Archive for the ‘FTP’ Category

Brute-force malware targets email and FTP servers

Monday, September 30th, 2013

A piece of malware designed to launch brute-force password guessing attacks against websites built with popular content management systems like WordPress and Joomla has started being used to also attack email and FTP servers.

The malware is known as Fort Disco and was documented in August by researchers from DDoS mitigation vendor Arbor Networks who estimated that it had infected over 25,000 Windows computers and had been used to guess administrator account passwords on over 6,000 WordPress, Joomla and Datalife Engine websites.

Once it infects a computer, the malware periodically connects to a command and control (C&C) server to retrieve instructions, which usually include a list of thousands of websites to target and a password that should be tried to access their administrator accounts.

The Fort Disco malware seems to be evolving, according to a Swiss security researcher who maintains the Abuse.ch botnet tracking service. “Going down the rabbit hole, I found a sample of this particular malware that was brute-forcing POP3 instead of WordPress credentials,” he said Monday in a blog post.

The Post Office Protocol version 3 (POP3) allows email clients to connect to email servers and retrieve messages from existing accounts.

The C&C server for this particular Fort Disco variant responds with a list of domain names accompanied by their corresponding MX records (mail exchanger records). The MX records specify which servers are handling email service for those particular domains.

The C&C server also supplies a list of standard email accounts—usually admin, info and support—for which the malware should try to brute force the password, the Abuse.ch maintainer said.

“While speaking with the guys over at Shadowserver [an organization that tracks botnets], they reported that they have seen this malware family bruteforcing FTP credentials using the same methodology,” he said.

Brute-force password guessing attacks against websites using WordPress and other popular CMSes are relatively common, but they are usually performed using malicious Python or Perl scripts hosted on rogue servers, the researcher said. With this malware, cybercriminals created a way to distribute their attacks across a large number of machines and also attack POP3 and FTP servers, he said.
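The distributed pattern described above is exactly what a per-source lockout misses: each bot tries a handful of passwords against a given server, so no single address ever trips a threshold. The following Python detector is an added example, not code from the article, Arbor Networks or Abuse.ch; it counts distinct source addresses per account over a sliding window on a constructed authentication-failure log. The log format, the sample addresses, the thresholds and the function names are assumptions made for illustration.

```python
"""Flag accounts under distributed password guessing (hypothetical detector).

Each Fort Disco bot tries one C&C-supplied password against standard
accounts on many servers, so per-IP lockouts rarely trigger.  Counting
distinct source addresses per account over a time window does catch it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real server's syntax):
#   <ISO-8601 UTC time> <service> auth-failed user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>pop3|ftp) auth-failed user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Accounts the article says the C&C hands out to the bots.
STANDARD_ACCOUNTS = {"admin", "info", "support"}

# Constructed sample: six sources hit pop3/admin at most twice each, one
# source hammers ftp/bob on its own, and one line is a successful login.
SAMPLE_LOG = """\
2013-09-30T10:00:01Z pop3 auth-failed user=admin src=198.51.100.7
2013-09-30T10:03:12Z pop3 auth-failed user=admin src=203.0.113.40
2013-09-30T10:05:44Z pop3 auth-failed user=admin src=198.51.100.7
2013-09-30T10:08:09Z pop3 auth-failed user=admin src=192.0.2.88
2013-09-30T10:10:30Z pop3 auth-failed user=info src=192.0.2.88
2013-09-30T10:12:51Z pop3 auth-failed user=admin src=203.0.113.41
2013-09-30T10:15:02Z pop3 auth-failed user=admin src=198.51.100.23
2013-09-30T10:17:33Z pop3 auth-failed user=admin src=203.0.113.9
2013-09-30T10:19:00Z ftp auth-failed user=bob src=203.0.113.200
2013-09-30T10:19:05Z ftp auth-failed user=bob src=203.0.113.200
2013-09-30T10:19:10Z ftp auth-failed user=bob src=203.0.113.200
2013-09-30T10:19:15Z ftp auth-failed user=bob src=203.0.113.200
2013-09-30T10:19:20Z ftp auth-failed user=bob src=203.0.113.200
2013-09-30T10:21:47Z pop3 auth-failed user=admin src=192.0.2.88
2013-09-30T10:25:00Z pop3 auth-ok user=alice src=192.0.2.10
"""


def parse_line(line):
    """Return a dict for an auth-failure line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "svc": m["svc"],
        "user": m["user"],
        "src": m["src"],
    }


def find_distributed_guessing(lines, window=timedelta(hours=1), min_sources=5):
    """Return {(service, user): stats} for accounts that received failures
    from at least `min_sources` distinct addresses inside one `window`.

    Stats describe the widest window found: distinct sources, total
    failures, the busiest single source (small when the guessing is spread
    across bots) and whether the account is one of the standard targets.
    """
    by_account = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_account[(event["svc"], event["user"])].append(event)

    findings = {}
    for key, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_src = defaultdict(int)
            for e in events[start:end + 1]:
                per_src[e["src"]] += 1
            if len(per_src) >= min_sources and (best is None or len(per_src) >= best["sources"]):
                best = {
                    "sources": len(per_src),
                    "failures": end - start + 1,
                    "max_per_source": max(per_src.values()),
                    "standard_account": key[1] in STANDARD_ACCOUNTS,
                }
        if best:
            findings[key] = best
    return findings


if __name__ == "__main__":
    for (svc, user), stats in find_distributed_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{svc}/{user}: {stats}")
```

On the sample, only pop3/admin is reported: six sources in 22 minutes, none of them above two failures. The single-source run against ftp/bob is left to ordinary per-IP lockout, which is the complementary control this detector assumes is already in place.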

Source: pcworld.com

Unusual file-infecting malware steals FTP credentials

Thursday, July 18th, 2013

A new version of a file-infecting malware program that’s being distributed through drive-by download attacks is also capable of stealing FTP (File Transfer Protocol) credentials, according to security researchers from antivirus firm Trend Micro.

The newly discovered variant is part of the PE_EXPIRO family of file infectors that was identified in 2010, the Trend Micro researchers said Monday in a blog post. However, this version’s information theft routine is unusual for this type of malware.

The new threat is distributed by luring users to malicious websites that host Java and PDF exploits as part of an exploit toolkit. If visitors’ browser plug-ins are not up to date, the malware will be installed on their computers.

The Java exploits are for the CVE-2012-1723 and CVE-2013-1493 remote code execution vulnerabilities that were patched by Oracle in June 2012 and March 2013 respectively.

Based on information shared by Trend Micro via email, a spike in infections with this new EXPIRO variant was recorded on July 11. “About 70 percent of total infections are within the United States,” the researchers said in the blog post.

Once the new EXPIRO variant runs on a system, it searches for .EXE files on all local, removable and networked drives, and adds its malicious code to them. In addition, it collects information about the system and its users, including Windows log-in credentials, and steals FTP credentials from a popular open-source FTP client called FileZilla.

The stolen information is stored in a file with a .DLL extension and is uploaded to the malware’s command and control servers.

“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” the Trend Micro researchers said.

The theft of FTP credentials suggests that the attackers are either trying to compromise websites or trying to steal information that organizations store on FTP servers. However, the threat does not appear to target any industry in particular, the Trend Micro researchers said via email.
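Because this EXPIRO variant rewrites every .EXE it can reach, the classic defender-side check is an integrity baseline of executables: hash them once, keep the baseline where the infected host cannot rewrite it, and re-hash on a schedule. The Python below is an added example, not Trend Micro's tooling or anything from the article; the directory layout, file contents and the run_demo() scenario are constructed for illustration.

```python
"""Integrity baseline for executables (added example, not Trend Micro tooling).

A file infector such as the EXPIRO variant described above rewrites .EXE
files it can reach.  Hashing every executable once, storing the baseline
off the monitored host, and re-hashing on a schedule exposes the change
without needing a signature for the infector.
"""
import hashlib
import os
import shutil
import tempfile

# The article names .EXE; other file-infector hosts can be added here.
EXEC_EXTENSIONS = {".exe"}


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, extensions=EXEC_EXTENSIONS):
    """Map each executable under root (path relative to root) to size and hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_of(full)}
    return baseline


def compare_to_baseline(baseline, root, extensions=EXEC_EXTENSIONS):
    """Report modified, new and missing executables relative to the baseline.

    Modified entries carry the size delta: a file infector appends its own
    code, so a hash mismatch with a positive delta is the signal to chase.
    """
    current = build_baseline(root, extensions)
    modified = [
        {"path": rel, "size_delta": current[rel]["size"] - old["size"]}
        for rel, old in sorted(baseline.items())
        if rel in current and current[rel]["sha256"] != old["sha256"]
    ]
    return {
        "modified": modified,
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def run_demo():
    """Constructed scenario: baseline two executables (and one ignored text
    file), then simulate an infector appending 16 bytes to one executable,
    dropping a new one and deleting another.  Returns the comparison report."""
    root = tempfile.mkdtemp(prefix="exe-baseline-")
    try:
        os.makedirs(os.path.join(root, "tools"))
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
        with open(os.path.join(root, "tools", "scan.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x01" * 50)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"not an executable, ignored by the baseline")
        baseline = build_baseline(root)

        with open(os.path.join(root, "app.exe"), "ab") as f:  # infector-style append
            f.write(b"\x90" * 16)
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"MZ")
        os.remove(os.path.join(root, "tools", "scan.EXE"))
        return compare_to_baseline(baseline, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

In the demo the appended 16 bytes show up as a hash mismatch with a positive size delta on app.exe, the dropped file is listed as new and the deleted one as missing. On a real host the baseline must be written to read-only or remote storage, since an infector running with the user's rights can otherwise rewrite it alongside the executables.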

Source: csoonline.com

Alphabetical command line list (Microsoft)

Tuesday, July 13th, 2010

The following list of Microsoft commands may come in handy for the post DOS generation (definitions sold separately…):

Arp
Assoc
At
Atmadm
Attrib
Batch files
Bootcfg
Break
Cacls
Call
Change
Chcp
Chdir
Chkdsk
Chkntfs
Cipher
Cls
Cmd
Cmstp
Color
Command shell overview
Comp
Compact
Convert
Copy
Cprofile
CScript overview
Date
Defrag
Del
Dir
Diskcomp
Diskcopy
DiskPart
Doskey
Driverquery
Echo
Endlocal
Eventcreate
Eventquery
Eventtriggers
Evntcmd
Exit
Expand
Fc
Filter commands
Find
Findstr
Finger
Flattemp
For
Format
Fsutil
Ftp
Ftp subcommands
Ftype
Getmac
Goto
Gpresult
Gpupdate
Graftabl
Help
Helpctr
Hostname
If
Ipconfig
Ipseccmd
Ipxroute
Irftp
Label
Lodctr
Logman
Lpq
Lpr
Macfile
Mkdir (md)
Mmc
Mode
More
Mountvol
Move
MS-DOS subsystem configuration commands
Msiexec
Msinfo32
Nbtstat
Net services overview
Net services commands
Netsh command overview
Netsh commands for AAAA
Netsh commands for DHCP
Netsh diagnostic (diag) commands
Netsh commands for Interface IP
Netsh commands for RAS
Netsh commands for Routing
Netsh commands for WINS
Netstat
Nslookup
Nslookup subcommands
Ntbackup
Ntcmdprompt
Ntsd
Openfiles
Pagefileconfig
Path
Pathping
Pause
Pbadmin
Pentnt
Perfmon
Ping
Popd
Print
Prncnfg
Prndrvr
Prnjobs
Prnmngr
Prnport
Prnqctl
Prompt
Pushd
Query
Rasdial
Rcp
Recover
Redirection operators
Reg
Regsvr32
Relog
Rem
Rename
Replace
Reset session
Rexec
Rmdir
Route
Rsh
Rsm
Runas
Sc
Schtasks
Secedit
Set
Setlocal
Shift
Shutdown
Sort
Start
Subst
Systeminfo
System File Checker (sfc)
Taskkill
Tasklist
Tcmsetup
TCP/IP utilities and services
Telnet commands
Terminal Services commands
Tftp
Time
Title
Tracerpt
Tracert
Tree
Type
Typeperf
Unlodctr
Ver
Verify
Vol
Vssadmin
W32tm
Winnt
Winnt32
WMIC overview
Xcopy


SMB Scanning Error, FTP Workaround

Wednesday, June 30th, 2010

Recently we had a problem connecting a Canon iR3300i SMB network scanner to client workstations, as the office had no server. Users could print without a problem, but were unable to receive scans. This SMB problem had flummoxed two other techs before we were called in, and the ultimate cause remains elusive even now.


In order to get the client up and running, however, our senior tech implemented a quick and relatively easy fix. FileZilla Server (available at http://download.cnet.com/FileZilla-Server/3000-2160_4-75123212.html?tag=mncol) was downloaded to one of the client machines, and an alternate profile with sufficient local authorization was added; this allowed the other workgroup machines to access the shared scan subfolders, once they were mapped to that folder, without using SMB. The FTP scan profiles on the Canon were then pointed to the individual host machine subfolders so that users could retrieve their scans.


While imperfect and hopefully only temporary until the clients purchase a server, this quick workaround provides a viable short-term alternative for anyone in a similar position.