My passwords cracked & used to upload viruses to websites. How??

[choie]

I feel filthy. Today I went to one of my client’s websites after uploading some updates – this is an html-based site, no Wordpress or other CMS (content management system). When I browsed to make sure the updates looked good, I immediately received an alert from AVG antivirus that three javascript files were infected with the js/Redirect virus. These .js files were all regular scripts I’d created myself. I went to the files on my computer and looked via FTP at the scripts on the server. Each of the latter had been altered on Feb 28. My originals were still the same older date when I’d created them (June 2013).

I then went to another site, hosted at the same company but on a different server. Same problem. Compared the “last modified” dates again, and once more, the .js files on the server were updated Feb 28. Mine were much older.

Did the same for a final third site, hosted at a different company. You guessed it: same thing.

Even weirder was that these scripts were both in the main /public_html directory and subdirectories a few levels below that. However, scripts in my Wordpress directory (I have a couple of installations) on one of the sites were unmodified. This is surprising, to say the least: WP is one of the biggest attack targets on the web, if not the biggest.

Anyway, I immediately ran a virus scan on my system, and meanwhile wrote my host for the first two sites for any ideas on how this could’ve happened, describing the issue. As usual they had a swift answer for me–I do love these hosts!

Yes. Look at this file:

Fri Feb 28 17:46:34 2014 0 (IP deleted) 3535 /home/(domain username deleted)/public_html/directory/includes/overlib/overlib_exclusive.js a _ i r (domain username deleted) ftp 0 * c

Your passwords have been broken, and your credentials were used to directly FTP to the server, download each one, insert a payload, and reupload. First thing: change your passwords, of course. Next up: scan your machine(s) with whatever up to date antivirus/malware scanner you have. The files themselves of course will need to to be reuploaded with clean copies to get rid of the bad payloads in those files.

The above-named file is a PHP directory program. Not sure exactly what the rest of stuff after the .js filename means.

So, okay, clearly it was my fault and I’m sickened by the thing.

What I don’t understand is how they simultaneously cracked my passwords. I don’t keep these passwords in the same place. They’re all non-standard words / characters. And they’re all different domains. How in heaven’s name did this happen? How did someone get access to my system, find the secretly named files (and in at least one case the file wasn’t even the whole password, just a word reminding me of the password phrase), figure out which one went with which site, and then do all of the above?!

I ran AVG and it did find and secure 30 trojans, but they were all in deleted emails I’d never opened or viewed. (My stupidity was in not deleting them from my Deleted Items tray, but if they download and I don’t open the attachments, can they still infect me?)

[drachillix]

choie:

if they download and I don’t open the attachments, can they still infect me?)

If they were in outlook or another mail client they could have exploited a security issue in the mail program and deployed.

[choie]

Thanks! But oy. It’s Windows Live Mail (desktop version), which is basically Outlook, which means ‘yes.’ Crapples. drachillix, your lovely computer that you built for me has been violated!

That bites. I really really prefer to keep a desktop client vs. just using Gmail. I’ve kept it updated… sigh.

Could I have a keylogger somewhere on the system? That’s the only thing I can fathom regarding how they’d have cracked these things as well as linking them to the domains. In which case God only knows what they’ve wrought.

AVG didn’t find anything. I guess I’d better do a MalwareBytes scan as well.

[tellyworth]

One possibility is that the password files on the server(s) were compromised and brute-forced. Even if they were on different servers the hosting company might use centralized auth.

Another is that your FTP client stored or logged the passwords insecurely on your PC, and that file was compromised.

There probably isn’t enough info here to be sure. I know you believe your passwords to be secure, but the way you describe them doesn’t rule out various insecurities there. If they were unencrypted and your PC has been infected with malware, then there are a bunch of possibilities.

[ZipperJJ]

Yeah your FTP app was probably compromised. What do you use?

Happened to me one time. Was awful and took a long time to clean up.

[choie]

Thanks, tellyworth. Edited to add: And ZipperJJ! You ninjaed your way in there.

Yeah, I know there are plenty of ways I could’ve screwed up somewhere, alas. I use CuteFTP Professional 8.0, but I’m not sure if they encrypt passwords (or how).

I did notice that there was another date where a few of the site’s index.php files were accessed/messed with: Jan 17. I know I didn’t do any work on these particular files (it’s the same program listed above), so I wonder if this program has known security issues. It seems as if they accessed the site twice. But I don’t know what that tells me, if anything. Well, MalwareBytes is running and we’ll see if this gives any clues. I’ll probably go to bleepingcomputer or one of the other usual malware-fighting places to see if I’m clear or not.

[Claverhouse]

tellyworth:

One possibility is that the password files on the server(s) were compromised and brute-forced. Even if they were on different servers the hosting company might use centralized auth.

There were two different hosts. I would go with your FTP idea more, or, obviously excluding family, see if anyone had access to the machine.

ZipperJJ:

Happened to me one time. Was awful and took a long time to clean up.

