FTP account being hacked but not damage done mystery story

Question

My friend’s webserver has been hacked, but nothing was compromised. Here is my daily Sherlock Holmes story:

My friend’s hosting provider sends an email that they 200ed all files on his server because they found compromising FTP log entries. My friend never used his FTP access but instead assembled his site with sort of a frontend construction kit. So we have no clue how that FTP password leaked out. Now the files generated by that construction kit are static HTML files, nothing dynamic except for some JS files that support flash inclusion. Looking at the files I see nothing unusual; we told the hosting provider, they agreed, 644ed all files again, site is up again.

And this is the log they sent us:

ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PASS (hidden)" 230 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "TYPE I" 200 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "SYST" 215 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /somecontenfolder" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PASV" 227 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "STOR /somecontenfolder/live_tinc.js" 226 4931
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PASV" 227 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "STOR /somecontenfolder/runActiveContent.js" 226 921
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /somecontenfolder/images" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /somecontentfolder/images/static" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /somecontenfolder/images/dynamic" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /somecontenfolder/colorschemes" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PWD" 257 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /somecontentfolder/colorschemes/colorscheme1" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "CWD /" 250 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "PASV" 227 -
ftp.log:.....[03/Feb/2014:16:55:59 +0100] "STOR /somecontentfoler/main.css" 226 7363

So the best guess I am coming up with is:

This FTP account was indeed hacked, prob. by brute force. The speed in which the FTP commands are issued certainly points to a bot. That bot walks the directories, but doesn’t do anything/any damage - was probably looking for PHP files which don’t exist here.

Does anyone here have similar/other insights when seeing and reading this? Maybe a similar experience?

Answer 1

If you are asking what it is doing, I would guess that the bot hasn't met the preconditions for it to do damage. It could be looking for any number of things that might gain it further access to your computer.