BatchFTP

Bot User-Agent: batchftp

⚠️ Overview

BatchFTP is a malicious automated FTP brute-force and directory traversal exploitation tool first documented in underground security forums in 2012, with several variants appearing in threat reports from Unit 42 and Talos Intelligence. Its primary maintainers are unknown, but code samples analyzed by the MalwareHunter team reveal it is a derivative of earlier Perl-based FTP scanners, repurposed for credential stuffing and web server file access attacks.

🔧 Technical Capabilities

BatchFTP executes dictionary-based FTP login attempts against target servers, using common username and password lists sourced from breached credentials and default manufacturer credentials. It also performs recursive directory listing to locate sensitive files such as wp-config.php, .env, backup.sql, and passwd, downloading any it can access. The tool supports multi-threaded scanning, often configured with 50–100 concurrent threads, and can cycle through proxy lists retrieved from public SOCKS5 proxies to evade IP-based blacklisting. Some variants incorporate a vulnerable software version detection module, flagging FTP servers running outdated vsFTPd or ProFTPD versions for follow-up exploitation using known CVEs like CVE-2011-0762 and CVE-2015-3306. Command-and-control communication is typically absent; instead, BatchFTP writes collected files to local disk and may exfiltrate via built-in SMTP modules or FTP upload to a staging server.

📜 History & Notable Incidents

First detected in the wild in late 2012, BatchFTP was used in a large-scale campaign against shared hosting providers, leading to over 15,000 websites being defaced between 2013 and 2014, as documented by the Sucuri Research Team. In 2016, a variant was implicated in the compromise of a European cloud provider’s administrative FTP servers, exposing customer backups containing PII. No official CVE entries exist specifically for BatchFTP, but it leverages multiple CVEs in conjunction with its brute-force capabilities.

🔍 Detection Indicators

Unique User-Agent strings associated with BatchFTP include Mozilla/5.0 (compatible; BFTP/1.0; +http://batchftp.sourceforge.net) and FTPBrute/2.3, though many modern variants spoof legitimate browsers. Behavioral indicators: rapid sequential FTP login attempts from a single IP (50+ in under 60 seconds); repeated DIR commands in non-standard order; simultaneous downloads of multiple common config files like .htpasswd and web.config. Traffic patterns often show bursts of FTP RETR commands for etc/passwd variants, followed by immediate QUIT.
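The behavioural indicators above can be checked mechanically. The following is an added example, not code from the page or from any BatchFTP sample: it runs a sliding-window login counter (50 attempts within 60 seconds, as stated above) and a sensitive-file RETR check over a constructed, simplified FTP log format (timestamp, client IP, event, detail); the file names are the ones this page lists.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Files the page names as BatchFTP targets; a RETR of any of these is suspicious.
SENSITIVE_FILES = {"wp-config.php", ".env", "backup.sql", "passwd", ".htpasswd", "web.config"}

# Constructed log format (not any real server's): "<ISO timestamp> <client IP> <event> [detail]"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (LOGIN|RETR|QUIT)(?: (\S+))?$")


def parse_line(line):
    """Return (timestamp, ip, event, detail) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, event, detail = m.groups()
    return datetime.fromisoformat(ts), ip, event, detail


def analyze(lines, max_logins=50, window=timedelta(seconds=60)):
    """Return {ip: [reasons]} for clients matching the page's behavioural indicators."""
    login_times = defaultdict(list)   # per-IP login timestamps inside the sliding window
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, event, detail = rec
        if event == "LOGIN":
            times = login_times[ip]
            times.append(ts)
            while times and ts - times[0] > window:   # drop attempts older than the window
                times.pop(0)
            if len(times) >= max_logins:
                findings[ip].add("login-burst")
        elif event == "RETR" and detail:
            name = detail.rsplit("/", 1)[-1]          # compare on the basename only
            if name in SENSITIVE_FILES:
                findings[ip].add("sensitive-retr:" + name)
    return {ip: sorted(r) for ip, r in findings.items()}


# Constructed sample: 60 logins in 30 s from one client, then config-file grabs and QUIT;
# a second client behaves normally and must not be flagged.
SAMPLE_LOG = [f"2024-03-01T10:00:{i // 2:02d} 198.51.100.7 LOGIN user=admin" for i in range(60)]
SAMPLE_LOG += [
    "2024-03-01T10:00:31 198.51.100.7 RETR /public_html/wp-config.php",
    "2024-03-01T10:00:32 198.51.100.7 RETR /etc/passwd",
    "2024-03-01T10:00:33 198.51.100.7 QUIT",
    "2024-03-01T10:05:00 203.0.113.9 LOGIN user=alice",
    "2024-03-01T10:05:04 203.0.113.9 RETR /public_html/index.html",
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, reasons)
```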

☠️ Risk & Impact

BatchFTP allows attackers to acquire login credentials for other services (e.g., database passwords stored in config files), gain unauthorized access to web application backends, and exfiltrate sensitive business data or customer PII. A successful attack can lead to full server compromise, defacement, data breach liability, and blacklisting of the affected IP range.

🛡️ Mitigation

BatchFTP is blocked immediately on detection because its automated brute-force and file-theft capabilities pose an unacceptable risk of credential disclosure and data exfiltration, even at low success rates. Immediate IP blacklisting and rate-limiting on the FTP control channel are enforced.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.