Personally, I keep a duplicate site in waiting on the server:
as in www. jjj is on the server at /home/name/xx/public_html

exact duplicate is in */home/name/yy/public_html
*

If it goes west, take the site offline, change /xx to /aa with FTP, then change /yy to /xx

Turn it back on. Erase /aa. I’m tending to not waste golden hours hunting down infinitely tedious changed files when I could be watching Ponyo.

Doesn’t work for forums of course, but forum hosters keep hourly back-ups anyway.
Anyway, this inspired me to quickly check some sites with Securi Sitecheck…

[choie]

Hi Claverhouse. Well, if this inspires anyone to check the security of their sites/computer, it’s all worth it. (Okay, not really. I’m nice but I’m not that noble.)

I agree that the CuteFTP client is by far the most likely suggestion, and I’m kind of annoyed I didn’t think of it myself. I was focusing on keylogging, but I’m almost certain I haven’t logged into all those control panels manually since before mid-January (one, yes, but not the others), so something stored on my hard drive makes more sense–and since they focused on the websites, the FTP is an excellent suggestion.

Oh and yep, we can definitely rule out anyone else having access to my system. I know one of my cats is thisclose to developing opposable thumbs–seriously, some of the things he manages to grab and hold w/his paws freak me out–but I’m pretty sure he can’t mash the keyboards with any accuracy. Yet.

Even if I know it was CuteFTP, the bastards got access to it somehow, which means I was lax in security somewhere, most likely via the email drachillix suggested or maybe some website? I do know one forum I’ve visited keeps redirecting me to this URL shortener page, and I have to click the BACK button to get to the original URL. Maybe they’re the ones who infected me.

(Or, OTOH, it’s a sign of my own infection. I mean, my AVG did flag the virus as js.Redirect. But since that’s the only site where this happens, it’d be a pretty specific virus.)

[Claverhouse]

Ah, there is remote access, beloved of both evil hackers and the Sword and Shield of our protection, the NSA, rather than people playing your hardware like a piano …
Apparently, some can use open ports or LogMeIn ( the latter with your user credentials probably; but who knows how clever they are getting ? ) to get in and look around. I’m not really interested enough in other people to spy on them, but it takes all sorts.
Don’t have cats at the moment sniff. But give yours my regards.

[ZipperJJ]

Claverhouse:

Personally, I keep a duplicate site in waiting on the server:

.

My situation involved having the
Master FTP account for one of my web servers hacked from my FTP app. Meant it could access and hack over a dozen of my client’s sites that I had done no editing on. I wouldn’t have been able to keep up with copying them all.

I did have to keep up with cleaning them all up, as it was my fault they got hit.

[si_blakely]

First, fix your passwords.

Then, stop using FTP. Get it disabled on the domains you manage and use SCP (I like WinSCP, but there are other options). The attackers could have picked your FTP passwords off the wire with a sniffer, either at your end, via a compromised home router, ISP link or (most likely) at the hosting end. FTP is not encrypted, and passwords are transferred from client to host as plain text.

[choie]

Thanks, everyone.

The swapping of directories as backups wouldn’t have helped much in this case, since as long as I had a password to the site, they got access to it. So sites on various servers to which I had usernames/passwords were infected throughout almost the whole directory system, including folders several levels down. Which is an incredibly tedious process to clean up, as you can imagine.

Oddly, my host seems to be certain that my having a proper virus scanner and super-hard passwords would make FTP perfectly safe. But since FTP transmits the passwords in clear text, any protecting of my own system doesn’t help if they’ve already got access to it.

I’ve asked a few times if I can use anything from SFTP, FTP/S, to SCP, and I’m not getting an answer. So I’ll ask you guys. How do I use WinSCP? Do I need to do anything on the host server’s end, or is it all client-based?

[BigT]

choie:

I’ve asked a few times if I can use anything from SFTP, FTP/S, to SCP, and I’m not getting an answer. So I’ll ask you guys. How do I use WinSCP? Do I need to do anything on the host server’s end, or is it all client-based?

SCP is a completely different protocol from FTP, so, yes, something has to be done on their end. The same goes for your other options.

The only way that those protocols would work is if they are already set up on the server. Though SSH and SFTP often go together, so if you have one you likely have the other.

[tellyworth]

si_blakely:

Then, stop using FTP.

This. Also, use version control. Subversion, Git, whatever floats your boat.

[si_blakely]

SCP requires SSH (secure shell) access. If you have just a hosting package, you may not have this.

Otherwise, they need to run an SFTP server, or provide one accessed via SSH. To not do so these days is pretty poor hosting. Maybe you should consider migrating to a web host that does.

[Claverhouse]

I just use FireFTP with the protocol set to SFTP, SSH over FTP. Computer nerds loving confusion there was also SFTP meaning Simple FTP once…
Can’t remember even setting up the SSH, possibly in a trance, but Dreamhost has it in the panel. DH regards SCP as superseded.
Anyway there is no such thing as a secure website, and separately, no such thing as a secure host.