FTP Hacking on the Rise

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."

What's next?

[Anonymous Coward]

Gopher?

Re:What's next?

[gnick]

Gophers are actually not that hard to hack, although most of my experience is with prairie dogs. About 250 yards out with a decent scope and 'opening a port' is not that hard. Known exploit.

Re:

[PitaBred]

Every try opening a port with a .30-06? You don't have much left to hack...

Re:

[3p1ph4ny]

It depends on the architecture.

Re:What's next?

[ObsessiveMathsFreak]

WARNING: Attempting to hack Groundhogs may result in an infinite loop.

Re:

[Em Adespoton]

Nah; why use Gopher? It requires too much infrastructure and nobody has a client that can handle it anymore.... sort of like Archie.

I'd place my bets on something like WAIS or LDAP myself ;)

Re:

[CronoCloud]

nobody has a client that can handle it anymore

Actually Lynx, Camino, Konqueror, Firefox, Mozilla/Seamonkey suite, and IE7 can all handle Gopher.

Uh oh

[B3ryllium]

Further proof that FTP is for chumps. :) scp to the rescue!

Re:

[Brian Gordon]

SCP? Still disco-era. Try sftp, might as well since we tunnel every other service under the sun through ssh.

Re:Uh oh

[B3ryllium]

Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

Re:Uh oh

[winkydink]

Agree. The disco era ended sometime in the late 70's / early 80's. Of course, that's before half of the /. posters were born, so it's understandable that they wouldn't know this.

Hey! You! Get off my lawn!

Re:Uh oh

[Anonymous Coward]

The disco era ended sometime in the late 70's / early 80's.

It didn't end, it just got too cool for you.

-- Disco Stu

Re:

[nschubach]

Disco is NOT dead. Disco is LIFE!

Re:

[winkydink]

Nice leisure suit, Larry.

Re:

[Anonymous Coward]

Disco-era? It was first implemented in 1995.

Then why were people writing about it in 1971?
http://tools.ietf.org/html/rfc114 [ietf.org]

Re:Uh oh

[fizzup]

I think you may have misunderstood. RFC 114 refers to FTP, which is from the 70s. The poster was talking about scp, which is certainly from the mid-90s.

Now, whether 1971 counts as disco-era is another question. I would say that it is pre-disco, since every school child knows that the disco era started with Soul Makossa [wikipedia.org] in 1973.

Pay more attention...

[timbck2]

GP was talking about scp being implemented in 1995, not FTP.

Re:

[B3ryllium]

Fair enough. :)

Re:

[B3ryllium]

OP said that FTP was for chumps, and that SCP was the new shizzle. GP said that SCP was just as disco-era as FTP. Parent countered that SCP was implemented in 1995, indicating that FTP is literally disco-era.

Re:

[Chysn]

> OP said that FTP was for chumps, and that SCP was the new shizzle. GP said that SCP was just as disco-era as FTP. Parent countered that SCP was
> implemented in 1995, indicating that FTP is literally disco-era.

Thanks for the recap. If a bunch of geeks can't reach consensus on which technologies correspond to which musical trends, I'm just gonna go back to X-MODEM.

Re:

[B3ryllium]

XModem is for chumps. ZModem for the win!

Re:

[B3ryllium]

Yes, you're correct, except for the fact that the GP had called SCP "disco-era", in apparent disregard for the context of that phrase's usage. I was merely correcting the timeframe of SCP's inception.

Re:

[B3ryllium]

Why does everyone on Slashdot seem to lack reading comprehension today? The GP accused SCP of being "still disco-era", so I corrected him.

Re:Uh oh

[HTH NE1]

Hmm, scp has built-in support for transfering an entire directory with one command natively, but sftp can be used to transfer files between two servers while being controlled from a third site such that the transfer doesn't pass through the controlling client (useful for maintaining from a dial-up connection two high-speed servers that don't grant shell access).

Decisions, decisions.

Re:

[Brian Gordon]

SFTP is the more fully-featured protocol, says so right on wikipedia.

