Compromised System: FTP
Overview
One or more domains on the system have had malicious code appended to common index files (index.php, index.html, etc.). This is a common method of compromising CLIENTS that connect to the targeted system, because they treat it as a trusted host.
Indicators
Client anti-virus scanners detect malicious ActiveX, Flash, JavaScript, etc. code when browsing the site.
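The indicator above is observed on the client side. A server-side check that complements it, added here as an example and not part of the original procedure, compares the site's index files against a baseline of SHA-256 digests and sizes recorded at the last legitimate deployment (the existence of such a baseline is an assumption). Because the technique appends code to an otherwise intact file, a file that grew past its baseline size is reported together with the appended bytes; files that shrank, were rewritten or vanished are reported without a tail. The demo scenario, the directory layout and the appended placeholder comment are all constructed.

```python
"""Server-side integrity check for web index files (added example, not part
of the original procedure).

Assumption (not from the page): a baseline of SHA-256 digests and sizes was
recorded at the last legitimate deployment. A baseline taken after the
compromise would hide the modification, so record it from a known-good state.
"""
import hashlib
import os
import tempfile

# Files the procedure names as common targets.
INDEX_NAMES = ("index.php", "index.html", "index.htm")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are cheap."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(docroot):
    """Map relative path -> (sha256, size) for every index file under docroot."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, docroot)
                baseline[rel] = (sha256_file(path), os.path.getsize(path))
    return baseline


def find_modified(docroot, baseline):
    """Return {relpath: (status, tail)} for baseline files that no longer match.

    status is 'appended' (tail holds the bytes past the baseline size),
    'rewritten' (hash differs but the file did not grow) or 'missing'.
    """
    modified = {}
    for rel, (digest, size) in baseline.items():
        path = os.path.join(docroot, rel)
        if not os.path.exists(path):
            modified[rel] = ("missing", None)
        elif sha256_file(path) == digest:
            continue  # unchanged since baseline
        elif os.path.getsize(path) > size:
            with open(path, "rb") as f:
                f.seek(size)  # only the bytes beyond the known-good length
                modified[rel] = ("appended", f.read())
        else:
            modified[rel] = ("rewritten", None)
    return modified


def demo():
    """Constructed scenario: clean deploy, baseline, then an append to index.php."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "httpdocs", "index.php")
    os.makedirs(os.path.dirname(index))
    with open(index, "wb") as f:
        f.write(b"<?php echo 'hello'; ?>\n")
    baseline = build_baseline(root)
    assert find_modified(root, baseline) == {}  # nothing changed yet
    with open(index, "ab") as f:  # constructed stand-in for injected content
        f.write(b"<!-- constructed placeholder for appended content -->\n")
    return find_modified(root, baseline)


if __name__ == "__main__":
    for rel, (status, tail) in demo().items():
        print(rel, status, tail)
```

Run the baseline build from a trusted deployment and store it off the web server; the comparison is only as trustworthy as the host the baseline was read on, so re-run it on a copy of the files if the server itself is suspect.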
Vector of Attack
The most common vector of attack is to compromise a user's FTP password, using the same means as above. It is very common in hosting environments. The attacker then logs in with legitimate credentials, downloads web files (index.html, index.php, etc.) and uploads them again with malicious code appended.
Forensic Procedures
Step 1) Check the last logs for the owner(s) of the affected domain; in this example the user is “david”:
[root@server1 ~]# last david
david    ftpd32001    1.2.3.4          Thu Nov 27 02:49 - 03:15  (00:25)
david    ftpd26860    1.2.3.4          Thu Nov 27 02:37 - 02:48  (00:11)
david    ftpd32383    92.48.201.31     Sun Nov 23 17:34 - 17:37  (00:03)
david    ftpd15631    1.2.3.4          Mon Nov 17 11:36 - 11:45  (00:08)
david    ftpd8814     1.2.3.4          Mon Nov 17 11:27 - 11:32  (00:04)
david    ftpd8277     1.2.3.4          Mon Nov 17 11:27 - 11:32  (00:05)
david    ftpd8018     1.2.3.4          Sun Nov 16 05:40 - 05:45  (00:04)
david    ftpd7710     1.2.3.4          Sun Nov 16 05:40 - 05:45  (00:05)
david    ftpd7634     1.2.3.4          Sun Nov 16 05:39 - 05:44  (00:04)
david    ftpd18673    92.48.201.31     Fri Nov  7 16:01 - 16:04  (00:02)
Consult the user about which IPs they commonly connect from. In this example, 1.2.3.4 is known to be the user's legitimate IP. 92.48.201.31 is the anomaly and needs to be investigated further.
Step 2) Check /var/log/secure for access from the anomalous IP, 92.48.201.31, to identify how the account was accessed. A single login with no failures would indicate that the attacker knew the user's password in advance, pointing to a compromised desktop. Multiple login failures would indicate that the attacker used a brute-force attack to determine valid login credentials.
[root@server1 log]# grep 92.48.201.31 /var/log/secure*
secure.4:Oct 31 11:04:35 server1 proftpd[23203]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
secure.3:Nov 7 16:01:43 server1 proftpd[18673]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
secure:Nov 23 17:34:10 server1 proftpd[32383]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
This example shows that the attacker logged in on 3 separate occasions with no login failures, indicating that the login credentials were known in advance.
Step 3) Using whois, identify the location for the IP:
[sshinn@gamera incoming]$ whois 92.48.201.31
% Information related to '92.48.201.0 - 92.48.201.63'
inetnum:        92.48.201.0 - 92.48.201.63
netname:        NEWRACK-NL
descr:          NewRack.eu NL department
country:        NL
admin-c:        SVS148-RIPE
tech-c:         SVS148-RIPE
status:         ASSIGNED PA
mnt-by:         WEDARE-MNT
source:         RIPE # Filtered
person:         Sergey V. Smirnoff
address:        OOO "Ronetel"
address:        Lenina 129 o. 17
address:        Moscow
address:        Russia
phone:          +852 812 4838
fax-no:         +852 812 4838
abuse-mailbox:  abuse@newrack.eu
nic-hdl:        SVS148-RIPE
source:         RIPE # Filtered
Step 4) Check the xferlogs for the domain, which are located in:
/var/www/vhosts/DOMAIN/statistics/xferlog_regular
/var/www/vhosts/DOMAIN/statistics/xferlog_regular.processed.1.gz
[root@server1 logs]# grep 92.48.201.31 /var/www/vhosts/DOMAIN/statistics/xferlog_regular
Thu Nov 27 02:43:39 2008 299 92.48.201.31 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c
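Steps 1, 2 and 4 above are done by hand with last and grep. The following added example, which is not part of the original procedure, performs the same correlation over embedded sample lines: it lists the source hosts of the user's ftpd sessions that are not on a known-good list, counts successful and failed logins per host, applies the interpretation Step 2 gives, and decodes the xferlog records for that host. The sample lines copy the page's own values (user david, known IP 1.2.3.4, anomaly 92.48.201.31, account hrmmv); the failed-login line from 203.0.113.9 and the second xferlog line are constructed to exercise the failure and upload branches. The whois step is left out because it needs network access. The assumed formats are `last` output, ProFTPD lines in /var/log/secure, and the standard xferlog field order, in which the direction field records 'i' for a transfer into the server (an upload) and 'o' for a transfer out of it (a download), a distinction worth checking when deciding which session placed the modified file.

```python
"""Correlate FTP login and transfer logs for one account.

Added example; not part of the original procedure. Sample lines copy the
page's own values; lines marked CONSTRUCTED were added for this example.
Assumed formats: `last` output, ProFTPD entries in /var/log/secure, and the
standard xferlog field order.
"""
import re

# Step 1 input: subset of the `last david` output from the page.
LAST_OUTPUT = """\
david ftpd32001 1.2.3.4 Thu Nov 27 02:49 - 03:15 (00:25)
david ftpd32383 92.48.201.31 Sun Nov 23 17:34 - 17:37 (00:03)
david ftpd15631 1.2.3.4 Mon Nov 17 11:36 - 11:45 (00:08)
david ftpd18673 92.48.201.31 Fri Nov 7 16:01 - 16:04 (00:02)
"""

# Step 2 input: the three page lines plus one CONSTRUCTED failed login from
# 203.0.113.9 (documentation address range) to show the failure branch.
SECURE_LINES = """\
Oct 31 11:04:35 server1 proftpd[23203]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
Nov 7 16:01:43 server1 proftpd[18673]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
Nov 23 17:34:10 server1 proftpd[32383]: server1.example.com (92.48.201.31[92.48.201.31]) - USER hrmmv: Login successful.
Nov 24 03:00:01 server1 proftpd[40001]: server1.example.com (203.0.113.9[203.0.113.9]) - USER hrmmv (Login failed): Incorrect password.
"""

# Step 4 input: the page's xferlog line plus one CONSTRUCTED upload ('i').
XFERLOG_LINES = """\
Thu Nov 27 02:43:39 2008 299 92.48.201.31 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c
Sun Nov 23 17:36:02 2008 4 92.48.201.31 4660112 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ i r david ftp 0 * c
"""

SECURE_RE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: \S+ \((?P<ip>[^\[\s]+)\[[^\]]*\]\) - USER (?P<user>[^\s:]+)(?P<rest>.*)"
)
# xferlog direction field: which way the bytes moved relative to the server.
DIRECTION = {"i": "incoming (upload to server)", "o": "outgoing (download from server)"}


def anomalous_ftp_hosts(last_output, user, known_ips):
    """Step 1: source hosts of `user`'s ftpd sessions that are not known-good."""
    hosts = set()
    for line in last_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == user and parts[1].startswith("ftpd"):
            hosts.add(parts[2])
    return sorted(hosts - set(known_ips))


def login_summary(secure_text, ip):
    """Step 2: count successful and failed logins from `ip` and the accounts it named."""
    summary = {"successes": 0, "failures": 0, "users": set()}
    for line in secure_text.splitlines():
        m = SECURE_RE.search(line)
        if not m or m.group("ip") != ip:
            continue
        summary["users"].add(m.group("user"))
        if "Login successful" in m.group("rest"):
            summary["successes"] += 1
        else:
            summary["failures"] += 1
    return summary


def assess(summary):
    """Step 2 interpretation, as the procedure states it."""
    if summary["successes"] and not summary["failures"]:
        return "credentials known in advance: suspect a compromised client"
    if summary["failures"]:
        return "failed attempts present: suspect password guessing"
    return "no logins from this host"


def parse_xferlog(line):
    """Standard xferlog record: 5 timestamp tokens, then transfer seconds, host,
    bytes, path, type, special-action, direction, access mode, user, service,
    auth method, auth user id, completion status (c = complete, i = incomplete)."""
    t = line.split()
    if len(t) != 18:
        return None  # not a well-formed record
    return {
        "time": " ".join(t[0:5]), "seconds": int(t[5]), "host": t[6],
        "bytes": int(t[7]), "path": t[8], "direction": DIRECTION.get(t[11], t[11]),
        "user": t[13], "complete": t[17] == "c",
    }


def transfers_from(xferlog_text, ip):
    """Step 4: every parsable transfer whose remote host is `ip`."""
    records = (parse_xferlog(line) for line in xferlog_text.splitlines())
    return [r for r in records if r and r["host"] == ip]


if __name__ == "__main__":
    for ip in anomalous_ftp_hosts(LAST_OUTPUT, "david", ["1.2.3.4"]):
        summary = login_summary(SECURE_LINES, ip)
        print(ip, summary, "->", assess(summary))
        for rec in transfers_from(XFERLOG_LINES, ip):
            print("  ", rec["time"], rec["direction"], rec["path"], rec["bytes"])
```

To use it on a real host, read the three inputs from `last <user>`, the rotated /var/log/secure* files and the domain's xferlog files (gunzip the .processed ones first) instead of the embedded strings; the parsing and interpretation stay the same.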
Conclusion
Taken together, the above indicates that the IP 92.48.201.31, in .eu IP space, logged into the account on Nov 23, Nov 7 and Oct 31. On Nov 23 they uploaded the file index.php, which contained the malware. There were no login failures, indicating the credentials were known in advance. This could indicate that the user's desktop has been compromised.