[Security] FTP Notification System


Wednesday, October 28th, 2009 - Security

AMS is proud to introduce a new feature for all of our cPanel accounts. Now you will be notified whenever someone logs into FTP on your account. You will be notified via e-mail at the contact address you have specified on your account. For information on updating your contact information, see our previous post on this topic.

Below we have addressed some frequently asked questions regarding this system.

Why did you start this system?

Lately we have been seeing a lot of accounts becoming compromised due to FTP hijacking. Somehow, hackers learn your FTP login credentials. They then FTP into your account and upload malicious material or deface your website. Hackers commonly obtain this information through malware on an end-user’s computer or through outdated scripts installed on a website. While this system will not prevent these hackings, it will notify you whenever someone accesses your FTP account, and can therefore alert you to unauthorized access to your FTP account.

How am I notified?

Notifications are sent to the e-mail address or addresses you have set up as contact addresses on your account. You should ensure that this information stays up-to-date so that you can be aware of any unauthorized access. If you do not have a contact address set up or if your contact address is set to an e-mail address that you no longer check, then you will not be notified of FTP connections on your account.

The message that you will receive will look something like:

FTP Notification Message

The Time, IP, and FTP User may differ.

I just received an FTP notification message, should I be worried?

That depends. Did you or someone you have authorized recently connect to your FTP account? If you recently logged into your account’s FTP, then this is a legitimate FTP login; you should not be alarmed by this message and it can safely be ignored. Because the system cannot determine what is a legitimate FTP connection and what is not, a message is sent for all FTP logins (hackers and malicious users do not log in any differently than you do).

If you have given your FTP information out to someone else or if you have other FTP users on your account, then you will be notified when they log into FTP. Again, you have to be the judge of whether or not that login is legitimate.

One key piece of information to look at is the IP address in the FTP notification:

IP: xx.xx.xx.xx (US/United States/-Hostname-)

This gives the IP address, the hostname that the IP address resolves to, and the country that is associated with that IP address. If the country is a foreign country and nobody from a foreign country should be accessing your account, then this might be cause for concern. The hostname can usually be used to identify the ISP associated with the connecting user, which in turn can help you decide whether or not a connecting user is legitimate. This should not be used as the sole arbiter for determining legitimacy of a connection, but it can play a role.

How do I know if a login is legitimate or not?

Again, this depends. Have you given your FTP login credentials out to anyone? Is anyone else supposed to be making changes to your website? You, as the owner of the account, are the only person that can make that determination. If you have other individuals that are supposed to be accessing your account, you may want to contact them and see if they have recently accessed your account via FTP.

I am seeing a lot of FTP connections from my IP address, but I am not FTPing into my account.

Do you have any automated systems that automatically connect to your account? For example, do you have an automated system that automatically uploads webcam images to your account? Any type of automated system that logs into your FTP account will register as an FTP login. If this is the case for you, then you can safely ignore these messages.

Are Virtual FTP users also notified?

Yes, virtual FTP users are also included in this notification. Virtual FTP users are FTP usernames that are identified as someuser@yourdomain.com. If someone logs in with one of these FTP usernames, you will receive an FTP notification message.

I connect to my FTP account several times a day, won’t this fill up my Inbox?

The system is designed to only send a notice once an hour per FTP user per IP address. This means that if you first connect to your FTP account at 8:11, then you will receive an FTP login notification. If you log in from the same computer (same IP address) as the same FTP user at 8:26, 8:37, and 8:43 you will not receive a notification for those logins. You won’t receive another FTP login notification until 9:11.

Keep in mind, the purpose of this system is to keep you informed so that you will know if any unauthorized FTP activity is taking place on your account. In order to perform this service, the system has to notify you of every unique FTP login. The system cannot know who is authorized and supposed to be accessing your FTP and who is not (no matter how smart they try to make computers).
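The once-an-hour rule above, sketched as an added example (this is not the code AMS runs). The class and function names, the sample logins and the choice to anchor the hour to the last notice sent are assumptions made to match the 8:11 to 9:11 walk-through.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # page: one notice per hour per FTP user per IP


class LoginNotifier:
    """Decides which FTP logins produce an e-mail notice (hypothetical class)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_notice = {}  # (ftp_user, ip) -> time the last notice was sent

    def should_notify(self, ftp_user, ip, when):
        key = (ftp_user, ip)
        last = self.last_notice.get(key)
        if last is not None and when - last < self.window:
            # Suppressed. The hour is counted from the last notice sent and is
            # not extended by suppressed logins (assumption: 8:11 -> 9:11).
            return False
        self.last_notice[key] = when
        return True


def at(hhmm):
    """Constructed helper: a time on an arbitrary example day."""
    return datetime.strptime("2009-10-27 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample logins (user, ip, time); IPs are documentation addresses.
LOGINS = [
    ("someuser", "198.51.100.20", at("08:11")),
    ("someuser", "198.51.100.20", at("08:26")),
    ("someuser", "203.0.113.7", at("08:30")),  # same user, new IP
    ("someuser", "198.51.100.20", at("08:37")),
    ("someuser@yourdomain.com", "198.51.100.20", at("08:40")),  # virtual user
    ("someuser", "198.51.100.20", at("08:43")),
    ("someuser", "198.51.100.20", at("09:11")),
]


def notified(logins):
    """Return the logins, in order, that would generate a notice."""
    notifier = LoginNotifier()
    return [(u, ip, t.strftime("%H:%M")) for u, ip, t in logins
            if notifier.should_notify(u, ip, t)]


if __name__ == "__main__":
    for row in notified(LOGINS):
        print(row)
```

Because the key is the pair of FTP user and IP address, the 8:30 login from a different address and the 8:40 login by a virtual FTP user each produce their own notice even though they fall inside the first hour.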

The Time of the FTP connection appears to be off.

While it is possible that the e-mail notification could be delayed somewhere along its way to you, you may want to look at the time stamp on the FTP connection:

Time: Oct 27 13:02:12 CDT

The Time is stamped with the timezone of the server; in this example CDT (Central Daylight Time) is used. If you are living in London, GB then you are likely running on GMT. CDT is 5 hours behind GMT, so while it is 13:02 CDT it would be 18:02 GMT. Once converted, the time may line up with your own local time.
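An added example (not AMS code) that reads the IP and Time lines shown in this post, converts the server time to UTC, and lists reasons a login deserves a closer look. The function names, the sample message, the CST entry and the expected-country and expected-domain lists are assumptions; only the two line formats come from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Server timezone abbreviations to UTC offsets; the post only uses CDT (UTC-5).
TZ_OFFSETS = {"CDT": -5, "CST": -6}
IP_RE = re.compile(r"^IP:\s*(\S+)\s*\(([^/]*)/([^/]*)/(.*)\)\s*$")
TIME_RE = re.compile(r"^Time:\s*(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\w+)\s*$")

# Constructed sample; only the Time and IP line formats come from the post.
SAMPLE = """\
Time: Oct 27 13:02:12 CDT
IP: 203.0.113.7 (US/United States/host7.isp.example)
"""


def parse_notification(text, year):
    """Extract IP, country code, hostname and UTC time. The year is passed in
    because the notification timestamp does not carry one."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            (fields["ip"], fields["cc"],
             fields["country"], fields["hostname"]) = m.groups()
        elif m := TIME_RE.match(line):
            local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            tz = timezone(timedelta(hours=TZ_OFFSETS[m.group(2)]))
            fields["time_utc"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return fields


def concerns(fields, expected_countries, expected_domains):
    """Return reasons to look closer; an empty list is not proof of legitimacy,
    since country and hostname are not the sole arbiter."""
    reasons = []
    if fields["cc"] not in expected_countries:
        reasons.append("unexpected country: " + fields["cc"])
    host = fields["hostname"].lower().rstrip(".")
    # Match on a label boundary so "notisp.example" does not pass for "isp.example".
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        reasons.append("unfamiliar hostname: " + host)
    return reasons


if __name__ == "__main__":
    parsed = parse_notification(SAMPLE, 2009)
    print(parsed["time_utc"], concerns(parsed, {"US"}, ["isp.example"]))
```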

Can I filter these messages out so as to not clutter my Inbox?

While this isn’t recommended, this can be done. See our post concerning this matter.

As always, any questions or concerns can be raised by submitting a support ticket at:

http://www.amshelp.com

Steven