Re:

[blincoln]

SCP also doesn't allow things like directory listings. While that may be advantageous in some situations, it rules it out as a full FTP replacement. SFTP and FTP-over-SSL are the two main public protocols I'm aware of that allow that kind of thing.

Re:

[C0vardeAn0nim0]

SCP is new stuff, tunneled over ssh. i think you mean RCP, dontcha ? the old school non-encrypted stuff that could be configured to work without password using .rhosts on the destination host.

that's why we disable it in all unix boxes here at work.

Re:

[Brian Gordon]

No, SFTP is newer and more fully-featured than SCP. From wikipedia:

For most applications, the SCP protocol is superseded by the more comprehensive SFTP protocol, which is also based on SSH.

Re:

[Critical Facilities]

Yeah, cause no one [networkworld.com] uses [gatech.edu] FTP [leo.org] anymore [redhat.com], right [slackware.com]?

Re:

[B3ryllium]

I dunno about you, but I downloaded my last two distro ISOs (Knoppix and Ubuntu) using BitTorrent ... :)

Re:

[Critical Facilities]

Absolutely I did, but I'm just saying it's not like FTP is obscure.

Re:

[Critical Facilities]

Whoops, that first "no one" [yggdrasil.com] was supposed to have that link.

Re:Uh oh

[ivan256]

Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

Re:Uh oh

[B3ryllium]

... you probably recycle your waste electrons, too, don't you?

Re:

[gnick]

What do you suggest I do when my bit-bucket fills up?

Re:

[cHiphead]

More than that, this is not news at ALL. All of the malware has been using FTP for years, its the 'other' distribution methods that seem to be showing up a little more often, but FTP traffic is a lot less suspicious on very large LAN.

Cheers.

Re:

[realmolo]

Oh, please. "Wasting cycles"? You might as well encrypt ALL your data that travels over the Internet. It's free. It's easy. And, let's be honest, SCP is simpler to deal with than FTP in almost every way. The only catch is that Windows users will need to download an SCP client like WinSCP. Which, incidentally, does FTP, too.

And I don't want to hear the "but everyone already has an FTP client". Well, yeah, technically. But on Windows, you have either command-line FTP, which is too hard to use for most people,

Re:

[HTH NE1]

Dude, don't you know that it's Slashdot-hip to be ultra-paranoid about absolutely everything? Picking and choosing your encryption needs based upon, gasp, practicality and with an eye toward efficient use of your technological resources isn't going to win you any points around this place.

I don't say any more until the CSM-25 counter measure filter is activated.

Re:

[ajs]

Disco-era? FTP?! Hmmm... last I checked, FTP was one of the world's most widely used file transfer protocols.

• ftp://ftp.netscape.com/pub/netscape9/en-US/9.0/unix/linux/netscape-navigator-9.0.0.6.tar.gz [netscape.com]
• ftp://ftp.gnome.org/pub/GNOME/desktop/2.20/2.20.3/ [gnome.org]
• ftp://releases.mozilla.org/pub/mozilla.org/ [mozilla.org]

... and so on.

Re:

[B3ryllium]

"Disco-era" is meant literally in the case of the original post, since its advent coincides with that of disco music.

And being one of the most widely used protocols doesn't mean it's not for chumps. It just means there are a lot of chumps.

Re:

[Otto]

All the FTP usage is probably under a couple of percent. Torrents surpassed 50% of the total internet traffic some time ago.

Nothing wrong with ftp

[koffie]

except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

Of course scp/sftp is way better, everyone knows that. Or not?

Re:

[Blackknight]

The problem is a lot of programs do not support sftp and accounts that have shell access turned off are SOL any way since ssh needs a shell to work. While there are solutions like jailing users and restricted ssh they're a pain to set up and you still need the application support any way.

Big deal..

[Junta]

First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ [example.com] not a URL because it's ftp now? That's a goofy statement.

And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL' or being emailed.

And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what is intended for well and works under high load readily.

