Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTP Hacking on the Rise

Posted by CmdrTaco on from the how-long-before-a-protocol-becomes-retro dept.

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."

18 of 212 comments (clear)

  1. What's next? by Anonymous Coward · · Score: 5, Funny

    Gopher?

    1. Re:What's next? by gnick · · Score: 5, Funny

      Gophers are actually not that hard to hack, although most of my experience is with prairie dogs. About 250 yards out with a decent scope and 'opening a port' is not that hard. Known exploit.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:What's next? by ObsessiveMathsFreak · · Score: 4, Funny

      WARNING: Attempting to hack Groundhogs may result in an infinite loop.

      --
      May the Maths Be with you!
  2. Uh oh by B3ryllium · · Score: 4, Insightful

    Further proof that FTP is for chumps. :) scp to the rescue!

    1. Re:Uh oh by B3ryllium · · Score: 5, Insightful

      Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

    2. Re:Uh oh by ivan256 · · Score: 5, Insightful

      Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

    3. Re:Uh oh by winkydink · · Score: 5, Funny

      Agree. The disco era ended sometime in the late 70's / early 80's. Of course, that's before half of the /. posters were born, so it's understandable that they wouldn't know this.

      Hey! You! Get off my lawn!

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    4. Re:Uh oh by Anonymous Coward · · Score: 5, Funny

      The disco era ended sometime in the late 70's / early 80's. It didn't end, it just got too cool for you.

      -- Disco Stu
    5. Re:Uh oh by fizzup · · Score: 4, Informative

      I think you may have misunderstood. RFC 114 refers to FTP, which is from the 70s. The poster was talking about scp, which is certainly from the mid-90s.

      Now, whether 1971 counts as disco-era is another question. I would say that it is pre-disco, since every school child knows that the disco era started with Soul Makossa in 1973.

    6. Re:Uh oh by HTH+NE1 · · Score: 4, Informative

      Hmm, scp has built-in support for transfering an entire directory with one command natively, but sftp can be used to transfer files between two servers while being controlled from a third site such that the transfer doesn't pass through the controlling client (useful for maintaining from a dial-up connection two high-speed servers that don't grant shell access).

      Decisions, decisions.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  3. Big deal.. by Junta · · Score: 5, Insightful

    First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ not a URL because it's ftp now? That's a goofy statement.

    And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL' or being emailed.

    And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what is intended for well and works under high load readily.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Big deal.. by Mr.+Sketch · · Score: 4, Insightful

      is there any reason to use ftp instead of the ssh file transfer protocol (sftp)? Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.
      --
      Things you think are in the Constitution, but are not.
  4. And the newest exploit... by downix · · Score: 4, Funny

    They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

    --
    Karma Whoring for Fun and Profit.
  5. Different protocol, but same stupidity by DigitalSorceress · · Score: 5, Informative

    Well, for my money, anyone who blindly clicks on a link.... FTP or HTTP and runs an executable that comes from it is going to get infected regardless of what protocol was used for it.

    The fact that a lot of gateways prevent certain actions based on the protocol just makes the "any key" users blindly click on stuff without worry - after all, they've "got protection"

    When it comes to any infection vector that involves social engineering, your brain (should you choose to use it) is your best virus protection.

    --

    The Digital Sorceress
  6. FTP attachments? by Anonymous Coward · · Score: 5, Insightful

    because few gateways scan for FTP attachments these days.

    Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

    Can anybody translate this into something that makes sense?

  7. FTP through email by whitehatlurker · · Score: 4, Interesting
    This has come full circle - back before internet connectivity was so wide spread, there were a few ftp via email gateways. (Yes, there were other networks alongside the internet.) You'd send your ftp commands and get email back (a few days later or the next week) with the uuencoded result.

    Now you have email viruses delivered via FTP. Cool.

    Yeah I'm old - get off my lawn!

    --
    .. paranoid crackpot leftover from the days of Amiga.
  8. FTP is BAD! About DAMN time THAT makes press by spitek · · Score: 4, Informative

    Clear TXT PASSWD = BAD Might as well bend over. I've made my hosting customers use SFTP/SCP for YEARS. Been very happy I have. Just like POP3 one day.. IF we are lucky people will stop using it. It's like sending your tax return to the IRS in a clear envelope with your name birth date and SS # showing. Just plan STUPID!

  9. Nothing wrong with ftp by koffie · · Score: 4, Insightful

    except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

    What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

    I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

    Of course scp/sftp is way better, everyone knows that. Or not?