Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTP Hacking on the Rise

Posted by CmdrTaco on from the how-long-before-a-protocol-becomes-retro dept.

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."

15 of 212 comments (clear)

  1. Uh oh by B3ryllium · · Score: 4, Insightful

    Further proof that FTP is for chumps. :) scp to the rescue!

    1. Re:Uh oh by B3ryllium · · Score: 5, Insightful

      Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

    2. Re:Uh oh by ivan256 · · Score: 5, Insightful

      Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

    3. Re:Uh oh by B3ryllium · · Score: 2, Insightful

      "Disco-era" is meant literally in the case of the original post, since its advent coincides with that of disco music.

      And being one of the most widely used protocols doesn't mean it's not for chumps. It just means there are a lot of chumps.

  2. Big deal.. by Junta · · Score: 5, Insightful

    First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ not a URL because it's ftp now? That's a goofy statement.

    And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL' or being emailed.

    And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what is intended for well and works under high load readily.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Big deal.. by PlusFiveTroll · · Score: 2, Insightful

      Yes because http is the best way to download a directory of uncompressed files all at once

      Stuffing everything in a big compressed file sucks for dial up users, ftp has its purpose.

    2. Re:Big deal.. by Mr.+Sketch · · Score: 4, Insightful

      is there any reason to use ftp instead of the ssh file transfer protocol (sftp)? Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.
      --
      Things you think are in the Constitution, but are not.
  3. FTP attachments? by Anonymous Coward · · Score: 5, Insightful

    because few gateways scan for FTP attachments these days.

    Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

    Can anybody translate this into something that makes sense?

  4. FTP Attachment? by flajann · · Score: 3, Insightful

    What the hell is a "FTP attachment"?
    Doesn't make sense.

    --
    Ruby Neural Evolution of Augmenting Topologies
  5. NEXT! by Frosty+Piss · · Score: 3, Insightful

    I'm sorry, but if when setting up server services the admin "forgets" to lock down FTP, they need to be canned. That is all. NEXT.

    --
    If you want news from today, you have to come back tomorrow.
  6. Re:F-Secure are FUDmeisters by IBBoard · · Score: 3, Insightful
    And it's all in the final line of TFA:

    Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.

    "This wasn't done as a sales pitch, but buy our Gatekeeper software!"

    So what's the major difference between an FTP hosted file and a HTTP hosted file for most people? Either way it downloads a file from a site that they can be convinced to run. Sounds all about the same to me.
  7. Nothing wrong with ftp by koffie · · Score: 4, Insightful

    except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

    What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

    I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

    Of course scp/sftp is way better, everyone knows that. Or not?

  8. Re:FTP is BAD! About DAMN time THAT makes press by Aceticon · · Score: 2, Insightful

    Well, when the username is "guest" and the password is "anyemail@example.com" it hardly needs encrypting.

    PS: The typical way to anonymously access and FTP server is using the "guest" or "anonymous" usernames and any e-mail address as password. This is actually the way a browser will access an ftp:// URL.

  9. Re:Dear Internets by nacturation · · Score: 2, Insightful

    Please explain how to upload pages to a shared webserver in co-lo using BitTorrent. WebDAV over SSL doesn't require FTP.
    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  10. Re:What's next? by CronoCloud · · Score: 2, Insightful

    nobody has a client that can handle it anymore


    Actually Lynx, Camino, Konqueror, Firefox, Mozilla/Seamonkey suite, and IE7 can all handle Gopher.