View Attach Info

Add new attachment

Only authorized users are allowed to upload new attachments.

This page (revision-8) was last changed on 02-Apr-2025 01:25 by Ben Spink

This page was created on 01-Apr-2025 14:11 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 5 changed one line
How to detect:\\
How to detect (no magic scenario to detect...):\\
At line 7 changed 6 lines
no magic bullet...but if your log has AWS4 in it...
if you see a new crushadmin2 user...
new random GUID looking usernames...
You had not already updated to 10.8.4 or 11.3.1 before March 26th....
we believe weaponization started around 3/28 from seeing logs from customers.
logs containing (CONNECT) likely indicate compromise as this is text only for admin users.
if your log has AWS4 in it...
if you see a new crushadmin2, zero, system, long GUID usernames, others users you don't recognize...
You used our default username of "crushadmin"...
You had not already updated to 10.8.4 or 11.3.1 before March 27th....
We believe weaponization started around 3/28 from seeing logs from customers.
Logs containing (CONNECT) likely indicate compromise as this is text only for admin users...creating of a new user.
Your server was updated to 10.8.4+ and you don't recall doing it...(hackers do this to hide the fact they already compromised you...)
At line 27 added 2 lines
Cloudflare might indicate a compromise when it sees certain things occur...but you were likely compromised much earlier
hackers install their backdoor...then update your server so you believe you are patched and safe. But if you didn't do the update yourself, and before March 27th, you are not safe and were probably compromised
At line 42 added 3 lines
Implement trusted IPs for admin actions in preferences, banning.
Use a different username besides crushadmin
If you are an enterprise customer, utilize a DMZ instance in front of your CrushFTP and enable MFA.
At line 46 added 2 lines
How to do an offline update: [OfflineUpdate11] or [OfflineUpdate10]
Version Date Modified Size Author Changes ... Change note
8 02-Apr-2025 01:25 2.775 kB Ben Spink to previous
7 02-Apr-2025 01:09 2.639 kB Ben Spink to previous | to last
6 02-Apr-2025 00:52 2.651 kB Ben Spink to previous | to last
5 01-Apr-2025 15:52 2.439 kB Ben Spink to previous | to last
4 01-Apr-2025 14:36 2.402 kB Ben Spink to previous | to last
3 01-Apr-2025 14:25 2.331 kB Ben Spink to previous | to last
2 01-Apr-2025 14:14 1.912 kB Ben Spink to previous | to last
1 01-Apr-2025 14:11 1.818 kB Ben Spink to last
« This page (revision-8) was last changed on 02-Apr-2025 01:25 by Ben Spink
G’day (anonymous guest)
CrushFTP11 | What's New

Referenced by
Update

JSPWiki