Compromised System: FTP


A domain (or several domains) on the system has had malicious code appended to the common index files (index.php, index.html, etc.). This is a common technique for compromising the CLIENTS that connect to the targeted system: the site is a trusted host, so visiting browsers run whatever it serves.


Client anti-virus scanners detect malicious ActiveX, Flash, JavaScript or similar code when browsing the site.

Vector of Attack

The most common vector of attack is to compromise a user's FTP password, typically by stealing it from a compromised desktop or by guessing it (Step 2 below shows how to tell the two apart). FTP also sends the password in cleartext, so it can be captured anywhere on the path between the client and the server. This is very common in hosting environments. The attacker then logs in with legitimate credentials, downloads the web files (index.html, index.php, etc.) and uploads them again with malicious code appended.

Forensic Procedures

Step 1) Check the last(1) log for the owner(s) of the affected domain; in this example the user is “david”:

[root@server1 ~]# last david
david    ftpd32001          Thu Nov 27 02:49 - 03:15  (00:25)
david    ftpd26860          Thu Nov 27 02:37 - 02:48  (00:11)
david    ftpd32383     Sun Nov 23 17:34 - 17:37  (00:03)
david    ftpd15631          Mon Nov 17 11:36 - 11:45  (00:08)
david    ftpd8814          Mon Nov 17 11:27 - 11:32  (00:04)
david    ftpd8277          Mon Nov 17 11:27 - 11:32  (00:05)
david    ftpd8018          Sun Nov 16 05:40 - 05:45  (00:04)
david    ftpd7710          Sun Nov 16 05:40 - 05:45  (00:05)
david    ftpd7634          Sun Nov 16 05:39 - 05:44  (00:04)
david    ftpd18673     Fri Nov  7 16:01 - 16:04  (00:02)

Ask the user which IPs they normally connect from. In this example one IP is known to be the user's legitimate address; the other is the anomaly and needs further investigation.

Step 2) Check /var/log/secure for access from the anomalous IP. This identifies how the account was accessed. A single successful login with no failures indicates that the attacker knew the user's password in advance, which points to a compromised desktop (or a password captured in transit). A run of login failures before the success indicates that the attacker guessed the credentials by brute force.

[root@server1 log]# grep /var/log/secure*
secure.4:Oct 31 11:04:35 server1 proftpd[23203]: ([]) - USER hrmmv: Login successful.
secure.3:Nov  7 16:01:43 server1 proftpd[18673]: ([]) - USER hrmmv: Login successful.
secure:Nov 23 17:34:10 server1 proftpd[32383]: ([]) - USER hrmmv: Login successful.

This example shows the attacker logging in on 3 separate occasions with no login failures, indicating that the credentials were known in advance. The proftpd PIDs 18673 and 32383 match the ftpd18673 and ftpd32383 sessions in the last output above, confirming that the two records describe the same sessions.

Step 3) Using whois, identify who the IP is registered to. Bear in mind that the registration data locates the network operator, not the attacker: the source host is commonly a compromised machine or a proxy, and the record below is a NL netblock whose contact address is in Moscow.

[sshinn@gamera incoming]$ whois
% Information related to ' -'
inetnum: -
netname:        NEWRACK-NL
descr: NL department
country:        NL
admin-c:        SVS148-RIPE
tech-c:           SVS148-RIPE
status:           ASSIGNED PA
mnt-by:           WEDARE-MNT
source:         RIPE # Filtered
person:         Sergey V. Smirnoff
address:        OOO "Ronetel"
address:        Lenina 129 o. 17
address:        Moscow
address:        Russia
phone:          +852 812 4838
fax-no:         +852 812 4838
nic-hdl:        SVS148-RIPE
source:         RIPE # Filtered

Step 4) Check the FTP transfer logs (xferlog) for the domain, located in /var/www/vhosts/DOMAIN/statistics/xferlog_regular and /var/www/vhosts/DOMAIN/statistics/xferlog_regular.processed.1.gz. In each entry the letter after the _ flag is the direction: o is outgoing (a download from the server) and i is incoming (an upload to the server). The attack described above produces one of each for the modified file, so look for both, and check the username field against the account owner.

[root@server1 logs]#  grep /var/www/vhosts/DOMAIN/statistics/xferlog_regular
Thu Nov 27 02:43:39 2008 299 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c


Using the above examples: the anomalous IP, in RIPE (European) address space, logged into the account on Nov 23, Nov 7 and Oct 31, and the xferlog entry ties a transfer of index.php, the file that contained the malware, to the same account. There were no login failures, so the credentials were known in advance, which points to a compromised user desktop. Treat the desktop as compromised and clean it before the FTP password is reset, otherwise the new password will leak the same way.
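The checks from Step 2 and Step 4, as an added shell example that is not part of the original procedure. It runs over constructed proftpd and xferlog lines embedded in the script: the addresses 203.0.113.7, 198.51.100.9 and 192.0.2.10, the hostnames, the vhost example.com and the timestamps are made up, and the line shapes (proftpd's "Login successful" / "Login failed" messages, the standard xferlog field order) are assumptions to verify against your own logs. It counts successes and failures per source address to separate the known-password case from a guessing attack, and lists transfers from a given address by direction so uploads (i) can be told apart from downloads (o).

```shell
#!/bin/sh
# Added example: triage helpers for the FTP-compromise procedure above.
# All log lines below are CONSTRUCTED for this example; the IPs are
# documentation ranges and the hostnames/vhost are made up.

# Shape of proftpd entries in /var/log/secure (assumed format, check yours):
#   Mon DD HH:MM:SS host proftpd[PID]: (rhost[IP]) - USER name: Login successful.
#   Mon DD HH:MM:SS host proftpd[PID]: (rhost[IP]) - USER name (Login failed): Incorrect password.
SECURE_SAMPLE='Oct 31 11:04:35 server1 proftpd[23203]: (host1.example[203.0.113.7]) - USER hrmmv: Login successful.
Nov  7 16:01:43 server1 proftpd[18673]: (host1.example[203.0.113.7]) - USER hrmmv: Login successful.
Nov 20 03:12:01 server1 proftpd[20114]: (scan.example[198.51.100.9]) - USER hrmmv (Login failed): Incorrect password.
Nov 20 03:12:02 server1 proftpd[20115]: (scan.example[198.51.100.9]) - USER hrmmv (Login failed): Incorrect password.
Nov 20 03:12:05 server1 proftpd[20118]: (scan.example[198.51.100.9]) - USER hrmmv: Login successful.
Nov 23 17:34:10 server1 proftpd[32383]: (host1.example[203.0.113.7]) - USER hrmmv: Login successful.'

# xferlog fields (standard wu-ftpd/proftpd layout):
#   1-5 date  6 xfer-secs  7 remote-host  8 bytes  9 file  10 type  11 flag
#   12 direction (o = outgoing/download, i = incoming/upload)  13 mode  14 user ...
XFER_SAMPLE='Thu Nov 27 02:40:12 2008 12 203.0.113.7 4658 /var/www/vhosts/example.com/httpdocs/index.php a _ o r david ftp 0 * c
Thu Nov 27 02:43:39 2008 14 203.0.113.7 5120 /var/www/vhosts/example.com/httpdocs/index.php a _ i r david ftp 0 * c
Thu Nov 27 02:45:01 2008 3 192.0.2.10 2048 /var/www/vhosts/example.com/httpdocs/about.html a _ o r david ftp 0 * c'

# login_summary: stdin = proftpd lines; stdout = "IP successes failures", one line per IP.
login_summary() {
    awk '
        # the remote address is the dotted quad in square brackets; the
        # proftpd[PID] bracket has no dots, so it is not matched
        match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)
            seen[ip] = 1
            if ($0 ~ /Login successful/) ok[ip]++
            else if ($0 ~ /Login failed/) fail[ip]++
        }
        END { for (ip in seen) print ip, ok[ip] + 0, fail[ip] + 0 }
    ' | sort
}

# classify SUCCESSES FAILURES: the reasoning from Step 2 as a verdict string.
classify() {
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then
        echo "known-in-advance"   # no failures: password was already known (stolen or captured)
    elif [ "$1" -gt 0 ]; then
        echo "brute-force"        # failures followed by success: guessing
    elif [ "$2" -gt 0 ]; then
        echo "failed-only"        # attempts only, account not breached from this address
    else
        echo "none"
    fi
}

# transfers_from HOST DIR: stdin = xferlog lines; prints date, file and account
# for transfers from HOST in direction DIR (i = upload to server, o = download).
transfers_from() {
    awk -v host="$1" -v dir="$2" '$7 == host && $12 == dir { print $2, $3, $4, $9, $14 }'
}

# Step 2: who logged in, and did they need to guess?
printf '%s\n' "$SECURE_SAMPLE" | login_summary | while read -r ip ok fail; do
    printf '%s: %s successes, %s failures -> %s\n' "$ip" "$ok" "$fail" "$(classify "$ok" "$fail")"
done

# Step 4: what did the anomalous address upload? (direction i, not o)
printf '%s\n' "$XFER_SAMPLE" | transfers_from 203.0.113.7 i
```

On a real host replace the embedded samples with `zcat -f /var/log/secure* | grep proftpd | login_summary` and `zcat -f /var/www/vhosts/DOMAIN/statistics/xferlog_regular* | transfers_from IP i`; the direction argument is the point of the second helper, since a download (o) of index.php by the same account is the attacker fetching the original, and the upload (i) is the one that put the malware in place.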