Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites.
The victim companies hosting exploited FTP sites are spread across the spectrum – from small companies and individual accounts with ISPs to major multi-national corporations. IDG’s journalist Jeremy Kirk has an in-depth story. The victimized FTP sites can be used to lure unsuspecting Internet surfers and direct them to sites peddling financial schemes, pornography, or prescription medications among other exploits.
How did the hackers gain access to the FTP sites? In several ways – some sites have anonymous, default, or publicized credentials for public or semi-private access. This data along with stolen credentials, possibly through botnets, have been used to ascertain unauthorized access and attempt exploitation.
We urge companies to re-examine their FTP implementations to minimize possible credential abuse, malware uploads, and possible interconnectivity to other services, especially Web. At the same time, end-users should be more vigilant about the embedded links they follow even to legitimate sites.