FTP Hacking on the Rise

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."
  • by DigitalSorceress ( 156609 ) on Wednesday March 12, 2008 @11:06AM (#22728262)
    Well, for my money, anyone who blindly clicks on a link.... FTP or HTTP and runs an executable that comes from it is going to get infected regardless of what protocol was used for it.

    The fact that a lot of gateways prevent certain actions based on the protocol just makes the "any key" users blindly click on stuff without worry - after all, they've "got protection"

    When it comes to any infection vector that involves social engineering, your brain (should you choose to use it) is your best virus protection.
  • Re:Uh oh (Score:3, Informative)

    by Brian Gordon ( 987471 ) on Wednesday March 12, 2008 @11:07AM (#22728270)
    SCP? Still disco-era. Try sftp, might as well since we tunnel every other service under the sun through ssh.
  • by Frozen Void ( 831218 ) on Wednesday March 12, 2008 @11:11AM (#22728318) Homepage
    google "NTP exploit"
  • Re:FTP attachments? (Score:3, Informative)

    by phaunt ( 1079975 ) on Wednesday March 12, 2008 @11:11AM (#22728320)

    because few gateways scan for FTP attachments these days.


    Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

    Can anybody translate this into something that makes sense?

    I believe the writer of the summary has mixed up two things:
    • Gateways don't bother with FTP traffic
    • Instead of malicious attachments, e-mails include links to ftp servers.
  • by Werrismys ( 764601 ) on Wednesday March 12, 2008 @11:13AM (#22728358)
    Just ignore them. It's good business for them to constantly cry "wolf".
  • Re:Big deal.. (Score:4, Informative)

    by garett_spencley ( 193892 ) on Wednesday March 12, 2008 @11:29AM (#22728572) Journal
    "For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?"

    Unfortunately there's a lot of software that simply does not support ssh/scp/sftp and will only work with FTP. Joomla is an example of a CMS that uses FTP to update template files and such that the web server can not write to. In this case you create an FTP server that listens on 127.0.0.1:21 and the PHP script, run under the web server user, FTPs to the host and logs in under a different user to upload the changes.

    I've also got some business software that I run on my local machine that FTPs to my web server to upload new files. I really wish it would support ssh but it doesn't.

    Maybe ssh tunnels are the way to go for such situations? Either way FTP is still used for such circumstances. These programmers really need to get with the times.
  • by spitek ( 942062 ) on Wednesday March 12, 2008 @11:35AM (#22728646) Homepage
    Clear TXT PASSWD = BAD. Might as well bend over. I've made my hosting customers use SFTP/SCP for YEARS. Been very happy I have. Just like POP3 one day... IF we are lucky people will stop using it. It's like sending your tax return to the IRS in a clear envelope with your name, birth date and SS # showing. Just plain STUPID!
  • Re:Uh oh (Score:2, Informative)

    by Anonymous Coward on Wednesday March 12, 2008 @11:56AM (#22728872)

    Disco-era? It was first implemented in 1995.

    Then why were people writing about it in 1971?
    http://tools.ietf.org/html/rfc114 [ietf.org]

  • Re:Big deal.. (Score:3, Informative)

    by Hatta ( 162192 ) on Wednesday March 12, 2008 @12:01PM (#22728922) Journal
    I trust the security of vsftpd more than I do apache.
  • Re:Uh oh (Score:5, Informative)

    by fizzup ( 788545 ) on Wednesday March 12, 2008 @12:13PM (#22729088)

    I think you may have misunderstood. RFC 114 refers to FTP, which is from the 70s. The poster was talking about scp, which is certainly from the mid-90s.

    Now, whether 1971 counts as disco-era is another question. I would say that it is pre-disco, since every school child knows that the disco era started with Soul Makossa [wikipedia.org] in 1973.

  • by skeeto ( 1138903 ) on Wednesday March 12, 2008 @12:25PM (#22729242)
    Actually, the OpenBSD guys believed the original NTP implementation to be a security risk and thus created their own: see Using OpenNTPD [openbsd.org] and this post [advogato.org] by the OpenNTPD maintainer.
  • Re:Uh oh (Score:5, Informative)

    by HTH NE1 ( 675604 ) on Wednesday March 12, 2008 @12:54PM (#22729536)
    Hmm, scp has built-in support for transferring an entire directory with one command natively, but sftp can be used to transfer files between two servers while being controlled from a third site such that the transfer doesn't pass through the controlling client (useful for maintaining from a dial-up connection two high-speed servers that don't grant shell access).

    Decisions, decisions.
  • Got hit by it (Score:4, Informative)

    by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Wednesday March 12, 2008 @12:57PM (#22729570)
    My company got hit by this. Basically, someone found a username / password combination on a web server and FTP'ed up a phishing website. This user didn't have a valid login shell {it was set to /bin/false} but that didn't matter here because they didn't need to run shell commands {and in any case, if they needed to, they had a perfectly good cgi-bin directory they could use}.

    Obviously you have to have FTP and web servers on the same machine, otherwise your hosting customers can't upload their pages. To limit the potential damage, disable mod_userdir -- all your users should already have their own domain names anyway. And if you have any "email only" users {usually, these will be secondary mailbox accounts, i.e. when you have things like fred@freds-shed.org.uk going into one mailbox and charlie@freds-shed.org.uk going into another} whose only way of accessing files is by POP3 or IMAP, use a different shell for them. {I recommend /bin/true for FTP-enabled users without shell access -- this needs to be mentioned in /etc/shells, of course, for FTP access to work -- and /bin/false for non-FTP users. This should not be in /etc/shells.}

    If you have users who want to use scp or fish to upload stuff, they'll have to have a Bourne-like shell such as /bin/bash or /bin/ash. In which case, as a bare minimum you should disable password-based logins. There are better solutions involving chroot and per-user bin folders.
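
An added example (not part of the comment above or of any poster's code): the shell policy that comment describes, written as a check over /etc/passwd and /etc/shells. It assumes the FTP daemon refuses logins for users whose shell is not listed in /etc/shells; the sample accounts and all function names are constructed for illustration.

```python
# Constructed sample data; on a real host read /etc/passwd and /etc/shells.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:web customer:/home/fred:/bin/true
charlie:x:1002:1002:mailbox only:/home/charlie:/bin/false
dana:x:1003:1003:scp customer:/home/dana:/bin/bash
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/true
"""

# Shells that exit immediately and give no interactive session.
NON_INTERACTIVE = {"/bin/true", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_shells(text):
    """Return the set of shells listed in /etc/shells, ignoring comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def classify_accounts(passwd_text, shells_text):
    """Map each user to 'shell+ftp', 'ftp-only' or 'no-ftp'.

    Assumption: the FTP daemon rejects users whose shell is not in /etc/shells.
    """
    valid = parse_shells(shells_text)
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user = fields[0]
        shell = fields[6] or "/bin/sh"  # an empty shell field means /bin/sh
        if shell not in valid:
            result[user] = "no-ftp"
        elif shell in NON_INTERACTIVE:
            result[user] = "ftp-only"
        else:
            result[user] = "shell+ftp"
    return result


def misconfigurations(shells_text):
    """Flag /bin/false in /etc/shells: mail-only users would then pass the FTP check."""
    listed = parse_shells(shells_text)
    return ["/bin/false listed in /etc/shells"] if "/bin/false" in listed else []
```

Accounts reported as `shell+ftp` are the ones the comment says should, at a minimum, have password-based logins disabled.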
  • ntpd-exp.c (Score:3, Informative)

    by commodoresloat ( 172735 ) * on Wednesday March 12, 2008 @01:53PM (#22730292)
    Check it out [osdir.com]. That, my friends, is a real Clock Gobbler.
  • Re:Uh oh (Score:3, Informative)

    by B3ryllium ( 571199 ) on Wednesday March 12, 2008 @02:02PM (#22730412) Homepage
    Yes, you're correct, except for the fact that the GP had called SCP "disco-era", in apparent disregard for the context of that phrase's usage. I was merely correcting the timeframe of SCP's inception.
  • by timbck2 ( 233967 ) <<moc.liamg> <ta> <2kcbmit>> on Wednesday March 12, 2008 @02:11PM (#22730538) Homepage
    GP was talking about scp being implemented in 1995, not FTP.
