
Over 97k non-protected FTP servers don’t have passwords

FTP servers are regularly hacked to obtain information and enable lateral movement

Published: November 15, 2021 By Darina Shramko


Hello cyber enthusiasts! The Cooltechzone team strives every day to keep you updated on the latest news in information security and show by example that cyber security is available to everyone.

You have already learned how to scan the entire Internet in a few minutes, learned about the vulnerabilities in Joomla and WordPress, and also figured out how your router can spy on you.

It's time to move to a higher level! Today we will talk about the features of port 21. We bet many of you didn't even know it exists. That's a pity, because it's better not to keep this port open; otherwise, your data can easily leak onto the Internet.

I did an independent study, which found that there are 97,377 open ports to date! As you might have guessed, the United States is the undisputed leader in these disappointing statistics. Hundreds of thousands of servers are at risk right now, so my job is to keep you and your data safe and secure against hackers.

Today I will tell you why the FTP port cannot be trusted and how to filter empty requests in Shodan. Let's go; it will be interesting!

Disclaimer: We in no way urge our readers to hack or take other illegal actions! All information in this article is presented solely to show how vulnerable user data can be and how to protect confidential information from unauthorized access.

Search for open FTP servers

It is no secret that some file servers are left open. They are pretty easy to find with the help of the Shodan hacker search engine. Let me show you how.

First, open Shodan and enter the following query:

"230 login successful" port:"21"

Now there are 97,377 open ports!

At the time of this writing, 97,377 results have been found. An impressive number, isn't it? Not surprisingly, the United States has become the leader in open FTP.

By the way, if you want, you can filter the results by operating system and product. Linux 3.x, Linux 2.6.x, and Windows XP are trendy among hackers; products include vsftpd, Pure-FTPd, pyftpdlib, Microsoft ftpd, and ProFTPD.

Of course, in addition to the valuable FTP servers, Shodan has a lot of dummies. Therefore, to optimize the search and find only genuine FTP servers, hackers write special software that connects to the FTP server and analyzes the directories' presence and sizes.

Thanks to such an optimized search, the hacker will receive a complete list of FTP servers, which will bring good income to cybercriminals in the future.

For more accurate results, I suggest looking for specific devices.

For example, you can use the following header, 220 Welcome to Asus FTP service, to get information about Asus devices.

Check it out; it works! Just enter the following query into Shodan:

"230 login successful" "220 Welcome to Asus FTP service" port:"21"

Search results for Asus devices

As you can see, we got a pretty good result. Here is a list of genuine devices. The list of devices can also be significantly expanded.

To better understand the search results, I recommend that you first look at RT-N10U, RT-AC86U, RT-AC56U, RT-N66U, RT-AC66R, RT-AC66U_B1, RT-AC68U, and RT-N18U. You can find and see which headers are used for successful authorization without a login and password.

See how I did it:

"220 Welcome to ASUS RT-AC68U FTP service" "230 Login successful"

Asus RT-AC68U device results

We received accurate information about specific devices; hackers use this data for personal gain (sell data, hack devices, blackmail, etc.).

What is an FTP server?

In short, an FTP server is a computer for storing files. It is part of a local or worldwide network, and remote access to it is organized according to specific rules for visitors, who can download and upload files.

FTP is an old protocol that dates back to 1971. Since then, although its essence has remained the same, it has changed significantly: a separate connection for data transmission appeared, and numerous control commands were added that were not there before.

FTP servers have certain features that distinguish them from, for example, web servers:

  • use of a separate channel for each connection
  • support for binary and text modes of information transfer
  • the need for user authentication
  • the ability to determine the types of files to be transferred

FTP servers have a drawback − they are poorly protected from hacking attempts. Despite this, by now, they are perhaps the most popular solution for remote file transfer.

The principle of operation of the FTP protocol

A feature of the FTP protocol is that it uses multiple connections. One channel acts as the control channel, through which the server receives commands and returns responses (as a rule, through port 21).

A little later, I will tell you about the features of port 21, but for now, let's figure out how the FTP protocol works.

So, before starting to work with the protocol, the client device opens a session. Throughout all further work, it remains open - the server "remembers" the session's state.

There are two modes in which the protocol can operate:

  • Active. The client device initiates a control connection and sends its IP address to the server. The client also sends the server the port number on which it will receive data. After receiving this information, the FTP server opens a connection with the parameters specified by the client node. The session is opened, and the file transfer begins.
  • Passive. Used when a firewall protects the client. In this situation, it cannot accept an incoming connection from the FTP server. The issue is resolved by sending the PASV control command to the server. The server, having received it, sends the client its IP address, as well as the port number. In turn, the client, having received this information, generates a connection to the server itself. A session is opened, and file transfer begins.
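The address and port exchange in the two modes above, as an added example that is not part of the original article. The `h1,h2,h3,h4,p1,p2` encoding used by the `PORT` command and the `227` reply comes from RFC 959; the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# PORT commands and 227 replies both carry "h1,h2,h3,h4,p1,p2" (RFC 959):
# four bytes of IPv4 address, then the port as high byte, low byte.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = _SIX.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {line!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in {line!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channel(line, client_ip, server_ip):
    """Describe the data connection that one control-channel line sets up.

    client_ip and server_ip are the two ends of the control connection.
    The announced address should be the sender's own; servers commonly
    refuse a PORT address that differs from the control-connection client.
    """
    ip, port = parse_endpoint(line)
    if line.upper().startswith("PORT "):
        mode, opener, sender = "active", "server", client_ip
    elif line.startswith("227"):
        mode, opener, sender = "passive", "client", server_ip
    else:
        raise ValueError("expected a PORT command or a 227 reply")
    same = ipaddress.ip_address(ip) == ipaddress.ip_address(sender)
    return {
        "mode": mode,
        "opened_by": opener,  # which side makes the TCP data connection
        "endpoint": (ip, port),
        "address_matches_sender": same,
    }


# Constructed sample lines using documentation address ranges.
ACTIVE = "PORT 192,0,2,10,195,80"
PASSIVE = "227 Entering Passive Mode (198,51,100,5,78,52)"

if __name__ == "__main__":
    for sample in (ACTIVE, PASSIVE):
        print(data_channel(sample, "192.0.2.10", "198.51.100.5"))
```

A server behind NAT that announces its private address in the `227` reply also shows up as a mismatch here, which is why passive mode often fails until the server's external address is configured.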

The exchange of information between the server and the client via the protocol can take place in the following modes:

  • Stream. Information flows between client and server in a continuous stream; the protocol does not process it in any way.
  • Block. The protocol divides the flow of information into blocks (header, volume, data).
  • Compressed. Algorithms compress the information before transmission.

FTP server algorithm

Image source – miro.medium.com

The FTP server uses username/password client authentication. The client device sends this data, the server checks it, and if a match is found, it sends an invitation to the client. You can also organize anonymous access to the server ─ without providing a login and password.

Earlier, I mentioned that FTP servers are poorly protected from hacking, so FTPS and SFTP were released to improve the security of the FTP protocol.

How to check port 21?

Follow my simple guidelines:

1. Open the system console and enter the following line: telnet yourdomain.com 21

Be sure to include your domain name! This command applies to all operating systems.

2. If port 21 is not blocked, a 220 response will appear. Note that this message may look different:

220 FTP Server ready

3. If there is no 220 response, it means that FTP port 21 is blocked. In this case, we recommend that you contact your ISP to open the port.
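The telnet test above, done from Python with the standard `ftplib` module and extended to report whether the server accepts a login without a password. This is an added example, not code from the original article; `audit_ftp` is a name chosen here, and it is meant to be run against a server you administer.

```python
import ftplib


def audit_ftp(host, port=21, timeout=5.0):
    """Check one FTP server you administer.

    Returns a dict with:
      reachable  - the server answered with a 220 greeting
      banner     - the greeting text (often reveals product and version)
      anonymous  - True if a login as "anonymous" was answered with 230
    """
    result = {"reachable": False, "banner": None, "anonymous": False}
    ftp = ftplib.FTP()
    try:
        # connect() returns the server greeting, the same 220 line
        # that the telnet test shows.
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        result["reachable"] = result["banner"].startswith("220")
    except ftplib.all_errors:
        return result  # closed, filtered, or not speaking FTP
    try:
        # login() without arguments sends USER anonymous and, if the
        # server asks for it, a placeholder password.
        reply = ftp.login()
        result["anonymous"] = reply.startswith("230")
    except ftplib.all_errors:
        pass  # e.g. 530: anonymous access is refused, the desired state
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    return result


if __name__ == "__main__":
    import sys
    # Default to the local machine; pass your own server's name instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(audit_ftp(target))
```

If `anonymous` comes back `True` on a server that is not meant to be public, disable anonymous access in the FTP daemon's configuration, or move the service to SFTP or FTPS.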

But what if you can't check the connection, and instead of the 220 response, you see an error message? The thing is that your Telnet Client is disabled. Don't worry; I'll tell you now what it is and how to enable it!

How to enable Telnet Client

Since the telnet command tests the connection, you need to ensure that the Telnet client is enabled in your operating system. Telnet is a client-server protocol that provides remote control of computers.

In our case, it will help us check the connection to FTP port 21. See how you can enable the Telnet client in Windows:

1. Press the Windows + R keys simultaneously, then type control to open the control panel.

Opening control panel

2. Go to Programs -> Programs and Features. Select Turn Windows features on or off.

3. In the new dialog box, check the box next to Telnet Client and click OK.

Telnet Client enabling

4. Restart your PC.

To access FTP servers, you might use FTP clients − special programs. There are many of them, and they can also be built into file managers and operating systems. I can recommend FileZilla, Total Commander, WinSCP, and FAR Manager among the free and available ones.

Surely all of you have used Total Commander at least once. This utility has been known to us since early versions of Windows OS.

But you have hardly heard about other utilities from this list, so now I will show you how to connect to an FTP server using one of the above programs.

How to connect to the FTP server

I suggest you use the free FileZilla utility. The application is available for all operating systems and has an intuitive user interface.

So, let's start!

First, you need to specify the IP address. You can take any of the IP addresses found in Shodan and check how the FileZilla utility works. I assure you that you will find a lot of exciting things.

Then, click on the Quick Scan button.

As a result, you will get the directories that are available on the FTP server. In my screenshots, you can see the real possibility of finding open FTPs in a few minutes:

Results of FileZilla scanning

You can see configs, backups, accesses, accounts, downloads, customer data, documentation, photos, and other confidential information among the files found.

To find the information they need, hackers use corporate FTP, where you can find something exciting (as a rule, such information costs a lot of money).

Hackers are not interested in personal FTPs; as a rule, personal photographs are stored there, which can hardly be sold for a high price.

How to close vulnerable ports in Windows?

To date, Windows is considered the most vulnerable OS because of its popularity and massiveness. Indeed, Windows has a more straightforward user interface than Linux, for example.

It is believed that more than 80% of parasitic traffic goes through 4 ports used for data exchange between different versions of Windows OS. The most vulnerable open ports on Windows are:

  • TCP port 445 (it is used for file exchange)
  • TCP port 139 (designed for remote connection to a computer)
  • UDP port 137 (used to search for information on other computers)
  • TCP port 135 (command jobs are executed through it)

So how do you close these ports?

For this, I recommend that you use the command line.

The Windows command line sets values for those system settings that do not have a graphical interface. These settings include the open connection ports considered here.

So let's get started:

1) Press the Win + R keyboard shortcut. In the command execution window that appears, type cmd and press OK

2) Copy the lines below into it one by one and press the Enter key:

netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=135 name="Block1_TCP-135"

netsh advfirewall firewall add rule dir=in action=block protocol=udp localport=137 name="Block1_UDP-137"

netsh advfirewall firewall add rule dir=in action=block protocol=udp localport=138 name="Block1_UDP-138"

netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=139 name="Block_TCP-139"

netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"

netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=5000 name="Block_TCP-5000"

Closing vulnerable ports

These six commands close the four most dangerous open Windows ports listed above, port 5000, which is responsible for discovering open services, and UDP port 138 of NetBIOS name resolution.

I also want to note that closing the most dangerous network ports on a computer does not guarantee the maximum security of the operating system. To always stay safe, you need to regularly install critical Windows OS update packages and use antivirus programs, safe browsers, and a VPN.

Conclusion

Today you are once again convinced of how vulnerable and insecure the Internet can be. You need to follow specific rules so as not to fall for the bait of hackers and scammers who need information about you.

Now you understand why it is dangerous to leave ports open and how easy it is to access file storage.

You cannot risk your Internet security because the consequences can be irreversible.

I hope you are inspired and have already tried my recommendations in practice! Sometimes, to protect yourself, you need to apply the reverse method and make sure from your own experience that the system is vulnerable. That is what we have done today with you.

Please let me know if you enjoy our cyber experiments. What topic would you like to talk about next time? Feel free to write your opinion in the comments − I will consider all your wishes!

Close ports and take care of yourself!

Author
Darina Shramko
Cybersecurity specialist and researcher.


1 comments for Over 97k non-protected FTP servers don’t have passwords

Daniel
Fearfully

We need to be more careful and see who we provide information to!!