Compromised System: FTP

Overview

One or more domains have had malicious code appended to common index files on the system (index.php, index.html, etc.). This is a common method used to compromise CLIENTS connecting to the targeted system, which they treat as a trusted host.


Indicators

Client anti-virus scanners detect malicious ActiveX, Flash, JavaScript, etc. code when browsing the site.


Vector of Attack

The most common vector of attack is to compromise a user's FTP password, using the same means as above. It is very common in hosting environments. The attacker then logs in with the legitimate credentials, downloads the web files (index.html, index.php, etc.) and uploads them again with malicious code appended.


Forensic Procedures

Step 1) Check the last log for the owner(s) of the affected domain; in this example the user is "david":

[root@server1 ~]# last david
david    ftpd32001    1.2.3.4          Thu Nov 27 02:49 - 03:15  (00:25)
david    ftpd26860    1.2.3.4          Thu Nov 27 02:37 - 02:48  (00:11)
david    ftpd32383    92.48.201.31     Sun Nov 23 17:34 - 17:37  (00:03)
david    ftpd15631    1.2.3.4          Mon Nov 17 11:36 - 11:45  (00:08)
david    ftpd8814     1.2.3.4          Mon Nov 17 11:27 - 11:32  (00:04)
david    ftpd8277     1.2.3.4          Mon Nov 17 11:27 - 11:32  (00:05)
david    ftpd8018     1.2.3.4          Sun Nov 16 05:40 - 05:45  (00:04)
david    ftpd7710     1.2.3.4          Sun Nov 16 05:40 - 05:45  (00:05)
david    ftpd7634     1.2.3.4          Sun Nov 16 05:39 - 05:44  (00:04)
david    ftpd18673    92.48.201.31     Fri Nov  7 16:01 - 16:04  (00:02)

Consult with the user about which IPs they commonly connect from. In this example the IP 1.2.3.4 is known to be the user's legitimate IP. 92.48.201.31 is the anomaly and needs to be investigated further.

Step 2) Check /var/log/secure for access from the anomalous IP, 92.48.201.31. This is to identify how the account was accessed. A single login with no failures would indicate that the attacker knew the user's password in advance, which points to a compromised desktop. Multiple login failures would indicate that the attacker used a brute-force attack to determine valid login credentials.

[root@server1 log]# grep 92.48.201.31 /var/log/secure*
secure.4:Oct 31 11:04:35 server1 proftpd[23203]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
secure.3:Nov  7 16:01:43 server1 proftpd[18673]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
secure:Nov 23 17:34:10 server1 proftpd[32383]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.

This example shows that the attacker logged in on 3 separate occasions with no login failures, indicating that the login credentials were known in advance.

Step 3) Using whois, identify the location for the IP:

[sshinn@gamera incoming]$ whois 92.48.201.31
% Information related to '92.48.201.0 - 92.48.201.63'
inetnum:        92.48.201.0 - 92.48.201.63
netname:        NEWRACK-NL
descr:          NewRack.eu NL department
country:        NL
admin-c:        SVS148-RIPE
tech-c:         SVS148-RIPE
status:         ASSIGNED PA
mnt-by:         WEDARE-MNT
source:         RIPE # Filtered
person:         Sergey V. Smirnoff
address:        OOO "Ronetel"
address:        Lenina 129 o. 17
address:        Moscow
address:        Russia
phone:          +852 812 4838
fax-no:         +852 812 4838
abuse-mailbox:  abuse@newrack.eu
nic-hdl:        SVS148-RIPE
source:         RIPE # Filtered

Step 4) Check the xferlogs for the domain, which are located at /var/www/vhosts/DOMAIN/statistics/xferlog_regular and /var/www/vhosts/DOMAIN/statistics/xferlog_regular.processed.1.gz:

[root@server1 logs]#  grep 92.48.201.31 /var/www/vhosts/DOMAIN/statistics/xferlog_regular
Thu Nov 27 02:43:39 2008 299 92.48.201.31 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c
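The four steps above are the same three parsing jobs repeated for every anomalous IP: read `last` output, count proftpd successes and failures in /var/log/secure, and pull that IP's entries out of the xferlog. The script below is an added example (not part of the original runbook) that automates them; the sample log text is constructed from the page's own output plus a few extra lines marked as constructed (two failed logins from 203.0.113.9, a documentation-range address, and one incoming transfer on Nov 23) so that both branches of the Step 2 rule are exercised. The whois step is left to the analyst.

```python
"""Triage helper for the FTP-compromise procedure above (added example, not
the original runbook's code). Parses `last` output, proftpd lines from
/var/log/secure and xferlog(5) entries, then reports, per source IP that is
not on the user's known-good list, how it authenticated and what it uploaded.
Sample input is constructed; in practice pass open(path).read() for each."""
import re
from collections import Counter

# Constructed: subset of the page's `last david` output.
LAST_OUTPUT = """\
david    ftpd32001    1.2.3.4          Thu Nov 27 02:49 - 03:15  (00:25)
david    ftpd32383    92.48.201.31     Sun Nov 23 17:34 - 17:37  (00:03)
david    ftpd15631    1.2.3.4          Mon Nov 17 11:36 - 11:45  (00:08)
david    ftpd18673    92.48.201.31     Fri Nov  7 16:01 - 16:04  (00:02)
"""

# Constructed: the page's three proftpd successes plus two invented failures
# from 203.0.113.9 so the brute-force branch of the rule has data.
SECURE_LOG = """\
Oct 31 11:04:35 server1 proftpd[23203]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
Nov  7 16:01:43 server1 proftpd[18673]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
Nov  8 03:12:01 server1 proftpd[19001]: server1.example.com (203.0.113.9[203.0.113.9]) - USER david (Login failed): Incorrect password.
Nov  8 03:12:04 server1 proftpd[19002]: server1.example.com (203.0.113.9[203.0.113.9]) - USER david (Login failed): Incorrect password.
Nov 23 17:34:10 server1 proftpd[32383]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
"""

# Constructed: one invented incoming transfer on Nov 23, then the page's line.
XFERLOG = """\
Sun Nov 23 17:35:02 2008 3 92.48.201.31 14211 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ i r david ftp 0 * c
Thu Nov 27 02:43:39 2008 299 92.48.201.31 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c
"""

# Captures: (1) client hostname, (2) client IP, (3) username, (4) result text.
PROFTPD_RE = re.compile(r"proftpd\[\d+\]: \S+ \((\S+)\[(\S+)\]\) - USER ([^\s:]+)(.*)$")


def anomalous_ips(last_output, known_good):
    """Map each source host in `last` output that is not in known_good to the
    session start times seen for it (Step 1)."""
    sessions = {}
    for line in last_output.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue
        fields = line.split()
        if len(fields) < 7 or fields[2] in known_good:
            continue
        sessions.setdefault(fields[2], []).append(" ".join(fields[3:7]))
    return sessions


def login_summary(secure_log, ip):
    """Count proftpd successes and failures from one IP and collect the
    usernames it authenticated as (Step 2)."""
    counts, users = Counter(), set()
    for line in secure_log.splitlines():
        m = PROFTPD_RE.search(line)
        if not m or m.group(2) != ip:
            continue
        user, result = m.group(3), m.group(4)
        if "Login successful" in result:
            counts["successful"] += 1
            users.add(user)
        elif "Login failed" in result:
            counts["failed"] += 1
    return {"successful": counts["successful"], "failed": counts["failed"], "users": users}


def classify_access(summary):
    """The runbook's rule: successes with no failures mean the password was
    already known (suspect the client machine); failures mean guessing."""
    if summary["successful"] and not summary["failed"]:
        return "known-credentials"
    if summary["failed"]:
        return "guessing"
    return "no-logins"


def transfers_from(xferlog, ip):
    """Parse xferlog(5) entries for one IP (Step 4). Field 11 is the direction
    flag: 'i' = incoming to the server (upload), 'o' = outgoing (download);
    field 17 is 'c' when the transfer completed."""
    found = []
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) < 18 or f[6] != ip:
            continue
        found.append({"time": " ".join(f[0:5]), "path": f[8],
                      "direction": "upload" if f[11] == "i" else "download",
                      "user": f[13], "complete": f[17] == "c"})
    return found


def triage(last_output, secure_log, xferlog, known_good):
    """Run Steps 1, 2 and 4 together and return a report keyed by anomalous IP."""
    report = {}
    for ip, sessions in anomalous_ips(last_output, known_good).items():
        summary = login_summary(secure_log, ip)
        uploads = [t for t in transfers_from(xferlog, ip) if t["direction"] == "upload"]
        report[ip] = {"sessions": sessions, "access": classify_access(summary),
                      "users": sorted(summary["users"]),
                      "uploaded": [t["path"] for t in uploads]}
    return report


if __name__ == "__main__":
    for ip, entry in triage(LAST_OUTPUT, SECURE_LOG, XFERLOG, {"1.2.3.4"}).items():
        print(ip, entry)
```

Note that the rotated xferlog_regular.processed.1.gz is compressed, so read it with gzip.open (or zgrep on the command line) before handing its text to transfers_from. The direction flag matters when reading the page's own xferlog line: 'o' marks a transfer out of the server, so an upload that replaced index.php would appear with 'i'.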

Conclusion

Taken together, the above examples indicate that the IP 92.48.201.31, in .eu IP space, logged into the account on Nov 23, Nov 7 and Oct 31. On Nov 23 they uploaded the file index.php, which contained the malware. There were no login failures, indicating the credentials were known in advance, which could mean the user's desktop has been compromised.