• 300,000 Instances of Data Leakage

    Websites are the new battleground between malicious hackers and the general public. Malicious individuals and organizations use websites as a conduit for spreading malware. More than 6,600 otherwise benign websites are compromised every single day. One of the primary enablers of this kind of compromise is the amount of publicly available data about a website, which makes the job of a malicious hacker easy.

    In this post we will show how sensitive information about more than 300,000 websites is easily accessible on the Internet. This sensitive information is related to the file system, user names and other critical information which could be used to compromise the security of websites.

    What Type of Data is Leaked?
    This post focuses on the immense problem of data leakage and how it affects thousands of websites on the Internet today. Data leakage from websites can be categorized into two major groups.

    • User information: Data related to transactions such as credit card information, user information like site subscriber email(s), etc.
    • System information: Data related to ownership of a site, system level details such as Operating System vulnerabilities, and web application vulnerabilities, all of which can help a malicious hacker break in easily.

    Unfortunately, it is extremely easy to identify system information, as we show next.

    How is the Data Leaked?
    A popular and widely deployed FTP client, WS_FTP, makes it extremely easy to transfer files using FTP. One drawback of this software is that it usually creates a log file, and most administrators using it may not pay attention to this default behavior. These log files contain sensitive information such as file source and destination, file name, date and time of upload and more.

    More importantly, administrators do not realize that when they upload files to their websites using this software, this log file is uploaded and made publicly available. This is the starting point for a malicious hacker to gain sensitive information about a website. This issue has been well known for years, yet it continues to be pervasive. [1] [2]

    To identify websites with this type of data leak on the Internet, one only needs to use the search term below in a popular search engine.

    inurl:WS_FTP.LOG
    

    This type of data leak is even present on a very large American news network’s website.

    100.02.01 15:28 B L:\content\interactive\virtual\.HSancillary --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual .HSancillary
    100.02.01 15:28 B L:\content\interactive\virtual\360.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual 360.txt
    100.02.01 15:28 B L:\content\interactive\virtual\3d.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual 3d.txt
    100.02.01 15:28 B L:\content\interactive\virtual\champagne.buying.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual champagne.buying.txt
    100.02.01 15:28 B L:\content\interactive\virtual\champagne.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual champagne.txt
    100.02.01 15:28 B L:\content\interactive\virtual\elex.features.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual elex.features.txt
    100.02.01 15:28 B L:\content\interactive\virtual\hurricane.info.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual hurricane.info.txt
    100.02.01 15:28 B L:\content\interactive\virtual\prim.polls.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual prim.polls.txt
    100.02.01 15:28 B L:\content\interactive\virtual\prim.results.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual prim.results.txt
    100.02.01 15:28 B L:\content\interactive\virtual\town.meeting.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual town.meeting.txt
    

    Data Leaked from the WS_FTP Log
    What can we tell from the information in the logs?

    • Usernames and Logins
    • Website names
    • IP addresses of the websites, resolved from the website names
    • Host name
    • IP address of the server, resolved from the host name
    • Directory structure on the server side
    • Directory structure on the client side

    How to Mitigate the WS_FTP Data Leak?
    Prevent the log file from being created:

    1. Click [Options]
    2. Click [General]
    3. Uncheck [Enable log]
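
    Disabling the log does not remove copies that were already uploaded. As an added example (not part of the original post), the script below walks your own document root for files named WS_FTP.LOG and lists what each one discloses. The entry layout is inferred from the excerpt above; the sample lines, the host ftp.example.com and the function names are constructed for illustration.

```python
import os
import re
import sys
from pathlib import PureWindowsPath

# Upload entry layout as it appears in the excerpt on this page:
#   <date> <time> <mode> <client path> --> <host> <server dir> <file name>
ENTRY = re.compile(r"^(\S+) (\S+) (\S) (.+?) --> (\S+) (\S+) (.+)$")

# Constructed sample modelled on the page's excerpt (host is a placeholder).
SAMPLE = [
    r"100.02.01 15:28 B L:\content\interactive\virtual\360.txt --> ftp.example.com /www/site/interactive/virtual 360.txt",
    r"100.02.01 15:28 B L:\content\interactive\virtual\3d.txt --> ftp.example.com /www/site/interactive/virtual 3d.txt",
    "not a transfer entry",
]

def parse_line(line):
    """Return the fields of one upload entry, or None if the line does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    date, time, mode, client_path, host, server_dir, name = m.groups()
    return {"date": date, "time": time, "mode": mode, "client_path": client_path,
            "host": host, "server_dir": server_dir, "name": name}

def disclosed(lines):
    """Collect what the entries reveal: host names and both directory layouts."""
    out = {"hosts": set(), "client_dirs": set(), "server_dirs": set()}
    for entry in filter(None, map(parse_line, lines)):
        out["hosts"].add(entry["host"])
        out["client_dirs"].add(str(PureWindowsPath(entry["client_path"]).parent))
        out["server_dirs"].add(entry["server_dir"])
    return out

def find_logs(docroot):
    """Return every file under docroot named WS_FTP.LOG, in any letter case."""
    hits = []
    for folder, _dirs, files in os.walk(docroot):
        hits += [os.path.join(folder, f) for f in files if f.lower() == "ws_ftp.log"]
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python audit_wsftp.py /path/to/your/docroot
    for path in find_logs(sys.argv[1] if len(sys.argv) > 1 else "."):
        with open(path, errors="replace") as fh:
            found = disclosed(fh)
        print(path)
        for kind, values in found.items():
            print(f"  {kind}: {', '.join(sorted(values)) or '-'}")
```

    Any file it reports should be deleted from the server after review, since the log is served like any other static file.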

    Conclusion
    It is clear that data leakage is a big problem on the Internet. Popular software like WS_FTP allows sensitive information to be leaked unintentionally, helping malicious hackers to break in. More than 6,600 benign websites are compromised every day; don’t let your website be one of them. For more information about how we can help you, please feel free to visit our services page.