Saturday, 2 April 2011

Using FTP can get you Hacked! Learn from my experience, Use SFTP from now on…
Now you may ask, why this post? Because I faced it! My FTP account was hacked. I don't know how, but hackers had somehow got access to my FTP account and were using three of my domains for BlackHat SEO and for spreading other malware. I was lucky that they did not use this blog for any corrupt activities.
My hosting provider (i.e. DreamHost) contacted me after suspicious activity with my FTP account. They noticed that my FTP account had been used from about 130 IP addresses in 17 countries over the last 30 days. Of course, they didn't expect me to travel to 17 countries in a month, so they mailed me that they suspected some illegitimate activity through some of my domain names.
They asked me to change the password of my account and shift to SFTP (port 22) instead of FTP (port 21). I hurriedly changed the password of my account and started using SFTP. Even though the slow speed is pissing me off, it's better than being hacked!
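The check DreamHost ran (one account, many source addresses, many countries, short window) is easy to reproduce against your own FTP or SSH login logs. The script below is an added example written for this post, not DreamHost's tooling: it parses a constructed login log (documentation-range addresses, invented accounts), counts distinct source IPs and countries per account over a 30-day window, and flags accounts above assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of FTP login records, one successful or failed login per line.
# The addresses are from documentation ranges and the accounts are invented; this is
# not data from the post or from DreamHost.
SAMPLE_LOG = """\
2011-03-01T08:12:00 user=owner ip=203.0.113.7 country=IN result=OK
2011-03-03T21:40:10 user=owner ip=203.0.113.7 country=IN result=OK
2011-03-05T02:03:55 user=owner ip=198.51.100.23 country=RU result=OK
2011-03-05T02:04:30 user=owner ip=198.51.100.77 country=CN result=OK
2011-03-09T14:20:01 user=owner ip=192.0.2.45 country=BR result=OK
2011-03-15T06:00:12 user=owner ip=192.0.2.201 country=US result=OK
2011-03-20T11:11:11 user=owner ip=198.51.100.9 country=DE result=FAIL
2011-03-22T19:45:00 user=blogger ip=203.0.113.8 country=IN result=OK
2011-03-28T07:30:00 user=blogger ip=203.0.113.8 country=IN result=OK
2011-01-10T07:30:00 user=owner ip=192.0.2.250 country=FR result=OK
"""


def parse_line(line):
    """Turn '2011-03-01T08:12:00 user=x ip=y country=z result=OK' into a dict."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def summarize_logins(log_text, now, window_days=30):
    """Per account, collect distinct source IPs and countries of successful logins
    within the last `window_days` before `now`; failed attempts are ignored."""
    since = now - timedelta(days=window_days)
    stats = defaultdict(lambda: {"ips": set(), "countries": set(), "logins": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "OK" or rec["ts"] < since:
            continue
        acct = stats[rec["user"]]
        acct["ips"].add(rec["ip"])
        acct["countries"].add(rec["country"])
        acct["logins"] += 1
    return stats


def flag_suspicious(stats, max_ips=3, max_countries=2):
    """Return accounts whose login spread exceeds the thresholds (assumed values:
    a single site owner rarely logs in from more than a few IPs or two countries)."""
    flagged = {}
    for user, acct in stats.items():
        if len(acct["ips"]) > max_ips or len(acct["countries"]) > max_countries:
            flagged[user] = {
                "ips": len(acct["ips"]),
                "countries": len(acct["countries"]),
                "logins": acct["logins"],
            }
    return flagged


def run_sample(now_iso="2011-03-31T00:00:00"):
    """Run the check over the constructed log as of a fixed date."""
    return flag_suspicious(summarize_logins(SAMPLE_LOG, datetime.fromisoformat(now_iso)))


if __name__ == "__main__":
    for user, counts in run_sample().items():
        print(f"{user}: {counts['logins']} logins from {counts['ips']} IPs "
              f"in {counts['countries']} countries -> reset password, move to SFTP")
```

The thresholds are deliberately low for a single-owner hosting account; a shared account used by a team needs higher ones, and failed logins are skipped so that a plain brute-force attempt does not trip the spread check (that is a separate alert).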
On further investigation, I came to know that there was no evidence of a server-side hack. FTP passwords were collected by the botnet via malware/viruses installed on user computers. But I am currently using Ubuntu, so how come the botnet was installed on it? I am still puzzled; I need to do some research on it now…
Now, how easy is it to steal FTP passwords? It's pretty easy!
FTP sends the username and password in plain text on the control connection, so anyone who can observe the traffic (with a packet sniffer, or from any other man-in-the-middle position on the path) can read the password directly. SFTP, by contrast, runs over SSH: the whole session, including the login, is encrypted, so an eavesdropper cannot recover the original password from what crosses the wire.
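To make the difference concrete, here is an added example (not code from the original post) of a small audit that a network owner can run over captured control-channel traffic to find logins that are still happening in the clear and should be migrated to SFTP. Both sessions below are constructed: the FTP one shows the USER/PASS lines as any observer on the path sees them, the SFTP stand-in shows only the SSH version banners followed by opaque bytes. The audit masks the password so its own output is not a second leak.

```python
import re

# Constructed FTP control-channel exchange, written the way a passive observer on the
# network path would see it: "C:" lines are client -> server, "S:" lines are replies.
# Invented for this example, not a capture from the post.
FTP_SESSION = b"""S: 220 ftp.example.net FTP server ready
C: USER siteowner
S: 331 Password required for siteowner
C: PASS hunter2
S: 230 User siteowner logged in
C: CWD /public_html
S: 250 CWD command successful
"""

# Constructed stand-in for the same observer's view of an SFTP session: after the
# plaintext SSH version banners, every byte is encrypted, so the login is opaque.
SFTP_SESSION = (
    b"S: SSH-2.0-OpenSSH_5.3\n"
    b"C: SSH-2.0-OpenSSH_5.8\n"
    b"C: \x17\x8a\x03\xf1\x2c\x9e\x41\x00\xb7\x55\xde\xad\n"
    b"S: \x6b\x12\xff\x09\x81\x3a\xc4\x77\x20\x0e\x91\x52\n"
)

# FTP commands are case-insensitive and one per line; only the client sends them.
CRED_RE = re.compile(rb"^C: (USER|PASS) (.+?)\r?$", re.MULTILINE | re.IGNORECASE)


def find_cleartext_credentials(payload):
    """Return (command, value) pairs for every login credential readable in the
    payload. The password value is masked so the audit output is not itself a leak."""
    findings = []
    for m in CRED_RE.finditer(payload):
        cmd = m.group(1).decode().upper()
        value = m.group(2).decode("latin-1")
        if cmd == "PASS":
            value = "*" * len(value)
        findings.append((cmd, value))
    return findings


def audit(payload, label):
    """Summarize one observed session as a single audit message."""
    creds = find_cleartext_credentials(payload)
    users = [v for c, v in creds if c == "USER"]
    if any(c == "PASS" for c, _ in creds):
        return f"{label}: cleartext password for {', '.join(users)} visible on the wire"
    return f"{label}: no cleartext credentials observed"


if __name__ == "__main__":
    print(audit(FTP_SESSION, "ftp.example.net:21"))
    print(audit(SFTP_SESSION, "ftp.example.net:22"))
```

The point of the SFTP half is not that the scanner is clever but that there is nothing for it to find: once the SSH handshake is done, no observer on the path sees a login line at all. Real captures arrive as packets rather than tidy lines, so in practice you would feed the reassembled TCP stream of port 21 into `find_cleartext_credentials`.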
It also came to my notice that my FTP login was used by Russia/China-based websites for BlackHat SEO and malware distribution purposes by adding their hidden code into all web pages of three of my domains. I immediately disabled those three domains from the control panel, as I was not using them for my front-end websites.
The basic script that they inserted into my pages is located at http://kollinsoy.skyefenton.com:8080/Telnet.js. I would not suggest visiting this link without antivirus protection, even though Firefox is blocking it, saying that "Malware was found" on this site!
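If you suspect the same kind of compromise, the fastest way to find every affected page is to scan the web root for script and iframe tags that point somewhere the site never loads from. The scanner below is an added example (my own code for this post, not something from the attackers' script or from DreamHost): it parses a constructed sample page with Python's standard HTML parser, flags references to hosts outside an assumed allow-list, to the known-bad host named above, to non-standard ports, and zero-size iframes, and can walk a directory of `.html`/`.php` files.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the site's own script plus an injected external one. The
# injected URL is the one named in the post; the rest of the page is invented.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://kollinsoy.skyefenton.com:8080/Telnet.js"></script>
</head><body><p>Hello</p>
<iframe src="http://cdn.example.org/widget.html" width="0" height="0"></iframe>
</body></html>"""

# Hosts the site legitimately loads from (assumed for this example) and hosts
# already known to be bad (the one from the post).
OWN_HOSTS = {"www.example.com", "example.com"}
KNOWN_BAD_HOSTS = {"kollinsoy.skyefenton.com"}


class InjectedRefFinder(HTMLParser):
    """Collect <script> and <iframe> tags that look like foreign insertions."""

    def __init__(self, own_hosts=OWN_HOSTS, known_bad=KNOWN_BAD_HOSTS):
        super().__init__()
        self.own_hosts, self.known_bad = set(own_hosts), set(known_bad)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        u = urlparse(src)
        reasons = []
        # Relative URLs have no hostname and are treated as the site's own.
        if u.hostname and u.hostname not in self.own_hosts:
            reasons.append("external-host")
        if u.hostname in self.known_bad:
            reasons.append("known-bad-host")
        if u.port not in (None, 80, 443):
            reasons.append("non-standard-port")
        # Zero-size iframes are a common way to hide a loaded page (heuristic).
        if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"):
            reasons.append("hidden-iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def find_injected_refs(html):
    """Return [(tag, src, [reasons...])] for every suspicious reference in `html`."""
    p = InjectedRefFinder()
    p.feed(html)
    p.close()
    return p.findings


def scan_directory(root, exts=(".html", ".htm", ".php")):
    """Walk a web root and return {path: findings} for files with any finding."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_injected_refs(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    for tag, src, reasons in find_injected_refs(SAMPLE_HTML):
        print(f"<{tag} src={src}> flagged: {', '.join(reasons)}")
```

Run `scan_directory("/path/to/web/root")` after the password change, not before: the injected code was put there with valid FTP credentials, so cleaning pages while the attackers can still log in just invites a re-infection. Keep the list of flagged files; it tells you which domains to take offline, as the post describes, while you restore them from a known-good backup.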
I will write another post if I come to know more details about such compromises. For the time being, it must be understood that SFTP is far more secure than FTP!
