Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTP Hacking on the Rise

Posted by CmdrTaco on from the how-long-before-a-protocol-becomes-retro dept.

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."

7 of 212 comments (clear)

  1. Uh oh by B3ryllium · · Score: 4, Insightful

    Further proof that FTP is for chumps. :) scp to the rescue!

    1. Re:Uh oh by B3ryllium · · Score: 5, Insightful

      Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

    2. Re:Uh oh by ivan256 · · Score: 5, Insightful

      Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

  2. Big deal.. by Junta · · Score: 5, Insightful

    First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ not a URL because it's ftp now? That's a goofy statement.

    And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL' or being emailed.

    And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what is intended for well and works under high load readily.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Big deal.. by Mr.+Sketch · · Score: 4, Insightful

      is there any reason to use ftp instead of the ssh file transfer protocol (sftp)? Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.
      --
      Things you think are in the Constitution, but are not.
  3. FTP attachments? by Anonymous Coward · · Score: 5, Insightful

    because few gateways scan for FTP attachments these days.

    Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

    Can anybody translate this into something that makes sense?

  4. Nothing wrong with ftp by koffie · · Score: 4, Insightful

    except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

    What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

    I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

    Of course scp/sftp is way better, everyone knows that. Or not?