The March 21st vulnerability CVE-2025-31161, or the copycat CVE that triggered the compromise of servers: CVE-2025-0282\\
\\
We will do our best to update this page in the next few weeks to give insight into ways to recognize a compromise, based on what we have seen.\\
\\
How to detect (there is no magic scenario to detect...):\\
{{{
If your log has AWS4 in it...
If you see a new crushadmin2, zero, system, long GUID usernames, or other users you don't recognize...
You used our default username of "crushadmin"...
You had not already updated to 10.8.4 or 11.3.1 before March 27th...
We believe weaponization started around 3/28, based on logs we have seen from customers.
Logs containing (CONNECT) likely indicate compromise, as this text is only logged for admin users creating a new user.
Your server was updated to 10.8.4+ and you don't recall doing it... (hackers do this to hide the fact that they already compromised you...)
}}}
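The indicators above can be checked mechanically. This is an added example (not CrushFTP's own code or tooling) that flags log lines containing the AWS4 and (CONNECT) markers and classifies usernames from a User Usage export against the accounts you expect to exist; the log line format and all sample data are constructed for the demonstration.

```python
from __future__ import annotations
import re
from typing import Iterable

# Indicators taken from this page: "AWS4" anywhere in the log, "(CONNECT)" (text that
# only appears for admin users creating a new user), and unfamiliar usernames such as
# crushadmin2, zero, system, or long GUID-style names.
LOG_MARKERS = ("AWS4", "(CONNECT)")
KNOWN_BAD_NAMES = {"crushadmin2", "zero", "system"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def scan_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, marker, line) for each log line containing a marker."""
    hits = []
    for no, line in enumerate(lines, 1):
        for marker in LOG_MARKERS:
            if marker in line:
                hits.append((no, marker, line.rstrip()))
    return hits


def suspicious_users(exported: Iterable[str], expected: set[str]) -> dict[str, str]:
    """Classify usernames from a User Usage export against the users you expect."""
    findings = {}
    for name in exported:
        if name in expected:
            continue
        if name.lower() in KNOWN_BAD_NAMES:
            findings[name] = "username seen in compromises"
        elif GUID_RE.match(name):
            findings[name] = "GUID-style username"
        else:
            findings[name] = "not in expected user list"
    return findings


# Constructed sample input (hypothetical line format, not real CrushFTP output).
SAMPLE_LOG = [
    "[03/28/2025 02:14:07] LOGIN alice OK",
    "[03/28/2025 02:14:09] GET /?X-Amz-Algorithm=AWS4-HMAC-SHA256 401",
    "[03/28/2025 02:15:30] (CONNECT) crushadmin created user 9c1e4d2a-77b3-4f0e-8a61-2b3c4d5e6f70",
]
SAMPLE_USERS = ["alice", "crushadmin", "crushadmin2", "9c1e4d2a-77b3-4f0e-8a61-2b3c4d5e6f70", "bob"]

if __name__ == "__main__":
    for no, marker, line in scan_log(SAMPLE_LOG):
        print(f"line {no}: {marker}: {line}")
    for name, reason in suspicious_users(SAMPLE_USERS, {"alice", "crushadmin"}).items():
        print(f"user {name!r}: {reason}")
```

Feed it your real CrushFTP.log lines and the usernames from your User Usage export; anything it flags still needs a human to confirm against the audit summary report.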

We have seen:\\
{{{
Custom jar files installed into CrushFTP, so custom code is now running.
Custom DLLs installed into System32 on Windows, so the OS is running custom code.
Custom settings changes made to the Windows configuration.
Additional random GUID-style usernames being created.
Downloading of all files and certificates they can access.
New admin usernames being created.
Disabling of existing admins.
Limiting of the IPs that can do admin actions, in order to create more problems for the real admins.
Executing other processes to scan for more items on the network.
Cloudflare might indicate a compromise when it sees certain things occur... but you were likely compromised much earlier.
Hackers install their backdoor... then update your server so you believe you are patched and safe.  But if you did not do the update yourself before March 27th, you are not safe and were probably compromised.
}}}

Steps we recommend to resolve the compromise and get back to normal:\\
{{{
Remove CrushFTP from the network.
Make a backup copy of the CrushFTP folder.
From 3/28 onwards, treat all activity as suspicious.
Export the User Usage report to understand recently created users.
Run the audit summary report and make note of actions, especially those from the suspicious users.
Restore your entire server from before the compromise date... 3/27 to be safe.
Update CrushFTP.jar before you take it online, or follow our offline instructions.
Reset all passwords, especially if you were not using hashing.
Analyze your reports and CrushFTP.logs for odd activity.
Implement trusted IPs for admin actions (Preferences, Banning).
Use a different username besides crushadmin.
If you are an enterprise customer, use a DMZ instance in front of your CrushFTP and enable MFA.
}}}

How to do an offline update: [OfflineUpdate11] or [OfflineUpdate10]