Re:

[Ed Avis]

It's true that ftp works reliably under high load. Then again, so does http. If you just want to serve some files to an anonymous public, I can't see much reason to not just put them in a directory and let Apache serve them - or some faster web server if you really have such a fast network link that Apache can't saturate it.

For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

Re:

[Firehed]

Depends on the sensitivity of what's being transported. With both protocols, all you need (from a user perspective anyways) is a good login and password. But if someone is eavesdropping on the connection, you really don't want your DB connection credentials or latest internal builds going over a plaintext line.

Re:

[PlusFiveTroll]

Yes because http is the best way to download a directory of uncompressed files all at once

Stuffing everything in a big compressed file sucks for dial up users, ftp has its purpose.

Re:

[TheThiefMaster]

Ok, so the only real advantage ftp has over http is the ability to "list" files in a machine-understandable way to allow mass-downloads?

I can't think of anything else.

The only other "feature" that I know of is that the protocol supports one client requesting a file transfer for a different client, but is that ever used?

Re:Big deal..

[garett_spencley]

"For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?"

Unfortunately there's a lot of software that simply does not support ssh/scp/sftp and will only work with FTP. Joomla is an example of a CMS that uses FTP to update template files and such that the web server can not write to. In this case you create an FTP server that listens on 127.0.0.1:21 and the PHP script, run under the web server user, FTPs to the host and logs in under a different user to upload the changes.

I've also got some business software that I run on my local machine that FTPs to my web server to upload new files. I really wish it would support ssh but it doesn't.

Maybe ssh tunnels are the way to go for such situations ? Either way FTP is still used for such circumstances. These programmers really need to get with the times.

Re:

[cromar]

Couldn't you use SSH tunneling [oreillynet.com]?

Re:

[ajs318]

You could {and BTW, there are actually two L's in "tunnelling"} but it wouldn't solve the problem here. The problem here is that people are using FTP to upload material {such as phishing site backends} to servers. The solution is actually to disable mod_userdir in Apache -- because then the phishing site can't be downloaded by recipients of the phishing e-mails.

Re:

[ajs318]

Look, I can forgive the Pilgrim Fathers not taking a copy of the Oxford English Dictionary on the Mayflower -- they probably had more important things to think about at the time. I can even forgive them naming the place they landed (Plymouth, Massachusetts) after the place they set off from (Plymouth, Devon). However, you've since had the better part of 400 years (and two Industrial Revolutions) in which either to learn to spell our language properly or to invent your own language. What's your sorry

Re:

[jafiwam]

Another big player (Microsoft) has been really slow on this too.

Just about the only secure protocol that's easy and already ready to use with Windows server 2k3 is HTTPS. And it's a pain in the rear to do do self signed certificates with it.

No support for SFTP, SSH, SCP or anything else without third party apps.

I have been told but not seen that the new server OS supports SFTP. But, when Win2k3 came out, it was a really really stupid move not to include SFTP.

Re:Big deal..

[Mr. Sketch]

is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.

Re:

[damn_registrars]

stealing the food from the mouths of poor SSH client developers, naughty naughty

I don't know about you, but I don't know anyone who is making money as an SSH developer. It comes (at least partially) from the OpenBSD [openbsd.org] project, which is non-profit. And many of the ssh clients and servers that are out there for windows (putty and cygwin, to name one for each) are free anyways.

So I'm not sure that there is really any food to steal. These guys make their money elsewhere, from what I can tell.

Hence, I think we need to look elsewhere for the reason why Microsoft doesn't include eve

Re:

[Mr. Sketch]

You mean people pay for an SSH client? I have only used free clients, namely PuTTY [greenend.org.uk] and WinSCP [winscp.net] for SSH/SFTP access on Windows and they seem to work just fine and I've never had a reason to seek out an alternate version.

Re:

[Hatta]

I trust the security of vsftpd more than I do apache.

