
An FTP Hacking Attack

July 18, 2007

Another client of ours suffered a minor hacking attack, and I thought I’d take a moment to let you know how we think it was done, so you might be able to avoid it yourself.

Susie was editing a client’s site recently (for the purposes of this attack, it doesn’t matter which one) and noticed that in the content management system, ExpressionEngine, there had been a number of nearly invisible links added to many of the templates, including the footer.

What was added was a one-pixel image that linked from the client’s site to a site that offered recipes—chicken recipes, to be exact. That site had zillions of Google ads, and not much in the way of content. The site was owned by someone in Romania with a Gmail address. It was essentially a site whose sole purpose was to gather searchers looking for recipes, which are a commonly searched item online, and turn those searches into cash.

In addition to the template changes, there was also a small graphic added to the client’s images directory. So whoever did the hack had FTP or file-level access, as well as access to the database.

All in all, it was an almost undetectable hack, with very little consequence to the site in question—all our client’s site was doing was giving this chicken recipe site a boost in search engines, by pointing links to it from every page. We figure that the change had been in place for at least several weeks, perhaps longer.
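The two traces the hack left behind were an off-site link hidden behind a one-pixel image in the templates, and an extra file in the images directory. As an added example (not code from the original post or from ExpressionEngine), here is a small Python script that checks for both: it scans template HTML for links to other hosts that wrap a tiny or hidden image, and it compares a directory’s file manifest against a saved baseline so that added or changed files show up. The footer HTML, the host names (`.example` domains) and the baseline entries are constructed for the demo.

```python
"""Added example: two scheduled checks for the kind of tampering described above.

scan_for_hidden_links(): flag <a> tags pointing off-site that wrap a 1x1 or
hidden <img>, the way the injected recipe links were concealed.
manifest()/diff_manifest(): hash every file under a directory and compare with
a baseline, so a file dropped into the images directory is noticed.
"""
import hashlib
import os
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkImageParser(HTMLParser):
    """Collect (href, img attributes) for every <img> nested inside an <a>."""

    def __init__(self):
        super().__init__()
        self._open_href = None
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_href = a.get("href")
        elif tag == "img" and self._open_href is not None:
            self.found.append((self._open_href, a))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None


def _is_hidden(img_attrs):
    """True for a 1x1 image, or one hidden via inline style."""
    style = img_attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "width:1px" in style:
        return True
    try:
        w = int(img_attrs.get("width", "0"))
        h = int(img_attrs.get("height", "0"))
    except ValueError:
        return False
    return 0 < w <= 1 and 0 < h <= 1


def scan_for_hidden_links(html, own_host):
    """Return hrefs of links to other hosts that wrap a hidden image.

    Relative hrefs have no hostname and count as our own site.
    """
    parser = _LinkImageParser()
    parser.feed(html)
    hits = []
    for href, img in parser.found:
        host = urlparse(href).hostname or own_host
        if host != own_host and _is_hidden(img):
            hits.append(href)
    return hits


def manifest(directory):
    """Map each file path (relative to directory) to its SHA-256 digest."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, directory)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_manifest(baseline, current):
    """Return (added, modified, removed) path lists between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


# Constructed footer template: one legitimate logo link, one partner badge,
# and one injected 1x1 image linking off-site (placeholder domain).
SAMPLE_FOOTER = """
<div id="footer">
  <a href="/about">About us</a>
  <a href="/"><img src="/images/logo.gif" width="120" height="40"></a>
  <a href="http://chicken-recipes.example/"><img src="/images/px.gif" width="1" height="1"></a>
  <a href="http://partner.example/"><img src="/images/badge.png" width="88" height="31"></a>
</div>
"""

if __name__ == "__main__":
    print("hidden off-site links:", scan_for_hidden_links(SAMPLE_FOOTER, "www.client.example"))
    # Constructed baseline vs. current manifest of an images directory.
    baseline = {"logo.gif": "aaa", "badge.png": "bbb"}
    current = {"logo.gif": "aaa", "badge.png": "bbb", "px.gif": "ccc"}
    print("added/modified/removed:", diff_manifest(baseline, current))
```

Run `manifest()` once on a known-clean images directory and store the result; a cron job that re-runs it and calls `diff_manifest()` turns a weeks-long blind spot into a same-day alert. The link scan is deliberately conservative (only off-site links behind a hidden image), so it produces few false positives on normal footers.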

We immediately changed every password on that server—EE passwords, FTP passwords, and email passwords—and removed all the links, which was a bit of a whack-a-mole hunt.

We’re almost certain that the attacker first got the FTP password, and from there identified the EE database password by looking through the files. He (hackers are usually ‘he’s) then inserted the code into EE directly by accessing the database. There’s clear evidence that the EE interface was not used to insert the recipe links.

So, how did the attacker get the FTP password? Well, that’s unclear. But if you use regular FTP, there are many points between your computer and your server at which the password, which is sent unencrypted, can be captured—from intervening routers, from an unsecured wifi network, etc. So, effective immediately, we’re using SFTP for every client, for every connection. (We had been using SFTP for some sites, but not as a universal policy.)

If you still use regular old FTP, you’re taking a risk that simply doesn’t need to be taken—like leaving your keys in your car.

And if you’re using EE—it looks like there’s at least one sophisticated hacker out there who can figure out how to subvert your EE installation simply with database access.  EE is as secure and safe as any system I’ve used, but if it’s on an unsecured server, it’s just as vulnerable as the worst software out there.

Posted by Travis Smith at 4:10 PM


Comments

Something I’d like to add to this is that checking your site daily can easily help prevent these attacks from being on your site for longer than they would normally if you didn’t check. I check my site every day, esp. since I was attacked with the infamous adding of the iframe tags from a porn site - located somewhere in China.

My site is for all ages, not adults only. As such I cannot afford to have that content muttering my pages.

I have since switched to SFTP and use it solely. I hope it helps better than not. We’ll see as time progresses.

Reading this article helped me realize the potential danger of NOT using SFTP. I’d advise anyone not doing so to start today.

By Daniel Murphy from USA on May 5, 2008
