SmartFTP hacking alert (possibly other software)

Chrisax
President
Posts: 23045
Joined: Wed Apr 19, 2006 1:08 pm


Post by Chrisax »

SmartFTP is a popular and good FTP client (I use FileZilla personally).

If you find anywhere on your site a file called ftpchk3.php or ftpchk3.pl (Perl script), you have been hacked.

According to several messages on various forums, there is a version of the rootkit (virus) Bagle that is able to collect the login, PW, and URL used by SmartFTP. Then it sends this information by email to the hacker. Later, you'll find a file called ftpchk3.php at the root of the web site. This file has been uploaded by FTP! (Never from the same IP). It only contains <echo>

Later again, a bot will visit the site and send an HTTP request. If there is an OK reply from the PHP file, then a new file ftpchk3.pl is uploaded, and ftpchk3.php is emptied (zero size).

The file attempts to connect to an SMTP (mail) server like this one:

    my $smtp = 'smtp.mail.ru';
    my $dns = '208.67.222.222';

(There are probably other ones.)

Later again, hundreds of HTML files (backlinks) are uploaded to your site. These files are crawled by Googlebot. A data_.php file may also be there, used to send spam through your server.

Countermeasures:
- Make sure you have none of the files above on your site and no unknown HTML
- Change your FTP PW (or ask your admin to change it)
- Run decent anti-virus, anti-spyware and firewall software
- Delete all the pirate HTML files
- Check and possibly reinstall your index.php files and such

Hope it helps!
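A script that sweeps a web root for the indicators Chrisax lists, added here as an example; it is not part of the original post. The three filenames (ftpchk3.php, ftpchk3.pl, data_.php) come from the post. Flagging any other .pl file under the web root, any zero-byte .php file, and HTML files modified after index.php are this example's own assumptions about what "unknown HTML" and an emptied dropper look like.

```shell
#!/bin/sh
# IOC sweep for the ftpchk3 campaign described in the post above.
# Added example, not from the original post. The filenames ftpchk3.php,
# ftpchk3.pl and data_.php are the post's; the other heuristics (any *.pl under
# the web root, any zero-byte *.php, HTML newer than index.php) are assumptions.

# scan_webroot DIR [REFERENCE_FILE]
# Prints one finding per line as "<TAG> <path>":
#   IOC_NAME   a filename named in the report, anywhere under DIR
#   EMPTY_PHP  a zero-byte .php file (the post: ftpchk3.php is emptied after use)
#   PERL_FILE  a .pl file; a Perl script rarely belongs in a PHP site's web root
#   NEW_HTML   an .html/.htm file modified after REFERENCE_FILE
#              (default DIR/index.php, a file you know you last touched yourself)
# A file can match more than one tag, e.g. an emptied ftpchk3.php.
scan_webroot() {
    root=$1
    ref=${2:-$1/index.php}

    for name in ftpchk3.php ftpchk3.pl data_.php; do
        find "$root" -type f -name "$name" -print | sed 's/^/IOC_NAME /'
    done
    # -size 0 counts 512-byte blocks rounded up, so it matches only empty files
    find "$root" -type f -name '*.php' -size 0 -print | sed 's/^/EMPTY_PHP /'
    find "$root" -type f -name '*.pl' -print | sed 's/^/PERL_FILE /'
    if [ -f "$ref" ]; then
        find "$root" -type f \( -name '*.html' -o -name '*.htm' \) -newer "$ref" -print \
            | sed 's/^/NEW_HTML /'
    fi
}

# webroot_is_clean DIR [REFERENCE_FILE]: exit 0 if the sweep found nothing.
webroot_is_clean() {
    [ -z "$(scan_webroot "$@")" ]
}

# Usage: sh scan_webroot.sh /var/www/html [/var/www/html/index.php]
if [ $# -gt 0 ]; then
    scan_webroot "$@"
    if webroot_is_clean "$@"; then
        echo "clean"
    else
        echo "FINDINGS: review the files above, then change the FTP password"
    fi
fi
```

Run it against a copy of the site if you can, not only the live web root, because the backlink HTML files can be numerous and NEW_HTML is only as good as the reference file's modification time; once the stolen credential has been rotated, repeat the sweep a day later to confirm nothing is being re-uploaded.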
Hyde
Hyde!
Posts: 3477
Joined: Thu Apr 20, 2006 5:26 am

Post by Hyde »

I'm a big advocate of letting the old FTP protocol die. It's been one of the most hacked services in the history of the internet.

It's also completely replaceable by using SSH as a service with SFTP and/or SCP. Both SFTP and SCP use the SSH mechanisms for login and in general have far fewer exploit possibilities.

I know that people often don't have control over this on leased machines, just something to advocate while it's being brought up. And in cases where you -need- anonymous FTP access you're probably stuck with FTP. But most of those cases can be handled by either a web service (for uploads) or a combination of SFTP/SCP uploads by registered users and HTTP for anonymous downloads.
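An SFTP-only account setup of the kind Hyde describes, as an added example and not code from the post: one function prints the OpenSSH sshd_config directives that confine a group to the in-process SFTP server inside a chroot, and a second reads an existing sshd_config and reports which of those directives are missing, so you can check a leased box before asking the provider for changes. The group name sftponly and the chroot path /srv/sftp/%u are assumptions; the directive names are OpenSSH's own.

```shell
#!/bin/sh
# SFTP-only accounts in OpenSSH, as an alternative to running an FTP daemon.
# Added example, not code from the post. The group name and the chroot path
# /srv/sftp/%u are assumptions; the directive names are OpenSSH's.

# recommended_sftp_config GROUP: print the sshd_config lines that confine
# members of GROUP to the in-process SFTP server inside a chroot.
recommended_sftp_config() {
    cat <<EOF
# internal-sftp runs inside sshd, so the chroot needs no binaries or libraries
Subsystem sftp internal-sftp

# Members of $1 get SFTP only: no shell, no port/X11 forwarding, no tunnels.
# Every component of the ChrootDirectory path must be owned by root and not
# writable by group or others; give users a writable subdirectory inside it.
Match Group $1
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# match_block FILE GROUP: print "directive value" (directive lowercased) for the
# lines inside "Match Group GROUP". A Match block extends to the next Match
# line or end of file, which is how sshd itself reads it.
match_block() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk && NF && $1 !~ /^#/ { print tolower($1), $2 }
    ' "$1"
}

# check_sshd_config FILE GROUP: report each missing hardening directive on a
# "MISSING ..." line; exit 0 only when FILE already confines GROUP as above.
check_sshd_config() {
    file=$1
    group=$2
    rc=0

    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$file" \
        || { echo "MISSING global: Subsystem sftp internal-sftp"; rc=1; }

    blk=$(match_block "$file" "$group")
    for want in "chrootdirectory" "forcecommand internal-sftp" \
                "allowtcpforwarding no" "x11forwarding no" "permittunnel no"; do
        echo "$blk" | grep -q "^$want" \
            || { echo "MISSING in Match Group $group: $want"; rc=1; }
    done
    return $rc
}

# Usage: sh sftp_only.sh /etc/ssh/sshd_config sftponly   (audit an existing config)
#        sh sftp_only.sh --print sftponly                 (emit the recommended block)
if [ "$1" = "--print" ]; then
    recommended_sftp_config "$2"
elif [ $# -eq 2 ]; then
    check_sshd_config "$1" "$2" && echo "OK: $2 is SFTP-only"
fi
```

After appending the block and reloading sshd, create the upload users with a non-login shell and add them to the group; the web server then reads from the writable subdirectory inside each chroot (or a directory it is published to), which gives Hyde's split of authenticated SFTP uploads and plain HTTP for anonymous downloads without anything listening on TCP port 21.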