Re:

[faxafloi]

For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

Depends on how they're authenticated. If your customer has a shell account on your machine, you're right. But some ftp servers that authenticate against, say, ldap or a database. Keeps your customers out of /etc/passwd.

You could certainly do this for a few files with http. But when there are ~2000 files totaling ~100 GB, and the customer is of the old school who probably doesn't know (or care)

Re:

[Obfuscant]

Well configured ftp servers don't allow download of files that have been uploaded. Mine doesn't even allow you to 'ls' the upload directory. It's a black hole.

And the newest exploit...

[downix]

They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

Re:And the newest exploit...

[Frozen Void]

google "NTP exploit"

Re:

[Idiomatick]

Oddly enough this post showed up as 4th on google right after your post. Time loop?

ntpd-exp.c

[commodoresloat]

Check it out [osdir.com]. That, my friends, is a real Clock Gobbler.

Re:

[sm62704]

They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

They alrteady did! [slashdot.org]

Re:

[Otter]

NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

I'm not sure if that's a typo or a pun...

Incidentally, while TFA is interesting, the summary here is a mix of inaccurate and incoherent.

Re:And the newest exploit...

[skeeto]

Actually, the OpenBSD guys believed the original NTP implementation to be a security risk and thus created their own: see Using OpenNTPD [openbsd.org] and this post [advogato.org] by the OpenNTPD maintainer.

Different protocol, but same stupidity

[DigitalSorceress]

Well, for my money, anyone who blindly clicks on a link.... FTP or HTTP and runs an executable that comes from it is going to get infected regardless of what protocol was used for it.

The fact that a lot of gateways prevent certain actions based on the protocol just makes the "any key" users blindly click on stuff without worry - after all, they've "got protection"

When it comes to any infection vector that involves social engineering, your brain (should you choose to use it) is your best virus protection.

FTP attachments?

[Anonymous Coward]

because few gateways scan for FTP attachments these days.

Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?

Re:

[phaunt]

because few gateways scan for FTP attachments these days.

Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?

I believe the writer of the summary has mixed up two things:

• Gateways don't bother with FTP traffic
• Instead of malicious attachments, e-mails include links to ftp servers.

Re:

[DigitalSorceress]

Yeah, I think they're probably talking about firewalls / anti-spam appliances. I used the term "gateways" myself in another reply, but I was thinking of firewalls...

I blame it on a severe caffeine deficiency which I shall now remedy.

Re:

[plague3106]

Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?

Yes, virus checkers can check the HTTP stream and abort the download if they find something. I think Norton was doing this in early 2001, I don't know if they still are.

Re:

[WK2]

Can anybody translate this into something that makes sense?

OK. Via spam, F-Secure found a malware web page with an ftp link. They think this is going to be a trend. Some businesses proxy http connections, and scan downloads for viruses. They believe that malware authors will shift away from http to ftp because there is a less likely chance that downloads will be scanned.

I don't see this happening. It is speculation, and I think malware authors will just use whatever servers they have access to, or whatever they know how to set up. Few organizations scan http or

Re:

[Sylver Dragon]

I think one of the other important points the article makes is that the hacked FTP servers aren't just random FTP server nor are they just small shops running Windows SBS with the Next-Next-Next install and no one monitoring them. The FTP servers were from large companies whom users might trust.

As has been said by someone above, blindly trusting links you get in emails, and then running the linked executable, either requires an amazing amount of ignorance these days, or a special kind of stupid. Yet, som

Re:

[hackstraw]

becoose-a foo getooeys scun fur FTP ettechments zeese-a deys.

Um gesh dee bork, bork! Ir, thet's becoose-a zeere's nu sooch theeng es un FTP ettechment? Iff yuoo ere-a refferreeng tu leenks, zeen I'm nut evere-a ooff uny furoos checkers thet ootumeteecelly doonlued und check HTTP leenks ieezeer. Hurty flurty schnipp schnipp!

Cun unybudy trunslete-a thees intu sumetheeng thet mekes sense-a?

