How to investigate an FTP hack

February 26, 2011 — 6 Comments

If you have a website, there is a good change that one day you will get hacked. It happens. With so many possible ways to intercept connections & gain entry, you cannot safe guard them all, not permanently anyway. A determined intruder can get in. I myself have even had one of my cPanel accounts compromised. There are a number of methods for severely lowering the chances of an intrusion, but I will be saving that for it’s own article as it will be rather involved. For this article, I am going to show you how you can investigate a hack after it happens; specifically when it happens via FTP.

The most common way that a hacker gains access is with FTP. In order to do so, they must use your password. They can either simply guess it, have a bot guess it (see Dictionary attack and Brute force attack), or sniff it out from your computer. The last option involves installing software on your system that steals the password when you type it in.

In all the above cases, they gain your password and log in as you. The server thinks that you are the one connecting and has no way of telling that it is actually an intrusion; this is because they have authorized themselves as you. There are some precautions you can set up on the server to prevent password guessing, such as an brute force detecting firewall (See Config Server Firewall). Again, I’ll go into detail in a future article. Let us begin with what to do afteryou are hacked.

#1 – Identifying the hack

The first step is learning that you are hacked. There are some pretty obvious ones that will jump out at you and then there are those that you may never notice till you edit the file (see example 1.3).

#1.1 – Bad lines of code

Typical hacks simply insert code into your pages. If you are lucky (relatively speaking), the code will actually be not execute properly and will make your pages produce errors such as this:

You may also see miscellaneous other lines of errors or 500 Internal Server errors.

#1.2 – Home page is replaced

The hacker my opt to simply replace your entire page with their own. Typically I’ve seen this of the recreational or political hacker. Here are some unfortunate examples that I have witnessed on others’ sites:

Hacked site screen shot

Example 1

Hacked site screen shot

Example 2

#1.3 – Traffic stolen through .htaccess

This one is probably the worst one of them all. This elegantly simple hack will steal your traffic by directing all visitors that come from a search engine to the hacker’s site. Meaning, if someone finds your site on Google, they will never actually get to your page. They’ll be taken elsewhere. This is achieved through the .htaccess:

I say this one is the worst because it can go undetected for a long time. It will not produce errors on your site, and most people do not browse through their own code very often. The biggest tell tale sign is if you notice a significant drop in traffic. As a precaution, make it a habit to search your own website on search engines to see what comes up. You should be doing this anyway to keep track of your SEO practices.

#2 – What files have been hacked?

For the sake of this article, I’m going to use a recent example I ran across with a client. They were the victim of #1.1, bad lines of code. Here is the code that was actually at the bottom of their wordpress’ index page:

Obviously we know that the index.php file is infected, but what other files might be tainted as well? Lets find out. *Note: The following commands are done with SSH console to your VPS or dedicated server. If you do not have SSH acces, contact your hosting provider. They can do the following investigation for you.

From your document root, search for the bad code with a recursive ‘grep’ command. This can take a long time if you have a lot of files (I chose to ignore the error log because I’m looking for a list of infected files. I don’t need that list filled with extraneous hits of error log entries).

It would seem that the intruder went after nearly all the default php files on the account. A restore may be better than cleaning out each file, due to the sheer number of infected files.

#3 – When and Who did it?

Once you have found out how you’ve been hacked and where the bad file is, you can begin diving deeper. We’ll start with finding out when it occurred. A simple ‘list’ command will give you the date the file was modified.

Now we can search through the FTP logs to see who modified that file on Jan 14th. We’ll also be able to see what other files they modified:

#4 – We found the intruder, now what?

The list gives us the IP address of the intruder: 85.95.192.98. If you are feeling really curious, you can do a Geographic lookup of the IP to see where in the world it came from: IP Address locator. This particular threat was from France. Time to block that IP in our server’s firewall.

The list above also tells us two more pieces of information.

First, it gives us a list of modified files. We already knew most of them because of the search we did earlier for the hack code. If the hacker changed up which code they were using, the search through the logs will tell us what other files they touched. You can now look through the FTP logs for just that IP if you want.

Second thing that FTP log shows us, and most importantly, is what user logged in. In this case it was the main user “username”. The account holder’s user name. And because it was a successful authentication, we know that they have the password. You should change your password right away.

The next step is to remove the hack code from your files or do a restore. In our example, I opted to restore the entire account because there were so many files infected. I happened to have a backup from only 12 hours before the hack, so it made sense to restore. They are back to normal and everything is right in the world again.

In a future article, I’ll discuss way to prevent hackers and how to harden your server.

Jacob "Boom Shadow" Tirey

Posts Twitter

A linux web hosting administrator, a professional production sound man, and a renegade cop without nothing left to lose.... Ok, that last part is made up. In all seriousness, my passion in life is to help people; whether that be with help running their sites or with their productions. The name 'Boom Shadow' was given to me by a great group of filmmakers called Star Wipe Films. back in 2005 and has been with me since. I hope my site is helpful to you, and if there's something you need, drop me a line!
  • Alex

     nice post :)

  • Daronwolff

    very interesting many thanks i have the same trouble in my web site!

    • I am glad I could help out. Check back later; I should have the article about preventative measures written within the next week or two

      • Andrija

        Hey Jacob, what happened to the article about preventative measures ?

        •  @f53d74e66a77ac02a5db0bd5e67cf12c:disqus , sorry for the delay. Things have been a bit busy :)  I still plan on writing that article. I’ll be sure to let you know when its up. In the mean time, there is a really good article here: http://blog.servint.net/2011/09/08/help-us-help-you/

          The information in there is really useful and pretty much covers most of what I would write about as well.

          • Andrija

             Thanks Jakob :)