Brute Force FTP Password Hacking On The Rise

I know of at least six websites that I provide support for that have had
malicious code embedded into their web pages in the last few months. The
common entry point for the hackers in all of these cases has been FTP login.
Each site had simple username/password combinations and hence was fairly
easy to get into. It seems that the hackers are using an automated script
to insert their code as I've found that every single file with the filename
containing the words "index" or "default" gets modified, regardless of the
extension (whether .htm, .html, .php, .asp, etc.) and whether it's a file
that is actually even linked to or not.

Commonly, an invisible iframe gets inserted either after the
<body> tag or at the very end of the file to load external
content.

The file on the remote site then delivers the real payload. Sometimes
JavaScript code is inserted instead of an iframe. Again, the JavaScript
code loads an external JavaScript file which contains the real payload.

If your clients haven't made recent backups you will need to either manually
remove the offending code snippets or create a script to do it for you
(if many files are affected). If you leave the code in place or don't
remove it quickly enough, the site will end up on Google's blacklist.
Browsers like Firefox will then not show the site and instead put up
a big red warning page. IE will continue to show the hacked pages and is
probably the target of the malicious code in the first place. If your site
does get blacklisted you will need to request a re-scan from Google.
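
One way to write the cleanup script mentioned above, as an added example
(not code from the original post). It assumes an "invisible" iframe is one
with a 0 or 1 pixel width/height or CSS hiding; example.invalid is a
constructed placeholder, and external script tags are only reported, not
removed, because legitimate pages use them too.

```python
import os
import re

# Assumption: "invisible" means a 0/1 pixel dimension or CSS hiding.
HIDDEN = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>.*?</iframe\s*>", re.I | re.S)
EXT_SCRIPT = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//[^"'\s>]+[^>]*>""", re.I)

# Constructed sample page: one hidden iframe, one normal iframe, one external script.
SAMPLE = ('<html><body><iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
          '<p>Welcome</p>\n'
          '<iframe src="/map.html" width="600" height="400"></iframe>\n'
          '<script src="http://example.invalid/a.js"></script></body></html>')

def hidden_iframes(html):
    """Return every iframe element whose opening tag hides it."""
    return [m.group(0) for m in IFRAME.finditer(html) if HIDDEN.search(m.group(1))]

def external_scripts(html):
    """Return script tags that load from an absolute URL, for manual review."""
    return EXT_SCRIPT.findall(html)

def clean(html):
    """Remove hidden iframes only; all other markup is left untouched."""
    return IFRAME.sub(lambda m: "" if HIDDEN.search(m.group(1)) else m.group(0), html)

def scan_tree(root, fix=False):
    """Check every file named *index* or *default*, whatever its extension."""
    report = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if not re.search(r"index|default", name, re.I):
                continue
            path = os.path.join(folder, name)
            # latin-1 round-trips every byte, so unknown encodings are not damaged.
            with open(path, encoding="latin-1", newline="") as fh:
                html = fh.read()
            found, scripts = hidden_iframes(html), external_scripts(html)
            if found or scripts:
                report[path] = {"iframes": found, "scripts": scripts}
            if fix and found:
                os.replace(path, path + ".infected")  # keep the modified original
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(clean(html))
    return report
```

Run scan_tree(root) first to review the report, then again with fix=True;
the .infected copies should be moved off the web root once reviewed.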

The easiest way to avoid this hack is just to make sure all your (and your
clients') passwords are not overly simple. The password "password" is not a
good choice while "fuMrHack8" is better.