Critical FTP attack explained: How hackers gained access via open FTP servers

What at first glance appears to be an isolated technical incident turns out, on closer inspection, to be a striking example of a widespread risk. Outdated and inadequately secured basic services continue to be an attractive gateway for attackers. The recent incident highlights not so much an individual failure as a structural challenge faced by many organizations, especially those where mature infrastructures and ongoing operations make regular security checks difficult.

Last week, our team discovered a real, active attack on a customer that exploited a classically misconfigured FTP infrastructure. The attacker combined simple but effective techniques such as banner grabbing, anonymous login, and directory traversal to gradually gain deeper access to sensitive data. The incident exemplifies how low the barriers to entry are for attackers when basic security mechanisms are missing or no longer up to date.

The incident

The attack began with a simple Nmap scan, which identified an openly accessible FTP service on port 21 within the customer’s network. The target system was running ProFTPD 1.3.5, an outdated version with known security vulnerabilities. Among these was CVE-2015-3306, which allows attackers to access the server without authentication under certain circumstances. Such known vulnerabilities are publicly documented and actively exploited in an automated manner, often long after the relevant updates have become available.

The attacker discovered the openly accessible FTP server and logged in without a password because anonymous access was enabled. This gave him immediate access to the stored files and allowed him to download large parts of the server’s contents, including sensitive data. He then used directory traversal to break out of the folders that were actually shared and reached other directories that were never meant to be public. Finally, the attacker attempted to use the server as a “springboard” to explore the internal network and find other reachable systems, a typical next step in expanding an attack.

This incident should therefore not be seen as an isolated case, but as a clear warning: exposed legacy services are a preferred target and deserve special attention before they are discovered by attackers.

Our team’s response

After discovering the attack, our team responded immediately and initiated an active response measure. The affected FTP server was isolated from the network within minutes, effectively preventing further access and possible data exfiltration. At the same time, we communicated transparently with our customer about the immediate measures taken. In close coordination, sustainable hardening measures were then implemented on the customer’s side.

Our recommendations for action:

If you operate an FTP server, whether for internal or external use, follow these steps to make your systems more secure:

  • Disable anonymous access: Only authorized users should be granted access. No “anonymous:anonymous”!
  • Use SFTP or FTPS instead of plain FTP: Encrypted connections prevent passwords and data from being intercepted.
  • Update your FTP software regularly: Outdated versions such as ProFTPD 1.3.5 or VSFTPD 2.3.4 are often targets of attacks. Keep your software up to date.
  • Restrict access via firewall rules: Only allow known, internal IPs. Block all external connections that are not necessary.
  • Enable logging and monitoring: Every login attempt must be logged.
  • Protect against directory traversal and FTP bounce attacks: Disable dangerous commands such as “PORT” and “EPRT” when they are not needed. Check whether your software blocks such attacks.
  • Perform regular security audits: Use tools such as Nmap (“--script=ftp-anon,ftp-brute,ftp-bounce”) or Metasploit to identify vulnerabilities yourself before an attacker does.
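As an added example (not part of the original post), the following Python script turns the logging, traversal and bounce points above into a simple detection: it parses lines of an assumed ProFTPD ExtendedLog written with LogFormat "%h %u \"%r\" %s" (a layout chosen here, with constructed sample lines) and flags anonymous logins, “..” path components and PORT/EPRT requests that point at a host other than the client.

```python
import re

# Assumed ProFTPD ExtendedLog layout (assumption, not from the post):
#   LogFormat "%h %u \"%r\" %s"  -> client IP, user, full command, reply code
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<user>\S+) "(?P<cmd>[^"]*)" (?P<status>\d{3})$')
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

# Constructed sample: anonymous session leaving the share and asking for a
# data connection to a third host, followed by a legitimate user session.
SAMPLE_LOG = """\
192.0.2.10 - "USER anonymous" 331
192.0.2.10 anonymous "PASS (hidden)" 230
192.0.2.10 anonymous "CWD ../../etc" 250
192.0.2.10 anonymous "RETR ../../etc/passwd" 226
192.0.2.10 anonymous "PORT 10,0,0,5,0,22" 200
198.51.100.7 alice "PASS (hidden)" 230
198.51.100.7 alice "RETR reports/q1.pdf" 226
"""

def port_target(arg):
    """Return the IP an active-mode PORT/EPRT argument points at, or None."""
    if arg.startswith('|'):                 # EPRT |1|10.0.0.5|22|
        parts = arg.split('|')
        return parts[2] if len(parts) > 3 else None
    octets = arg.split(',')                 # PORT h1,h2,h3,h4,p1,p2
    if len(octets) == 6 and all(o.isdigit() for o in octets):
        return '.'.join(octets[:4])
    return None

def analyse(log_text):
    """Return (client, finding, command) for every suspicious event."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, user, cmd, status = m['host'], m['user'], m['cmd'], int(m['status'])
        verb, _, arg = cmd.partition(' ')
        # 1. successful login as the anonymous/ftp account
        if verb == 'PASS' and status == 230 and user.lower() in ('anonymous', 'ftp'):
            findings.append((host, 'anonymous-login', cmd))
        # 2. '..' path component: an attempt to leave the shared directory tree
        elif verb in ('CWD', 'RETR', 'STOR', 'LIST', 'NLST') and TRAVERSAL_RE.search(arg):
            findings.append((host, 'traversal', cmd))
        # 3. data connection requested to an address other than the client (FTP bounce)
        elif verb in ('PORT', 'EPRT'):
            if (target := port_target(arg)) and target != host:
                findings.append((host, 'bounce', cmd))
    return findings
```

Running `analyse(SAMPLE_LOG)` on the constructed lines reports one anonymous login, two traversal attempts and one bounce request, all from 192.0.2.10, while alice’s session produces nothing.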

Conclusion

Away from headlines about complex attack campaigns, many security incidents occur where technical fundamentals have remained unchanged for a long time. Infrastructures that have grown over the years, outdated services, and a lack of hardening often provide attackers with exactly the attack surface they are looking for. FTP is fundamentally insecure, but even an established standard service can become an open door if it lacks modern security measures and clear access restrictions.

At Certified Security Operation Center GmbH, we see our role not only in identifying such situations, but also in taking active measures. Quick decisions and targeted actions make the difference – not only after damage has occurred, but at the very moment when it can be prevented.