Compromised System: FTP
A domain/domains have had malicious code appended to common index files on the system (index.php, index.html, etc). This is a common exploit method used to compromise CLIENTS connecting to the targetted system because of its status as a trusted host.
 Vector of Attack
The most common vector of attack used is to compromise a users FTP password, using the same means as above. It is *very* common in hosting environments. The attacker then logs in with legitimate credentials, downloads web files (index.html, index.php, etc) and then uploads them with malicious code appended.
 Forensic Procedures
Step 1) Check last logs for the owner(s) of the effected domain, in this example the user is "david":
[root@server1 ~]# last david david ftpd32001 22.214.171.124 Thu Nov 27 02:49 - 03:15 (00:25) david ftpd26860 126.96.36.199 Thu Nov 27 02:37 - 02:48 (00:11) david ftpd32383 188.8.131.52 Sun Nov 23 17:34 - 17:37 (00:03) david ftpd15631 184.108.40.206 Mon Nov 17 11:36 - 11:45 (00:08) david ftpd8814 220.127.116.11 Mon Nov 17 11:27 - 11:32 (00:04) david ftpd8277 18.104.22.168 Mon Nov 17 11:27 - 11:32 (00:05) david ftpd8018 22.214.171.124 Sun Nov 16 05:40 - 05:45 (00:04) david ftpd7710 126.96.36.199 Sun Nov 16 05:40 - 05:45 (00:05) david ftpd7634 188.8.131.52 Sun Nov 16 05:39 - 05:44 (00:04) david ftpd18673 184.108.40.206 Fri Nov 7 16:01 - 16:04 (00:02)
Consult with the user what IP's they commonly connect with. In this example the IP 220.127.116.11 is known to be the users legitimate IP. 18.104.22.168 is the anomaly, and needs to be further investigated.
Step 2) Check /var/log/secure for access from the anomaly IP, 22.214.171.124. This is to identify how the account was accessed. A single login, with no failures would indicate that the attacker knew the users password in advance, indicating a compromised desktop. Multiple login failures would indicate that the attacker used a brute force attack to determine valid login credintials (We almost never see this. Its always an owned desktop. -Scott)
[root@server1 log]# grep 126.96.36.199 /var/log/secure* secure.4:Oct 31 11:04:35 server1 proftpd: server1.example.com (188.8.131.52[184.108.40.206]) - USER hrmmv: Login successful. secure.3:Nov 7 16:01:43 server1 proftpd: server1.example.com (220.127.116.11[18.104.22.168]) - USER hrmmv: Login successful. secure:Nov 23 17:34:10 server1 proftpd: server1.example.com (22.214.171.124[126.96.36.199]) - USER hrmmv: Login successful.
This example indicates that the attacker logged in on 3 separate occasions, with no login failures, indicating that the login credentials were known in advance.
Step 3) Using whois, identify the location for the IP:
[sshinn@gamera incoming]$ whois 188.8.131.52 % Information related to '184.108.40.206 - 220.127.116.11' inetnum: 18.104.22.168 - 22.214.171.124 netname: NEWRACK-NL descr: NewRack.eu NL department country: NL admin-c: SVS148-RIPE tech-c: SVS148-RIPE status: ASSIGNED PA mnt-by: WEDARE-MNT source: RIPE # Filtered person: Sergey V. Smirnoff address: OOO "Ronetel" address: Lenina 129 o. 17 address: Moscow address: Russia phone: +852 812 4838 fax-no: +852 812 4838 abuse-mailbox: email@example.com nic-hdl: SVS148-RIPE source: RIPE # Filtered
Step 4) Check the xfer_logs for the domain, which are located in: /var/www/vhosts/DOMAIN/statistics/xferlog_regular and /var/www/vhosts/DOMAIN/statistics/xferlog_regular.processed.1.gz
[root@server1 logs]# grep 126.96.36.199 /var/www/vhosts/DOMAIN/statistics/xferlog_regular Thu Nov 27 02:43:39 2008 299 188.8.131.52 4658688 /var/www/vhosts/DOMAIN/httpdocs/index.php a _ o r david ftp 0 * c
Using the above examples, this would indicate that the IP of 184.108.40.206, in .eu IP space, logged into the account on Nov 23, Nov 7, and Oct 31. On Nov 23, they uploaded the file index.php, which contained the malware. There were no login failures, indicating the credentials were known in advance. This could indicate that the users desktop has been compromised.