Re:

[Crudely_Indecent]

something that makes sense

This is a phenomenon I like to call "talking out of the side of your neck" which is a method of communication where the words that one speaks do not pass the brain prior to arriving at the vocal cords. Essentially, the words take a detour at the neck to avoid the mean and logical brain.

Most likely, this was penned by a copy writer who assumed that email has attachments, why not FTP? Who really cares what l33t haxxors call files through FTP. I call it so 70's....SFTP anyone? Chroot jail anyone?

FTP Attachment?

[flajann]

What the hell is a "FTP attachment"?
Doesn't make sense.

Re:

[Ferzerp]

Every get the feeling that the summary was written by someone who doesn't quite grasp all the relevant details of the topic?

After that atrocious summary, I couldn't be bothered with RTFA

Re:

[idontgno]

Every get the feeling that the summary was written by someone who doesn't quite grasp all the relevant details of the topic?

You mean, edited by a typical /. editor? Yeah, it felt just like that.

Re:

[Blue Stone]

>What the hell is a "FTP attachment"?

Doesn't make sense.

I've only skimmed the summary, but from what I can tell it's something bad that you can get from the tubes like a malicious 'IM file' or a dodgy 'virus bug' that you might get from a pirated CD or something.

Dear Internets

[phoxix]

Lets kill FTP once and for all! It doesn't serve a purpose anymoar! Its been replaced with HTTP, Rsync, and BT!

k thx bye!

Re:

[Anne Thwacks]

Not to mention NYC!

Re:

[nacturation]

Please explain how to upload pages to a shared webserver in co-lo using BitTorrent.

WebDAV over SSL doesn't require FTP.
 

F-Secure are FUDmeisters

[Werrismys]

Just ignore them. It's good business for them to constantly cry "wolf".

Re:F-Secure are FUDmeisters

[IBBoard]

And it's all in the final line of TFA:

Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.

"This wasn't done as a sales pitch, but buy our Gatekeeper software!"

So what's the major difference between an FTP hosted file and a HTTP hosted file for most people? Either way it downloads a file from a site that they can be convinced to run. Sounds all about the same to me.

Re:

[PlusFiveTroll]

>Sounds all about the same to me.

Yes, and this is where people fail and security problems come from. FTP is not HTTP. It is a different protocol. Your webbrowser uses a different mechanism to transfer files with it, and it goes over different ports on the internet. Your anti-virus/anti-spyware/firewall doesn't auto-magically block this stuff, it must be programmed to do so. If the programmer didn't think of a mechanism that files could get by the firewall for example, then a virus could get on the netwo

Re:

[IBBoard]

That's a corporate vs home situation, though, where you're blocking at the boundaries rather than relying on standard AV where the source of the file should make no difference - it's a browser download so it should get checked.

FTP is a file download from a remote machine via an Internet connection. HTTP is a file download from a remote machine via an Internet connection. Both of them leave a file on your machine that you can then execute. I'd expect any normal firewall to check any files that a browser down

NEXT!

[Frosty Piss]

I'm sorry, but if when setting up server services the admin "forgets" to lock down FTP, they need to be canned. That is all. NEXT.

FTP through email

[whitehatlurker]

This has come full circle - back before internet connectivity was so wide spread, there were a few ftp via email gateways. (Yes, there were other networks alongside the internet.) You'd send your ftp commands and get email back (a few days later or the next week) with the uuencoded result.

Now you have email viruses delivered via FTP. Cool.

Yeah I'm old - get off my lawn!

Re:

[pak9rabid]

Yeah I'm old - get off my lawn!

Hmm, it is true old people are often concerned that there are children on their lawns.

HTTP through email

[BenEnglishAtHome]

Are there any HTTP to email servers left out there? You sent an email to an address with the URL as the subject; the server on the other end fetched the web page and mailed you a copy.

I occasionally have use for such a thing but the last server I used for this (maintained at a Japanese university, iirc) shut down years ago.

