Compromised System: FTP¶
A domain/domains have had malicious code appended to common index files on the system (index.php, index.html, etc). This is a common exploit method used to compromise CLIENTS connecting to the targetted system because of its status as a trusted host.
Vector of Attack¶
The most common vector of attack used is to compromise a users FTP password, using the same means as above. It is very common in hosting environments. The attacker then logs in with legitimate credentials, downloads web files (index.html, index.php, etc) and then uploads them with malicious code appended.
Step 1) Check last logs for the owner(s) of the effected domain, in this example the user is “david”:
[root@server1 ~]# last david david ftpd32001 188.8.131.52 Thu Nov 27 02:49 - 03:15 (00:25) david ftpd26860 184.108.40.206 Thu Nov 27 02:37 - 02:48 (00:11) david ftpd32383 220.127.116.11 Sun Nov 23 17:34 - 17:37 (00:03) david ftpd15631 18.104.22.168 Mon Nov 17 11:36 - 11:45 (00:08) david ftpd8814 22.214.171.124 Mon Nov 17 11:27 - 11:32 (00:04) david ftpd8277 126.96.36.199 Mon Nov 17 11:27 - 11:32 (00:05) david ftpd8018 188.8.131.52 Sun Nov 16 05:40 - 05:45 (00:04) david ftpd7710 184.108.40.206 Sun Nov 16 05:40 - 05:45 (00:05) david ftpd7634 220.127.116.11 Sun Nov 16 05:39 - 05:44 (00:04) david ftpd18673 18.104.22.168 Fri Nov 7 16:01 - 16:04 (00:02)
Consult with the user what IP’s they commonly connect with. In this example the IP 22.214.171.124 is known to be the users legitimate IP. 126.96.36.199 is the anomaly, and needs to be further investigated.
Step 2) Check /var/log/secure for access from the anomaly IP, 188.8.131.52. This is to identify how the account was accessed. A single login, with no failures would indicate that the attacker knew the users password in advance, indicating a compromised desktop. Multiple login failures would indicate that the attacker used a brute force attack to determine valid login credintials.
[root@server1 log]# grep 184.108.40.206 /var/log/secure* secure.4:Oct 31 11:04:35 server1 proftpd: server1.example.com (220.127.116.11[18.104.22.168]) - USER hrmmv: Login successful. secure.3:Nov 7 16:01:43 server1 proftpd: server1.example.com (22.214.171.124[126.96.36.199]) - USER hrmmv: Login successful. secure:Nov 23 17:34:10 server1 proftpd: server1.example.com (188.8.131.52[184.108.40.206]) - USER hrmmv: Login successful.
This example indicates that the attacker logged in on 3 separate occasions, with no login failures, indicating that the login credentials were known in advance.
Step 3) Using whois, identify the location for the IP:
[sshinn@gamera incoming]$ whois 220.127.116.11 % Information related to '18.104.22.168 - 22.214.171.124' inetnum: 126.96.36.199 - 188.8.131.52 netname: NEWRACK-NL descr: NewRack.eu NL department country: NL admin-c: SVS148-RIPE tech-c: SVS148-RIPE status: ASSIGNED PA mnt-by: WEDARE-MNT source: RIPE # Filtered person: Sergey V. Smirnoff address: OOO "Ronetel" address: Lenina 129 o. 17 address: Moscow address: Russia phone: +852 812 4838 fax-no: +852 812 4838 abuse-mailbox: email@example.com nic-hdl: SVS148-RIPE source: RIPE # Filtered
Step 4) Check the xfer_logs for the domain, which are located in: /var/www/vhosts/DOMAIN/statistics/xferlog_regular and /var/www/vhosts/DOMAIN/statistics/xferlog_regular.processed.1.gz
[root@server1 logs]# grep 184.108.40.206 /var/www/vhosts/DOMAIN/statistics/xferlog_regular Thu Nov 27 02:43:39 2008 299 220.127.116.11 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c
Using the above examples, this would indicate that the IP of 18.104.22.168, in .eu IP space, logged into the account on Nov 23, Nov 7, and Oct 31. On Nov 23, they uploaded the file index.php, which contained the malware. There were no login failures, indicating the credentials were known in advance. This could indicate that the users desktop has been compromised.