SmartFTP hacking alert (possibly other software)
Posted: Tue Jun 10, 2008 12:57 pm
SmartFTP is a popular and good FTP client (I use FileZilla personally).
If you find anywhere on your site a file called ftpchk3.php or ftpchk3.pl (Perl script), you have been hacked.
According to several messages on various forums, there is a version of the rootkit (virus) Bagle that is able to collect the login, PW, and URL used by SmartFTP. Then it sends this information by email to the hacker. Later, you'll find a file called ftpchk3.php at the root of the web site. This file has been uploaded by FTP! (Never from the same IP). It only contains <echo>
Later again, a bot will visit the site and send an HTTP request. If there is an OK reply from the PHP file, then a new file ftpchk3.pl is uploaded, and ftpchk3.php is emptied (zero size).
The file attempts to connect to an SMTP (mail) server like this one:
my $smtp = 'smtp.mail.ru';
my $dns = '208.67.222.222';
(There are probably other ones)
Later again, hundreds of HTML files (backlinks) are uploaded to your site. These files are crawled by Googlebot. A data_.php file may also be there, used to send spam through your server.
Countermeasures:
- Make sure you have none of the files above on your site, and no unknown HTML files
- Change your FTP PW (or ask your admin to change it)
- Run decent anti-virus, anti-spyware and firewall software.
- Three totally free programs working very well:
- - AVG Free version 8 http://free.grisoft.com/ww.download-avg ... ee-edition (anti-virus, anti-spyware, anti-rootkit)
- - ZoneAlarm Firewall (simple and very effective firewall) http://www.zonealarm.com/store/content/ ... ist_za.jsp
- - Spybot Search and Destroy (heavy anti-spyware program, performing up to 600 000 tests, but not an anti-virus; version 1.6, in beta, will be faster than 1.5, available at the time of writing) http://www.spybot.info/index2.html
- Check and possibly reinstall your index.php files and such
Hope it helps!
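The first countermeasure above (checking the site for the named files, for the emptied PHP check file and for the backlink dump), as an added example that is not from the original post: a Python scan of a web root. The sample tree it builds is constructed here for illustration, and the threshold of 50 HTML files per directory is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Filenames the post names as indicators of this compromise.
IOC_FILENAMES = {"ftpchk3.php", "ftpchk3.pl", "data_.php"}

def scan_webroot(webroot, html_threshold=50):
    """Walk a web root and return (relative path, reason) findings: the
    indicator filenames above, zero-size .php files (ftpchk3.php is emptied
    once the bot has checked it) and directories holding at least
    html_threshold HTML files (the backlink spam drop; threshold assumed)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        html_count = 0
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():  # skip dangling symlinks and the like
                continue
            rel = str(path.relative_to(webroot))
            if name.lower() in IOC_FILENAMES:
                findings.append((rel, "known indicator filename"))
            if path.suffix.lower() == ".php" and path.stat().st_size == 0:
                findings.append((rel, "zero-size PHP file"))
            if path.suffix.lower() in (".html", ".htm"):
                html_count += 1
        if html_count >= html_threshold:
            rel_dir = str(Path(dirpath).relative_to(webroot))
            findings.append((rel_dir, f"{html_count} HTML files in one directory"))
    return findings

def build_sample_webroot():
    """Constructed sample tree (not real data) mimicking the post's symptoms."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "ftpchk3.php").write_text("")           # check file, now emptied
    (root / "ftpchk3.pl").write_text("#!/usr/bin/perl\n")
    spam = root / "links"
    spam.mkdir()
    for i in range(120):                            # backlink spam drop
        (spam / f"page{i}.html").write_text("<a href='#'>x</a>")
    return str(root)

def reasons_for(webroot):
    """Group findings by path so each flagged item lists all its reasons."""
    out = {}
    for rel, reason in scan_webroot(webroot):
        out.setdefault(rel, []).append(reason)
    return out
```

Point `reasons_for()` at the real document root (or at a local copy pulled down over FTP) and review every path it returns; an empty result only means none of these particular symptoms are present.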