Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

Hacker getting past FTP password - how?



7:43 pm on Jun 29, 2009 (gmt 0)

5+ Year Member

My web site has been hacked, several times, *by ftp*, and changing the password doesn't stop the next attack.

Yes, I've purged or updated php scripts... but,? Don't attacks using them cause internal transfers only, not via ftp? The host ISP has run their virus cleaner on my directories. There's barely anything left to suspect in a php file.

ISP is saying keylogger... clean my uploading XP computer... but multiple passes by several different anti-virus and two resident ones and examining Task Manager for obscure processes (saw none) have all failed to stop the attacks. What more can I do to unmask a deeply hidden keylogger or even port sniffer on my own PC?

But just now a google result I'm reading (source [intranetjournal.com]) says:

Without secure FTP, it is very easy to hack a web site and edit it with digital graffiti. All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information.

Q1... Is that saying the sniffer can exist god-knows-where out-there? So, I could format my C:drive and reinstall everything (OMG)... and still not solve the problem because an unknown zombie botnet is sniffing the password in transit on the net?

Q2... My shared ISP does not offer secure ftp. It does run Apache. Can I get anything to use from within my root directory (i.e. I don't have server-level access to do clever things). Recommendations? But then, how to block my files from normal ftp by the bot?

Q3... Suppose I create a partition for Linux on my local PC, learn to use it, install Filezilla under Linux, and expect to upload files in directories created and maintained under WinXP. Rebooting would be a pain every time I need to upload. But wouldn't that avoid any deeply hidden keylogger on my uploading PC? Meanwhile, can another local computer plugged into the same home network router/cable modem be doing the port sniffing so I'd also have to turn them off?

Q4... Changing targetted files to set 444 permissions (nobody supposed to write) is futile... they are overwritten anyway. and then become 644. Yet my own Filezilla gets blocked by the 444. How does the bot change permissions, and what log entry would show it? What does the entry look like?

Q5... Any way to set ftp up so writes can only be done only from one IP... mine ... without upsetting normal functioning? Remember its a shared server.


[edited by: encyclo at 1:22 pm (utc) on June 30, 2009]
[edit reason] added link to quoted source [/edit]


8:00 pm on Jun 29, 2009 (gmt 0)

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

first thing i'd do is just change hosts and see what happens.


8:02 pm on Jun 29, 2009 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

I second changing your host.

Also, you don't have any enemies do you? If your site is on a shared server it probably isn't that huge and probably not worth a random hacker's time.


10:42 pm on Jun 29, 2009 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

"Sniffers" have to be inserted into the physical network between your computer and your server. Since the path through the 'middle' of that network (what we call the internet) is constantly changing due to dynamic packet routing, the only reliable places to put a sniffer are at or near the end-points. This means that sniffers are almost always an 'inside job' -- like a keylogger in/on your machine, or a sniffer installed in your host's data center.

Try MalwareBytes Anti-Malware and RootkitRevealer if you have not done so already -- Both are free. RootkitRevealer is part of a large bunch of utilities written by Mark Russinovich and now owned by Microsoft. You can find it in the Technet section of their site.

If your host does not seem to be panicked and anxious to help you with this serious security problem, then I'll add a third recommendation to look for a new/serious/competent host. If you do move, be sure to read the threads here on how to do it properly without losing any traffic. For example, don't cancel the old host until the new one has been on-line for several days.



11:02 pm on Jun 29, 2009 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Remember its a shared server.

Change hosts ..you have better things to do than teach them how to "harden" accounts.


5:11 am on Jun 30, 2009 (gmt 0)

5+ Year Member

PHP does have FTP functions, so a malicious PHP script injected into another script with RFI can use FTP to transfer files into and out of your site.

What did the hacks do? If they inserted iframes, do a web search on the domains referenced in the iframes. If they're mentioned in discussions about "gumblar" or "martuz", the current top threats, those are PC infections that steal FTP passwords.

SFTP is most important with wireless connections. As others mentioned, it's not that easy to sniff your hardwired internet connection or any section of it that is hardwired, but it's very easy to sit in a car outside your house and eavesdrop on your wireless connection if it's not encrypted.

Q3: Unless your situation is very uncommon, you shouldn't have to go through these complex gyrations to create a safe setup. If you're worried about deeply embedded spyware, keep scanning with more scanners and rootkit checkers.

Q4 and Q5: same as Q3. These sound basically like complicated workarounds for a situation that would be best to solve at its root.

I've not worked with a home network, but it seems intuitively likely that all the computers must be kept clean or an infection on one could easily be a hazard to all the others.

[edited by: SteveWh at 5:28 am (utc) on June 30, 2009]


5:17 am on Jun 30, 2009 (gmt 0)

5+ Year Member

Small websites on shared servers are prime targets for automated attacks. They're often vulnerable, and and big network of thousands of compromised small sites is more robust than one big compromised site. It's usually nothing personal. They don't want your website and have nothing against you; they want your server's computing power.

[edited by: SteveWh at 5:26 am (utc) on June 30, 2009]


1:16 pm on Jun 30, 2009 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

I agree with SteveWh above, this does look like you've got one of the "gumblar" worm variants which are targeting FTP passwords stored on your local machine. See if you can find some anti-virus removal tools specifically for those threats.

My shared ISP does not offer secure ftp

The really you should look for another host that does - there is little excuse for not offering secure FTP these days, it does sound as if your current host has an overly-lax attitude towards security which puts you at a disadvantage.


3:33 pm on Jun 30, 2009 (gmt 0)

10+ Year Member

What about his home network? Could that be compromised?


3:54 pm on Jun 30, 2009 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Sure, the home network could be compromised, but the current pattern of attacks almost all point to the password-stealing worms, so that remains he most likely explanation.

However, as FTP is a totally insecure protocol which should be deprecated in the same as was telnet, the plain-text password could have been intercepted anywhere.


7:19 pm on Jun 30, 2009 (gmt 0)

5+ Year Member

Yes, iframes.

Two of the several domain names were typo or variation of "analytics" and the URL ended with


I haven't seen the gumblar or martuz in domains in cn, which I read have been long shut-down.

I notified the domain registrar of the names I have seen. The most recent, a combination of words like "analytic" and "manager" has just now been cut off. Two prior names I saw were already cut off by the time I reported them. However, the miscreants have some free play time between when the domain registrar notifies the domain name owner of the problem and are allowed a time period for a reply. Of course, there is no reply. The people involved are too busy setting up their next domain name. Cat and mouse.


1:32 am on Jul 1, 2009 (gmt 0)

5+ Year Member

most hosts will have an account that is used by the staff to install/do maintaince etc. these accounts are sometimes really easy to gain access to. change your host ASAP

Featured Threads

Hot Threads This Week

Hot Threads This Month