FTP Hacking on the Rise

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."

Uh oh

[B3ryllium]

Further proof that FTP is for chumps. :) scp to the rescue!

Big deal..

[Junta]

First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ [example.com] not a URL because it's ftp now? That's a goofy statement.

And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL' or being emailed.

And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what is intended for well and works under high load readily.

FTP attachments?

[Anonymous Coward]

because few gateways scan for FTP attachments these days.

Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?

FTP Attachment?

[flajann]

What the hell is a "FTP attachment"?
Doesn't make sense.

NEXT!

[Frosty Piss]

I'm sorry, but if when setting up server services the admin "forgets" to lock down FTP, they need to be canned. That is all. NEXT.

Re:Uh oh

[B3ryllium]

Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

Re:F-Secure are FUDmeisters

[IBBoard]

And it's all in the final line of TFA:

Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.

"This wasn't done as a sales pitch, but buy our Gatekeeper software!"

So what's the major difference between an FTP hosted file and a HTTP hosted file for most people? Either way it downloads a file from a site that they can be convinced to run. Sounds all about the same to me.

Re:Big deal..

[PlusFiveTroll]

Yes because http is the best way to download a directory of uncompressed files all at once

Stuffing everything in a big compressed file sucks for dial up users, ftp has its purpose.

Re:Uh oh

[ivan256]

Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

Re:Big deal..

[Mr. Sketch]

is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.

Re:Uh oh

[B3ryllium]

"Disco-era" is meant literally in the case of the original post, since its advent coincides with that of disco music.

And being one of the most widely used protocols doesn't mean it's not for chumps. It just means there are a lot of chumps.

Nothing wrong with ftp

[koffie]

except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

Of course scp/sftp is way better, everyone knows that. Or not?

Re:FTP is BAD! About DAMN time THAT makes press

[Aceticon]

Well, when the username is "guest" and the password is "anyemail@example.com" it hardly needs encrypting.

PS: The typical way to anonymously access and FTP server is using the "guest" or "anonymous" usernames and any e-mail address as password. This is actually the way a browser will access an ftp:// [ftp] URL.

Re:Dear Internets

[nacturation]

Please explain how to upload pages to a shared webserver in co-lo using BitTorrent.

WebDAV over SSL doesn't require FTP.
 

Re:What's next?

[CronoCloud]

nobody has a client that can handle it anymore

Actually Lynx, Camino, Konqueror, Firefox, Mozilla/Seamonkey suite, and IE7 can all handle Gopher.