Yes, I've purged or updated PHP scripts... but don't attacks using them cause internal transfers only, not via FTP? The host ISP has run their virus cleaner on my directories. There's barely anything left to suspect in a PHP file.
ISP is saying keylogger... clean my uploading XP computer... but multiple passes by several different anti-virus programs and two resident ones, and examining Task Manager for obscure processes (saw none), have all failed to stop the attacks. What more can I do to unmask a deeply hidden keylogger or even port sniffer on my own PC?
But just now a Google result I'm reading (source [intranetjournal.com]) says:
Without secure FTP, it is very easy to hack a web site and edit it with digital graffiti. All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information.
Q1... Is that saying the sniffer can exist god-knows-where out there? So, I could format my C: drive and reinstall everything (OMG)... and still not solve the problem because an unknown zombie botnet is sniffing the password in transit on the net?
Q2... My shared ISP does not offer secure FTP. It does run Apache. Can I get anything to use from within my root directory (i.e. I don't have server-level access to do clever things)? Recommendations? But then, how do I block my files from normal FTP by the bot?
Q3... Suppose I create a partition for Linux on my local PC, learn to use it, install FileZilla under Linux, and expect to upload files in directories created and maintained under WinXP. Rebooting would be a pain every time I need to upload. But wouldn't that avoid any deeply hidden keylogger on my uploading PC? Meanwhile, could another local computer plugged into the same home network router/cable modem be doing the port sniffing, so I'd also have to turn them off?
Q4... Changing targeted files to 444 permissions (nobody supposed to write) is futile... they are overwritten anyway, and then become 644. Yet my own FileZilla gets blocked by the 444. How does the bot change permissions, and what log entry would show it? What does the entry look like?
Q5... Is there any way to set FTP up so writes can only be done from one IP... mine... without upsetting normal functioning? Remember it's a shared server.
TIA.
[edited by: encyclo at 1:22 pm (utc) on June 30, 2009]
[edit reason] added link to quoted source [/edit]
Try Malwarebytes Anti-Malware and RootkitRevealer if you have not done so already -- both are free. RootkitRevealer is part of a large bunch of utilities written by Mark Russinovich and now owned by Microsoft. You can find it in the TechNet section of their site.
If your host does not seem to be panicked and anxious to help you with this serious security problem, then I'll add a third recommendation to look for a new/serious/competent host. If you do move, be sure to read the threads here on how to do it properly without losing any traffic. For example, don't cancel the old host until the new one has been on-line for several days.
Jim
What did the hacks do? If they inserted iframes, do a web search on the domains referenced in the iframes. If they're mentioned in discussions about "gumblar" or "martuz", the current top threats, those are PC infections that steal FTP passwords.
SFTP is most important with wireless connections. As others mentioned, it's not that easy to sniff your hardwired internet connection or any section of it that is hardwired, but it's very easy to sit in a car outside your house and eavesdrop on your wireless connection if it's not encrypted.
Q3: Unless your situation is very uncommon, you shouldn't have to go through these complex gyrations to create a safe setup. If you're worried about deeply embedded spyware, keep scanning with more scanners and rootkit checkers.
Q4 and Q5: same as Q3. These sound basically like complicated workarounds for a situation that would be best to solve at its root.
I've not worked with a home network, but it seems intuitively likely that all the computers must be kept clean or an infection on one could easily be a hazard to all the others.
[edited by: SteveWh at 5:28 am (utc) on June 30, 2009]
[edited by: SteveWh at 5:26 am (utc) on June 30, 2009]
My shared ISP does not offer secure ftp
Then really you should look for another host that does; there is little excuse for not offering secure FTP these days. It does sound as if your current host has an overly lax attitude towards security, which puts you at a disadvantage.
However, as FTP is a totally insecure protocol which should be deprecated in the same way as telnet was, the plain-text password could have been intercepted anywhere.
Two of the several domain names were a typo or variation of "analytics", and the URL ended with in.cgi?2
I haven't seen the gumblar or martuz domains in .cn, which I read have long been shut down.
I notified the domain registrar of the names I have seen. The most recent, a combination of words like "analytic" and "manager", has just now been cut off. Two prior names I saw were already cut off by the time I reported them. However, the miscreants have some free play time between when the domain registrar notifies the domain name owner of the problem and the end of the period the owner is allowed for a reply. Of course, there is no reply. The people involved are too busy setting up their next domain name. Cat and mouse.
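A defender-side check for the kind of injected iframe described in this thread, added here as an example and not code from the thread or from any poster: it scans a local copy of the site for off-site iframes that are hidden or point at an in.cgi?N style URL, and reports each flagged file's mode and modification time so the unexpected 644 and the write time are visible. The host names in the test and the file extensions scanned are assumptions.

```python
import os
import re
import stat
from datetime import datetime, timezone
from urllib.parse import urlparse

# Patterns from the thread: an <iframe> whose src is off-site and whose path
# ends in "in.cgi?<n>"; the hidden-styling check catches the usual zero-size
# or display:none variants that keep the frame invisible to visitors.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b'
                       r'|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
SUSPECT_PATH_RE = re.compile(r'in\.cgi\?\d+$')


def suspicious_iframes(html, own_hosts):
    """Return (src, reason) for each iframe in `html` that points off-site
    and is either hidden or uses an in.cgi?N path."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname or ""
        if host == "" or host in own_hosts:
            continue  # same-site frames are not what this check is for
        tag_end = html.find(">", m.end())
        tag = html[m.start():tag_end + 1] if tag_end != -1 else html[m.start():]
        reasons = []
        if SUSPECT_PATH_RE.search(src):
            reasons.append("in.cgi?N path")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden frame")
        if reasons:
            hits.append((src, ", ".join(reasons)))
    return hits


def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm", ".js")):
    """Walk `root` (a downloaded copy of the site; extensions are an assumed
    default) and return one dict per flagged file with its mode and mtime."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                hits = suspicious_iframes(f.read(), own_hosts)
            if hits:
                st = os.stat(path)
                findings.append({"path": path,
                                 "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                                 "iframes": hits})
    return findings
```

Run `scan_tree("/path/to/site-copy", {"www.example.com"})` against a fresh download and compare the mtimes with the FTP transfer times your host can give you.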