Internet Security: Preventing Web Server “Hijackings”

By Dr. Seamus Phan

Way back in 1994, when the Internet became commercialized in Asia, we set up our first Web site, running on a secure BSD Unix server. However, not long after, we discovered that anonymous FTP sessions began, and megabytes of unknown files were deposited into the /incoming directory.

Soon after, my colleague Danny and I changed the server to allow administrator access, segmented the server for httpd processes, and wrote a script that moved any incoming file automatically so that the “bandwidth or ftp hijackers” could not use our server for illicit uploads and transfers. Since then, nothing more happened.

Vidz & Wrz Pirates

Many sites and servers these days face ftp hijacking, and according to many postings by Web masters, they have discovered that the uploaded files tend to be hundreds of megabytes in size, typically with the type DIVX and MPEG-1 (in VideoCD format).

Worse, some sites were bombarded simultaneously from various locations (several European locations) with all 50 connection sockets absorbed for uploading.

From casual observation, it would appear that bots were used for such hijacking, since the speed of connection attempts and directory hierarchy setups seem too calculated and speedy for real humans. The main culprits, reported by many Web masters, seemed to be universities (presumably college students hiding behind university connections) and cable modem or ADSL users (with transient domains).

What do you look for to determine if your FTP server has been compromised by pirates and hijackers? Here are some signs:

If there are invisible directories beginning with “.”. Many FTP clients hide these directories, and if you are not set up to view them, you may not know either. However, there are certain directories beginning with “.” that are legitimate and are usually system-related.

Some pirates create directories that begin with the structure “”, which are not obvious when you view “.” and “..” directories.

Pirates may sometimes misspell words, in line with the underground cracker culture, with words that begin with “f” are replaced with “ph”, and “s” words are changed to “z”.

You may also encounter strange, seemingly meaningless numbers for file names. These may be disguised. For example, “31337” is actually the word “eleet” (which in turn means “elite”).

Some files and directories may have common abbreviations, such as “wrz” for wares (or software), “appz” for software applications, “vidz” for videos, and “vcdz” for VideoCDs.

Shielded FTP

FTP hijacking not only creates security breaches but also reduces your bandwidth. There are several known ways to protect your enterprise.

First, disallow anonymous uploads. If you need to provide legitimate access by FTP, hand out user names and passwords to your user base. Otherwise, provide http downloads without FTP.

Since FTP servers may send passwords over the Internet without encryption, you may want to use SSH to provide secured access. As much as possible, disallow remote telnet sessions as telnet is a favorite tool for password hijackers to exploit. Hijackers use a variety of packet sniffers to sniff out passwords.

If you still must run some kind of FTP service, you may also change the default port number from 21 to something higher than 10000. This will create complexity for automatic bots that comb the Internet for accessible FTP servers.

You could also change your OS or update it. Many older versions of OSes can present exploits. This goes for Unix, Linux, freeBSD, and Windows.

On the other hand, if you are running an IBM AS/400 server, for example, it is unlikely that the remote intruder would have such systems to toy with, much less exploit. Also, if you can, set up a gateway firewall (not just a packet filter, but a stateful inspection one), and if not, firewall the FTP server itself.

Finally, the best test is to try exploiting the server yourself using “security audit” tools available on the Internet. You may be surprised how many holes there are.

Dr. Seamus Phan is a world-renowned authority on the technical security aspects of the Internet. Dr. Phan serves the BWW Society as Founder and Chairman of the Internet Security Committee, which is designed and conceived to gather and share information on the latest computer and Internet threats, to provide immediate information on technology’s newest developments in the prevention of Internet-relat ed security problems, and to increase and enhance all forms of Internet Security.

[ back to "Publications & Special Reports" ]
[ BWW Society Home Page ]