I have had an attack on my web server where .html files were copied by FTP into a public html directory.

The FTP password was very strong.

I'm trying to determine whether PHP initiated the FTP transfer. Is there an Apache or *nix log file that can give me this information?

Additional information: I have FTP log entries which seem to show that different IPs were used to log in and copy the files. I'm not sure, but does the ? before the IP indicate that it is not the account user (which in this case is kingdom)? It looks like several different IPs logged in, each one copying a different file, all in the space of less than 30 seconds. The offending files are "mickey66.html", "mickey66.jpg", and "canopy37.html".

2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)

2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)

2010-06-17T21:24:10.848782+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:18.528074+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:23.470817+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.38KB/sec)

2010-06-17T21:24:23.655023+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.

2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in

2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)

2010-06-17T21:24:28.760513+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.
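As an added worked example (not code from the question or from any of the answers), here is a small Python check that does what the thread converges on: parse pure-ftpd lines of the shape shown above, flag an account that logs in from several distinct client addresses within seconds, and classify each upload into the web root by where the client sat. The sample lines are constructed to mirror the question's entries; the IP addresses are documentation-range placeholders, since the real ones were lost in extraction, and the "server's own addresses" and "known workstation" sets are assumptions to be filled in for a real host. It also makes symcbean's point concrete: the FTP log records the client address, never the client software, so the only trace a PHP script running on the server itself could leave here is a connection from the server's own address.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample modelled on the question's pure-ftpd entries. Addresses are
# RFC 5737 placeholders, not the attacker's real IPs (those did not survive extraction).
SAMPLE_LOG = """\
2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: (?@192.0.2.10) [INFO] kingdom is now logged in
2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: (?@198.51.100.7) [INFO] kingdom is now logged in
2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: (kingdom@192.0.2.10) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: (kingdom@192.0.2.10) [INFO] Logout.
2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: (?@203.0.113.5) [INFO] kingdom is now logged in
2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: (kingdom@203.0.113.5) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)
2010-06-17T21:24:18.528074+01:00 webserver pure-ftpd: (kingdom@198.51.100.7) [INFO] Logout.
2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: (?@192.0.2.77) [INFO] kingdom is now logged in
2010-06-17T21:24:23.470817+01:00 webserver pure-ftpd: (kingdom@192.0.2.77) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.38KB/sec)
2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: (?@198.51.100.200) [INFO] kingdom is now logged in
2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: (kingdom@198.51.100.200) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)
2010-06-18T09:00:00.000000+01:00 webserver pure-ftpd: (?@192.0.2.1) [INFO] kingdom is now logged in
2010-06-18T09:00:05.000000+01:00 webserver pure-ftpd: (kingdom@192.0.2.1) [NOTICE] /home/kingdom//public_html/index.html uploaded (1200 bytes, 10.00KB/sec)
2010-06-18T10:00:00.000000+01:00 webserver pure-ftpd: (?@127.0.0.1) [INFO] kingdom is now logged in
2010-06-18T10:00:01.000000+01:00 webserver pure-ftpd: (kingdom@127.0.0.1) [NOTICE] /home/kingdom//public_html/cache/stats.html uploaded (300 bytes, 3.00KB/sec)
"""

# Assumed address sets (hypothetical values): the host's own addresses, and the
# administrator's workstation. A script on the server would show up in the first set.
SERVER_ADDRESSES = {"127.0.0.1", "203.0.113.1"}
KNOWN_CLIENT_ADDRESSES = {"192.0.2.1"}

# One syslog line: timestamp, host, "pure-ftpd:", "(user@client)", "[LEVEL]", message.
# Before authentication pure-ftpd writes "?" in the user position, hence "?@<ip>".
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ pure-ftpd: \((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<account>\S+) is now logged in$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \((?P<size>\d+) bytes")


@dataclass
class Event:
    ts: datetime
    ip: str
    kind: str          # "login", "upload" or "logout"
    account: str
    path: str = ""
    size: int = 0


@dataclass
class Burst:
    account: str
    start: datetime
    end: datetime
    ips: List[str]     # distinct client addresses seen in the window


def parse_log(text: str) -> List[Event]:
    """Turn pure-ftpd syslog lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, msg = datetime.fromisoformat(m["ts"]), m["ip"], m["msg"]
        login, upload = LOGIN_RE.match(msg), UPLOAD_RE.match(msg)
        if login:
            events.append(Event(ts, ip, "login", login["account"]))
        elif upload:
            events.append(Event(ts, ip, "upload", m["user"], upload["path"], int(upload["size"])))
        elif msg.startswith("Logout"):
            events.append(Event(ts, ip, "logout", m["user"]))
    return events


def find_login_bursts(events: List[Event], window_seconds: int = 60, min_distinct_ips: int = 3) -> List[Burst]:
    """Report windows in which one account logged in from at least min_distinct_ips addresses."""
    by_account = defaultdict(list)
    for e in events:
        if e.kind == "login":
            by_account[e.account].append(e)
    bursts = []
    for account, logins in by_account.items():
        logins.sort(key=lambda e: e.ts)
        i = 0
        while i < len(logins):           # greedy, non-overlapping windows starting at each login
            j = i
            while j + 1 < len(logins) and (logins[j + 1].ts - logins[i].ts).total_seconds() <= window_seconds:
                j += 1
            ips = sorted({e.ip for e in logins[i:j + 1]})
            if len(ips) >= min_distinct_ips:
                bursts.append(Burst(account, logins[i].ts, logins[j].ts, ips))
            i = j + 1
    return bursts


def classify_uploads(events: List[Event], webroot_marker: str = "public_html"):
    """Label each upload into the web root by client origin: server-local, known-client or unknown-remote."""
    findings = []
    for e in events:
        if e.kind != "upload" or webroot_marker not in e.path:
            continue
        origin = ("server-local" if e.ip in SERVER_ADDRESSES
                  else "known-client" if e.ip in KNOWN_CLIENT_ADDRESSES
                  else "unknown-remote")
        findings.append((e.ts.isoformat(), e.account, e.ip, e.path, origin))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for b in find_login_bursts(evs):
        print(f"BURST {b.account}: {len(b.ips)} addresses between {b.start.time()} and {b.end.time()}: {b.ips}")
    for row in classify_uploads(evs):
        print("UPLOAD", *row)
```

Run against the real log, a burst of one account from five addresses in 24 seconds stands out at once, while an upload tagged server-local would be the one pattern consistent with a script on the host itself having opened the connection.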

+2  A: 

You might have malware on your workstation that runs your FTP client. The malware must steal passwords from your FTP client and send them to some third party.

This happened to us. All our landing pages were injected with malicious code / iframe-url code that will download this malware on all machines that open the page in a browser.

this. __curious_geek
Thank you - I'm now running virus scan.
Mark Flint
After doing a whole computer scan with AVG there does not appear to be any virus on my workstation. No one else had FTP passwords, so I conclude, in this case, this was not malware stealing passwords from FTP client.
Mark Flint
+1  A: 

I have had an attack on my web server where .html files were copied by FTP into a public html directory.

How do you know they were copied via FTP?

The FTP password was very strong.

Not really very relevant. FTP sends passwords unencrypted, so even assuming that the files were delivered via FTP, if the password was sniffed it's irrelevant how much entropy it has.

I'm trying to determine whether PHP initiated the FTP transfer

You can't tell what the client was. Even if, like HTTP, the protocol provided for collecting information about the user-agent, there is no way of determining the accuracy of this information (it's sent by the client, therefore can be manipulated by the client).

Your FTP server log should have recorded details of which IP address / user account uploaded which files and when. But don't be surprised if there's nothing relevant in there.

C.

symcbean
I've updated the question with the FTP server log. It seems that the attacker used multiple IP addresses and was able to log in with the account user name as well as the ? user (is that 'root'?).
Mark Flint
+1  A: 

As far as I know, the FTP protocol does not have a User-Agent header or anything similar. Even if it had so, why would malware writers add code to actively identify their software as malware? And, why would you want to prevent legitimate use of scripting tools like PHP?

These kinds of attacks normally come from two sources:

  • Vulnerable scripts hosted in a public web server
  • Hosting clients that got their PCs compromised

If —as you seem to suggest— you actually have FTP logs to prove that those files were uploaded via FTP using your credentials, you probably have the IP address the files came from. Check whether it's your address and, in any case, grab a good virus scanner.

Álvaro G. Vicario
Hi, thanks. The IPs used were not mine, but is it possible for an attacker to spoof the IP addresses in the log?
Mark Flint
If they manage to hack the FTP server itself... But why wouldn't they just remove the log entries? Look for them at http://www.all-nettools.com/toolbox/smart-whois.php and, of course, change the FTP password if you haven't done it.
Álvaro G. Vicario
After looking up the IPs involved they appear to originate in Austria, Poland, Brazil, Israel and Sweden. That's 5 separate countries! All that to copy 3 small files. That's bizarre. I have opened a separate question to see if I can get any answers on this (http://stackoverflow.com/questions/3086438/server-ftp-attack-from-multiple-ip-addresses-spanning-5-countries-how-can-this)
Mark Flint