3rd Party Services

[boris111]

Speaking of FTP I was appalled the other day when my girlfriend told me their small company is paying $100 a month for a service [ftptoday.com] to use FTP for their clients. This service has a space limit of 300 MB!!! With GMAIL and Yahoo email offering unlimited storage this seems unbelievably small.

FTP is BAD! About DAMN time THAT makes press

[spitek]

Clear TXT PASSWD = BAD Might as well bend over. I've made my hosting customers use SFTP/SCP for YEARS. Been very happy I have. Just like POP3 one day.. IF we are lucky people will stop using it. It's like sending your tax return to the IRS in a clear envelope with your name birth date and SS # showing. Just plan STUPID!

Re:

[Aceticon]

Well, when the username is "guest" and the password is "anyemail@example.com" it hardly needs encrypting.

PS: The typical way to anonymously access and FTP server is using the "guest" or "anonymous" usernames and any e-mail address as password. This is actually the way a browser will access an ftp:// [ftp] URL.

Re:

[courtarro]

What part of an anonymous, read-only FTP login needs to be encrypted? There are still plenty of good uses for FTP that don't need the security of encryption.

What the article infers...

[johnlcallaway]

It sounds like that 'trusted' sites have been hacked, and that nefarious forces may place files on those trusted sites, then send emails that look authentic. That is, the email looks like it is from a responsible site and has an FTP URL for that site, but the file on the trusted site contains malware of some type.

I have gotten fake hallmark cards in the past, and only because the URLs were obviously not hallmark did I check the headers. Transform this into a malware that installs a back door, grabs your address book, then sends the address book full of trusted names back to the originator. Now you have an email from a trusted source that has URLs to a trusted site to help spread it.

Maybe I shouldn't have typed all that out.....

Re:

[johnlcallaway]

Maybe we aren't reading the same article. The one I read said this:

Last month, researchers at Finjan stumbled onto a cache of stolen FTP server administrative credentials that put nearly 9,000 FTP servers at some major global companies at risk, demonstrating just how widespread the old-school FTP remains at many organizations. Cybercriminals were selling a new crimeware package that would automatically infect those servers, some of which were from the world's top 100 domains.

So ... that link grandma just

"Now"?

[rrohbeck]

Rooted ftp sites have been used for warez and malware since the beginning of time, and the F-Secure folks discover this *now*?
Pretty lame.

Got hit by it

[ajs318]

My company got hit by this. Basically, someone found a username / password combination on a web server and FTP'ed up a phishing website. This user didn't have a valid login shell {it was set to /bin/false} but that didn't matter here because they didn't need to run shell commands {and in any case, if they needed to, they had a perfectly good cgi-bin directory they could use}.

Obviously you have to have FTP and web servers on the same machine, otherwise your hosting customers can't upload their pages. To limit the potential damage, disable mod_userdir -- all your users should already have their own domain names anyway. And if you have any "email only" users {usually, these will be secondary mailbox accounts, i.e. when you have things like fred@freds-shed.org.uk going into one mailbox and charlie@freds-shed.org.uk going into another} whose only way of accessing files is by POP3 or IMAP, use a different shell for them. {I recommend /bin/true for FTP-enabled users without shell access -- this needs to be mentioned in /etc/shells, of course, for FTP access to work -- and /bin/false for non-FTP users. This should not be in /etc/shells.}

If you have users who want to use scp or fish to upload stuff, they'll have to have a Bourne-like shell such as /bin/bash or /bin/ash. In which case, as a bare minimum you should disable password-based logins. There are better solutions involving chroot and per-user bin folders.

I'm a victim

[TheGreatOrangePeel]

I fell victim to an FTP security issue in January of last year. The hosting provider for my website allows for anonymous FTP by default and an organization of hackers was able to use this to upload files which somehow enabled them to edit content on my Drupal powered website (I've seen Wordpress sites fall victim to the same hack). All they did was a meta-redirect, but I had about a week of downtime as I restored from dated backups and got technical questions answered on the Drupal.org forums.

As it turns ou

Re:

[jo42]

You mean "pasv" then "bin".