5
votes

I have had an attack on my web server where .html files were copied by FTP into a public html directory.

The FTP password was very strong.

I'm trying to determine whether PHP initiated the FTP transfer. Is there an Apache or Nix log file that can give me this information?

Additional information: I have FTP log entries which seem to show that different IPs were used to log in and copy the files. I'm not sure, but does the ? before the IP indicate anything except that it is not the account user (which in this case is kingdom)? It looks like several different IPs logged in - each one copying a different file - all in the space of less than 30 seconds. The offending files are "mickey66.html", "mickey66.jpg", and "canopy37.html".

2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)

2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)

2010-06-17T21:24:10.848782+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:18.528074+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:23.470817+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.38KB/sec)

2010-06-17T21:24:23.655023+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)

2010-06-17T21:24:28.760513+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

3 Answers

2
votes

You might have malware on your workstation that runs your FTP client. The malware must steal passwords from your FTP client and send them to some third party.

This happened to us. All our landing pages were injected with malicious code / iframe-URL code that will download this malware on all machines that open the page in a browser.

1
votes

I have had an attack on my web server where .html files were copied by FTP into a public html directory.

How do you know they were copied via FTP?

The FTP password was very strong.

Not really very relevant. FTP sends passwords unencrypted - so even assuming that the files were delivered via FTP, if the password was sniffed it's irrelevant how much entropy it has.

I'm trying to determine whether PHP initiated the FTP transfer

You can't tell what the client was. Even if, like HTTP, the protocol provided for collecting information about the user-agent, there is no way of determining the accuracy of this information (it's sent by the client, therefore can be manipulated by the client).

Your FTP server log should have recorded details of which IP address / user account uploaded which files and when. But don't be surprised if there's nothing relevant in there.

C.

1
votes

As far as I know, the FTP protocol does not have a User-Agent header or anything similar. Even if it did, why would malware writers add code to actively identify their software as malware? And why would you want to prevent legitimate use of scripting tools like PHP?

These kinds of attacks normally come from two sources:

  • Vulnerable scripts hosted in a public web server
  • Hosting clients that got their PCs compromised

If —as you seem to suggest— you actually have FTP logs to prove that those files were uploaded via FTP using your credentials, you probably have the IP address the files came from. Check whether it's your address and, in any case, grab a good virus scanner.
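The question's log shows one account logging in from several addresses, each session dropping one file into public_html within about 30 seconds, and the answers above suggest checking which addresses the uploads came from. The script below is an added example, not code from the question or any answer: it parses pure-ftpd lines in that format, lists the files uploaded per client address so you can compare them with your own, and finds the busiest window of distinct addresses. The addresses in the question's log are obfuscated by extraction, so the sample lines are constructed with documentation-range placeholder IPs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# pure-ftpd syslog line: "<ISO timestamp> <host> pure-ftpd: (<user>@<ip>) [<LEVEL>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ pure-ftpd: \((?P<user>[^@]*)@(?P<ip>[^)]+)\) "
                     r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \((?P<size>\d+) bytes")

# Constructed sample in the same format as the question's log. The addresses are
# placeholders: 192.0.2.x stands for unknown clients, 198.51.100.5 for the site owner.
SAMPLE_LOG = """\
2010-06-16T10:00:00.000000+01:00 webserver pure-ftpd: (?@198.51.100.5) [INFO] kingdom is now logged in
2010-06-16T10:00:05.000000+01:00 webserver pure-ftpd: (kingdom@198.51.100.5) [NOTICE] /home/kingdom//public_html/index.html uploaded (2048 bytes, 10.00KB/sec)
2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: (?@192.0.2.10) [INFO] kingdom is now logged in
2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: (kingdom@192.0.2.10) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: (kingdom@192.0.2.10) [INFO] Logout.
2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: (kingdom@192.0.2.20) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)
2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: (kingdom@192.0.2.30) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)
""".splitlines()

def public_html_uploads(lines):
    """Return (timestamp, ip, filename, size) for every upload into public_html, oldest first."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        u = UPLOAD_RE.match(m["msg"]) if m else None
        if u and "/public_html/" in u["path"]:
            out.append((datetime.fromisoformat(m["ts"]), m["ip"], u["path"].rsplit("/", 1)[-1], int(u["size"])))
    return sorted(out)

def by_source_ip(ups):
    """Files pushed per client address, to compare against the addresses you actually use."""
    files = defaultdict(list)
    for _, ip, name, _ in ups:
        files[ip].append(name)
    return dict(files)

def max_burst(ups, window_s=30):
    """Busiest window as (start, uploads, distinct IPs). Several addresses using one
    account within seconds is the pattern in the question, not a person at one workstation."""
    best = (None, 0, [])
    for i, (t0, _, _, _) in enumerate(ups):
        in_win = [u for u in ups[i:] if u[0] - t0 <= timedelta(seconds=window_s)]
        ips = sorted({u[1] for u in in_win})
        if len(ips) > len(best[2]):
            best = (t0, len(in_win), ips)
    return best
```

Run it over your real pure-ftpd log instead of SAMPLE_LOG; any address in the per-IP listing that is not yours, and any burst of more than one address on the same account, is what to take to your hosting provider and to the virus scan of the workstation that holds the credentials.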