logins and passwords! Now, these passwords are totally wild as I use a combination of letters, numbers, lower and upper case. The chances that somebody cracked both passwords are less than me winning the lotto five times in a row… I’m the only person in the world that knows these passwords – period (so I thought).
Yes, I have changed everything, done virus scans and even called the host.
So, I’m looking for theories – here’s mine:
Keystroke logger of some flavor on my pc’s
Hosting company hacked my password files? These are encrypted.
The hacker has since tried to login three times - I’m totally paranoid.
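The FTP-log correlation described above (one source logging into the old account, logging out, logging into the new virtual host and uploading web files), as an added example that is not part of this thread. The syslog-style ftpd message format and the sample lines are constructed assumptions; adapt the two regexes to the exact format your server writes.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed syslog-style ftpd format: one source IP
# logs into the old site, then the new virtual host, and uploads web files
# (the pattern the post describes); the vendor session is a control.
SAMPLE_LOG = """\
Oct 18 03:41:03 web ftpd[8123]: FTP LOGIN FROM 198.51.100.23 as oldsite
Oct 18 03:41:09 web ftpd[8123]: put /usr/local/www/oldsite/index.php = 4120 bytes
Oct 18 03:41:31 web ftpd[8124]: FTP LOGIN FROM 198.51.100.23 as newsite
Oct 18 03:41:40 web ftpd[8124]: put /usr/local/www/newsite/header.php = 3890 bytes
Oct 18 03:41:41 web ftpd[8124]: put /usr/local/www/newsite/about.html = 2210 bytes
Oct 18 09:12:01 web ftpd[8301]: FTP LOGIN FROM 203.0.113.7 as vendor
Oct 18 09:13:00 web ftpd[8301]: put /usr/local/www/newsite/data/export.csv = 91000 bytes
"""

# Assumed message shapes; adapt these two regexes to your ftpd's real output.
LOGIN_RE = re.compile(r"ftpd\[(\d+)\]: FTP LOGIN FROM (\S+) as (\S+)")
PUT_RE = re.compile(r"ftpd\[(\d+)\]: put (\S+) = (\d+) bytes")
WEB_EXT = (".php", ".html", ".htm", ".js")


def parse_sessions(log_text):
    """Group lines by ftpd pid: {pid: {"ip", "user", "uploads": [paths]}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pid, ip, user = m.groups()
            sessions[pid] = {"ip": ip, "user": user, "uploads": []}
            continue
        m = PUT_RE.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)]["uploads"].append(m.group(2))
    return sessions


def multi_account_sources(sessions):
    """Source IPs that authenticated as more than one FTP account."""
    users_by_ip = defaultdict(set)
    for s in sessions.values():
        users_by_ip[s["ip"]].add(s["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


def web_file_uploads(sessions):
    """(user, ip, path) for each upload the web server would serve to visitors."""
    return [(s["user"], s["ip"], p) for s in sessions.values()
            for p in s["uploads"] if p.lower().endswith(WEB_EXT)]
```

Run `multi_account_sources(parse_sessions(open("/var/log/xferlog").read()))` against the real log to list every source that used more than one account, then `web_file_uploads` to see which served files each of those sessions replaced.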
| 4:48 pm on Oct 19, 2009 (gmt 0)|
There is a worm/virus going about which installs on the person's Windows PC and extracts FTP passwords, in particular from the FileZilla FTP program (which by default stores those passwords in a plain-text configuration file). This should probably be your first port of call, before checking other possibilities.
You should really consider removing FTP access and switching to the secure SSH protocol - FTP passwords are sent over the wire in plain text, so the protocol is inherently insecure and is only really used for legacy purposes.
| 1:22 pm on Oct 20, 2009 (gmt 0)|
Thanks for the reply encyclo.
Yes, I did have FileZilla on my PC and used the software frequently to download and upload files. You're right in that FileZilla stores passwords, logins and FTP hosts in easy-to-steal text.
Your theory is the most probable scenario for me, as this is the only common link for both accounts. Also, my other accounts accessed on these PCs (PayPal, bank, bank#2, etc.) have not been compromised.
Do you know the name of the virus by any chance?
| 10:46 pm on Oct 20, 2009 (gmt 0)|
You should start by checking for "Gumblar"; there are a few variants around causing havoc:
Not only does it specifically seek out FTP credentials from FileZilla and Dreamweaver, it also sniffs traffic via the network card.
The worm usually uses vulnerabilities in Adobe Reader to gain access to your machine (simply viewing a specially-crafted PDF file with a vulnerable version is sufficient), so make sure that program (if you have it installed) is up to date - at the time of writing, the current version of Acrobat Reader is 9.2.0.
| 11:05 am on Oct 22, 2009 (gmt 0)|
|so make sure that program (if you have it installed) is up to date - at the time of writing, the current version of Acrobat Reader is 9.2.0. |
Even better, use a different PDF reader. Of course, if you used Linux on the desktop you would get a different PDF reader installed by default, and probably a file manager that can do sftp (and lots of sftp tools installable in a couple of clicks).
I use rsync over ssh for copying files, and a text editor that can open files over ssh for stuff that I need to edit directly on the server. You can definitely do the former on Windows, I would be surprised if you cannot do the latter.
| 3:15 am on Oct 26, 2009 (gmt 0)|
Well, I had Adobe 6.0 Professional on both computers I use. I had not updated either copy in at least a couple of years - shame on me.
I never accessed my websites via Dreamweaver. FileZilla is sure convenient and an easy-to-use FTP client. I currently have FTP disabled on all accounts.
| 2:33 pm on Nov 3, 2009 (gmt 0)|
Are you using secure FTP (SFTP)? If not, your password could be read by anyone eavesdropping on the internet.
If you don't have it already, download an SSH client, disable your FTP ports and only use SSH/SFTP from now on.
| 2:52 pm on Nov 3, 2009 (gmt 0)|
Is the SFTP facility in FileZilla good enough to use?
| 3:03 pm on Nov 3, 2009 (gmt 0)|