Tag Archive for FTP

Hackers spy on corporate networks via emails and FTP

Chinese security firm Qihoo 360 reported that since December 2019, a group of miscreants has been hacking into DrayTek enterprise routers to record and spy on FTP (File Transfer Protocol) and email traffic inside corporate networks.


Netlab, the network security division of Qihoo, published a report saying they detected two different groups, each exploiting a zero-day vulnerability in DrayTek Vigor devices:
  • Attack Group A - targeting load-balancing routers, and
  • Attack Group B - targeting VPN gateways.

Qihoo did warn DrayTek about the zero-day vulnerability, but the message was sent to the wrong recipient and never reached DrayTek.

The company learned about the zero-days only after Group B's attacks in January, and released patches on February 10. The attacked models are discontinued routers; still, DrayTek released its patches as soon as it could.

Qihoo reported the attacked models as DrayTek Vigor 2960, 3900, and 300B, and said that only 10,000 active devices are running the vulnerable firmware version.

The Attack Groups

  • Attack Group A -
Of the two groups, Attack Group A is the more advanced.

It exploited a vulnerability in the RSA-encrypted login mechanism of DrayTek routers to inject malicious code through the username login field, giving the hackers control of the router.

The hackers could have used this access to launch DDoS attacks or worse, but instead they used the router as a spy device to record FTP and email traffic passing through it.

The recordings were then uploaded to a remote server every Monday, Wednesday, and Friday at 00:00. ZDNet reports the traffic was captured to harvest the login credentials of FTP and corporate email accounts.

  • Attack Group B -
Qihoo named the second group of hackers "Attack Group B". This group used a different zero-day vulnerability, first disclosed by the Skull Army blog in a 26 January post. The bad actors picked it up from the blog and began exploiting it within two days.

ZDNet reports: "Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown."

Enable passive mode in vsftpd

FTP hangs or throws this error after a successful login:

Vsftp – ftp: connect: No route to host

This usually means the passive-mode FTP data ports are blocked by a firewall. The control connection on port 21 succeeds, but the separate data connection the client opens afterwards cannot get through.

1. Make sure that passive mode is enabled (vsftpd enables it by default). Check the file /etc/vsftpd/vsftpd.conf for the following line:

pasv_enable=YES

2. Also check whether the passive port range is open in the firewall. You can limit the range, for example to 10000 through 11000, by adding the following lines to /etc/vsftpd/vsftpd.conf:

pasv_min_port=10000
pasv_max_port=11000

3. Restart the vsftpd service on the server:

service vsftpd restart

4. Open the same port range in the firewall (iptables) too. The rule must match the pasv_min_port/pasv_max_port values from step 2, otherwise data connections will still be dropped:

-A RH-Firewall-1-INPUT -p tcp --dport 10000:11000 -j ACCEPT
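The four steps above boil down to one consistency check: the passive range in vsftpd.conf and the range opened in iptables must agree. The script below is an added example, not part of the original post: it reads a vsftpd.conf, confirms passive mode is on and the range is sane, and prints the matching iptables rule so the two cannot drift apart. The chain name RH-Firewall-1-INPUT is taken from the rule above; the sample config is constructed for the demo and stands in for /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the original post): derive the iptables rule for the
# vsftpd passive data ports from the config file itself, so the firewall range
# always matches pasv_min_port/pasv_max_port.

# Print the value of a vsftpd.conf key (last definition wins, as vsftpd does),
# ignoring comments and surrounding whitespace.
vsftpd_get() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Validate the passive-mode settings and print the iptables rule that opens
# exactly that port range.  Exit status: 0 ok, 1 passive mode off, 2 bad range.
vsftpd_pasv_rule() {
    cfg="$1"
    chain="${2:-RH-Firewall-1-INPUT}"   # chain name from the post; adjust for your distro
    enabled=$(vsftpd_get "$cfg" pasv_enable)
    min=$(vsftpd_get "$cfg" pasv_min_port)
    max=$(vsftpd_get "$cfg" pasv_max_port)

    # vsftpd defaults to pasv_enable=YES; an explicit NO is what breaks clients behind a firewall.
    if [ -n "$enabled" ] && [ "$enabled" != "YES" ]; then
        echo "pasv_enable is $enabled: passive mode is off" >&2
        return 1
    fi
    # Without an explicit range vsftpd hands out any free high port, so there
    # is no fixed range to open; report that instead of guessing one.
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set: cannot limit the firewall rule" >&2
        return 2
    fi
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "invalid passive range $min-$max" >&2
        return 2
    fi
    printf -- '-A %s -p tcp --dport %s:%s -j ACCEPT\n' "$chain" "$min" "$max"
}

# --- demo with a constructed config (stand-in for /etc/vsftpd/vsftpd.conf) ---
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample vsftpd.conf
listen=YES
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=11000
EOF
vsftpd_pasv_rule "$demo_cfg"
# prints: -A RH-Firewall-1-INPUT -p tcp --dport 10000:11000 -j ACCEPT
rm -f "$demo_cfg"
```

Run it against the real config with `vsftpd_pasv_rule /etc/vsftpd/vsftpd.conf` and paste the printed line into the iptables rules file before restarting vsftpd. A non-zero exit tells you which of the two settings is the problem: passive mode switched off, or a range that is missing or inverted, both of which produce exactly the "No route to host" symptom described above.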