One of our clients reported that in his public_html directory some new directories and HTML files started to appear which he did not create. First think which comes to mind is that their FTP password has been compromised but after I looked at these files, it seems more like output of some bot, virus etc.
It seems the bot creates directories with names like “ambulancealphabetical”, “chemicalcollapse”, “enemyclimbing” etc.
Each of this directory contains directories with username-like names like “Anthony_Thomas38”, “Christopher_Alien80” etc.
Each of these directories then contain one file named “index.html” with content like this:
<meta http-equiv="Refresh" content="0; URL=http://dailybusinessfeed.com/?s=d6"><script>parent.location.href='http://dailybusinessfeed.com/?s=d6'</script>
Locations that these index.html files redirect to differ. Others are “9businessfeed.com/?s=d6”, “bizathome2012.com/?s=d6” etc.
There is also another directory that should not be there called “capbase” which contains subdirectory “mDBTWli” that contains file “index.html” that redirects to google.com.
Please, does anyone have an idea what could have created these directories and files? Is it a manifestation of some known virus?
Thanks very much.
does your client run any PHP or CGI applications on their site? Typically when files appear on your server, someone figured out how to exploit a file upload feature in a dynamic web application OR they were able to figure out how to execute code on your server which could be used to make your server download files from other locations and store them in the client’s public_html directory. You might want to investigate the transfer and error logs of that SiteWorx account to see if you can check out anything suspicious.
Suspicious activity would be anything referencing those files you mentioned, or POST/GET requests sent to very strange URL’s (outside the bounds of what the web application would normally use).
I thought it might have been attack of some bot/virus which is well-known, but after I scouted logs it turned out that the attacker was real person (I could see typos in FTP transfer log) and that after some invalid attempts he acquired FTP account password and then used this account to upload those files.
I still do not understand how he could know the FTP username which he brute-force attacked or how he could find out the 10-letter password (at least the client tells me it had 10 letters). It seems it must be somebody who knows client’s employees and probably watched them type the password and remember which letters it consists of.
FTP by default is not secure/encrypted. They could have sniffed the password. You can use FTP over TLS to combat the security problem (most clients such as filezilla have the ability to use TLS)
It’s also possible that the user uses the same password/username in other places, and the attacker was able to gain the password via some other service and using data they knew about the user, guessed the username. There are a lot of ways to get passwords unfortunately, the best thing to do is change passwords often, and don’t use the same password for every service.