FTP Logs Used to Determine Attack Vector

  • June 10, 2019
FTP Logs Used to Determine Attack Vector

Logs can be very useful because they are a record of what was done by whom. They are especially useful when you need to find out more on how a website has been compromised. Since our job at Sucuri is to clean website malware, we don’t have any access to logs, or what we can see is very limited.

However, to help make the internet a safer place, we like to extend ourselves and conduct some forensics to investigate how some accounts are compromised. This particular website had been reinfected multiple times. In many cases, this is due to a different attack vector like a stolen control panel password for stolen FTP password.

The Importance of Changing Passwords Regularly

Daily we recommend our customers to change all of their passwords.

Changing passwords is not just a precaution, it can make all the difference between a website being reinfected and staying clean. Waiting even a few hours can be critical. If the password isn’t change initially it opens it up to malicious users to upload malware via FTP .

FTP Logs

The amount of logs and what can be learned from them depends on the hosting provider and how the server is configured. In this case, the client was using cPanel. Luckily, they had a sufficient amount of logs for us to conduct a full investigation.

In the screenshot below, you can see the cPanel file manager interface. Apache access logs and ftp_log files (aka FTP logs), are normally stored under /home/user/logs/. These are the logs from February 2019:

logs from February 2019

The logs can look pretty intimidating if you are not sure how to read them and what they mean.

Here is a very helpful document regarding reading proftpd logs.  cPanel uses these logs and it shows how the logs are structured.

A typical log entry consists of the following values:

current-time   transfer-time remote-host   file-size filename transfer-type   special-action-flag direction access-mode   username service-name authentication-method  authenticated-user-id completion-status

We are mainly looking for the time, direction, and username in the following structure (all one line).

Current-time – Current local time at the time of transfer.

Direction – is the direction of the transfer. Can be one of:

o – outgoing

i – incoming

d – deleted

Username – is the local username, or if guest, the ID string given.

In the log example below, there were two usernames we found:

1. ambient@DOMAIN.us – the username used to log in and upload the file in question.

2. reapdeveloper@reap.DOMAIN.com is another FTP account  used to upload the malware.

Uploaded Malicious Files via FTP

You can see from the logs that the files uploaded (incoming) via FTP:

Thu Feb 07 04:18:02 2019 0 150.107.189.51 260 /home/USER/public_html/DOMAIN.us/magem-.php a _ i r ambient@DOMAIN.us ftp 1 * c

Tue Feb 12 00:59:31 2019 0 115.118.113.154 1254 /home/USER/reap.DOMAIN.com/wpadmin.php a _ i r reapdeveloper@reap.DOMAIN.com ftp 1 * c

Tue Feb 12 03:29:56 2019 0 115.118.113.154 0 /home/USER/public_html/DOMAIN.us/wpadmin.php a _ o r ambient@DOMAIN.us ftp 1 * c

Tue Feb 12 03:30:49 2019 0 115.118.113.154 1254 /home/USER/public_html/DOMAIN.us/wpadmin.php a _ i r ambient@DOMAIN.us ftp 1 * c

Tue Feb 12 03:31:51 2019 0 115.118.113.154 1292 /home/USER/public_html/DOMAIN.us/wpadmin.php a _ o r ambient@DOMAIN.us ftp 1 * c

Tue Feb 12 03:31:59 2019 0 115.118.113.154 1256 /home/USER/public_html/DOMAIN.us/wpadmin.php a _ i r ambient@DOMAIN.us ftp 1 * c

Tue Feb 12 03:33:59 2019 0 115.118.113.154 1257 /home/USER/public_html/DOMAIN.us/wpadmin.php a _ i r ambient@DOMAIN.us ftp 1 * c

Initially the website was compromised on February 7th. Though it was cleaned, the passwords for the FTP users were not reset. This allowed the website to be compromised again and have additional malware uploaded on February 12th. After a full investigation, we cleaned the following files:

CLEARED: Cleared malware from file: ./magem-.php

CLEARED: Cleared malware from file: ./wpadmin.php Details: php.backdoor.wpuser.003

CLEARED: Cleared malware from file: ../..//reap.DOMAIN.com/wpadmin.php Details: php.backdoor.wpuser.003

Conclusion

Changing all passwords and not reusing them is important. As you can see, multiple FTP accounts were compromised and used to upload malware over and over again.

Changing database and control panel passwords is a good security practice since malware can get into the website via the database. Here are some quick tips on how to create strong passwords:

If you are looking for a website security solution, you can count on Sucuri to clean up and protect your website from further attacks.

 

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags
Related Categories
You May Also Like