Password file has been hacked and used by a virus

alphonse777
504 Command not implemented
Posts: 6
Joined: 2009-04-09 19:18
First name: Alphonse
Last name: Daudet

Password file has been hacked and used by a virus

#1 Post by alphonse777 » 2009-04-09 19:40

Hi all,

It took me some time to investigate, but I don't see another way, and I'm sure of the following about FileZilla: my FileZilla password file has been hacked by a trojan and given to a third-party pirate...

All the web sites I'm taking care of have been hacked, and the ONLY place where the hacker could find the passwords was FileZilla, where all the passwords were stored, in this place and only in this place.

I'm using FileZilla client 3.2.3.1 and the hacker inserted the following script in each of my HTML files:
....
document.write(unescape('pZ%3CscPr
.....
of my four web sites !!

So I think the policy of having the FileZilla passwords in an unencrypted password file is foolish!

After 15 years of computing, (and I'm a Win32 programmer), this is the first time I got hacked....

Is there a way to prevent FileZilla passwords from being hacked so easily?

Thanks
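For cleaning up after the kind of injection described in post #1, the following is an added example (not part of the thread and not FileZilla code) that scans a local copy of a web root for `document.write(unescape(...))` calls and reports file and line. The sample page, its placeholder URL and the function names are constructed for illustration.

```python
import os
import re
import sys
from urllib.parse import unquote

# Call shape quoted in post #1: document.write(unescape('...'))
INJECT_RE = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1""", re.I | re.S)
WEB_EXTS = (".html", ".htm", ".php", ".js")

# Constructed sample page; the URL is a placeholder, not an indicator from the thread.
SAMPLE_PAGE = (
    "<html><body>\n"
    "<p>Welcome</p>\n"
    "<script>document.write(unescape('%3Cscript src=%22http://example.invalid/x.js"
    "%22%3E%3C/script%3E'));</script>\n"
    "</body></html>\n"
)

def scan_text(text):
    """Return one hit per document.write(unescape(...)) call found in text."""
    hits = []
    for m in INJECT_RE.finditer(text):
        decoded = unquote(m.group(2))
        hits.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "percent_encoded": "%" in m.group(2),
            # True when the decoded string directly opens a script or iframe tag
            "writes_markup": bool(re.search(r"<\s*(script|iframe)", decoded, re.I)),
        })
    return hits

def scan_tree(root):
    """Walk a local copy of a web root; map relative path -> list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE_PAGE)}
    for path, hits in sorted(result.items()):
        print(path, hits)
```

A hit with `percent_encoded` set but `writes_markup` unset can still be an injection whose payload is further obfuscated, so every hit deserves a manual look before the file is restored from a clean backup.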

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Password file has been hacked and used by a virus

#2 Post by botg » 2009-04-09 20:14

Don't store passwords and most importantly, do not use Windows.

#3 Post by alphonse777 » 2009-04-09 20:30

botg wrote: Don't store passwords and most importantly, do not use Windows.
Thanks, the first part of the reply can apply... but could you remember all your passwords?? Me not, sorry...
The second, related to Windows, can definitely not apply...

Why not encrypt this file using a 1024-bit key?

The files are stored here:
C:\Documents and Settings\Administrator\Application Data\FileZilla

Plain clear!
In sitemanager.xml!!

Even the ones that are used for SSL accounts.

A discussion has taken place here:
http://unsharptech.com/2008/05/20/filez ... plaintext/

I think this is a pity because FileZilla is really excellent!

Regards,

Thx
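To see which saved sites in `sitemanager.xml` still carry a stored password (and therefore which credentials to rotate after a compromise), here is an added example that is not part of the thread or of FileZilla's code. It assumes the `Server`/`Host`/`User`/`Pass`/`Name` element layout of a FileZilla 3 site manager file; the sample XML, hosts and secrets are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed FileZilla 3 sitemanager.xml layout
# (hosts, users and secrets are made up for this example).
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.org</Host><Port>21</Port>
    <User>webmaster</User><Pass>constructed-secret</Pass><Name>Site A</Name></Server>
  <Folder>Clients
    <Server><Host>sftp.example.net</Host><Port>22</Port>
      <User>deploy</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      <Name>Site B</Name></Server>
  </Folder>
  <Server><Host>ftp.example.com</Host><Port>21</Port>
    <User>alice</User><Name>Site C</Name></Server>
</Servers></FileZilla3>"""

def audit_sitemanager(xml_text):
    """Return one finding per saved site; the secret itself is never returned."""
    findings = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):          # also finds sites nested in folders
        pass_el = server.find("Pass")
        stored = pass_el is not None and bool((pass_el.text or "").strip())
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "password_stored": stored,
            # An encoding attribute such as base64 is not encryption: anything
            # that can read the file can still recover the password.
            "storage": (pass_el.get("encoding") or "plaintext") if stored else None,
        })
    return findings

def sites_to_rotate(findings):
    """Hosts whose password was readable from the file."""
    return [f["host"] for f in findings if f["password_stored"]]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for finding in audit_sitemanager(text):
        print(finding)
```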

#4 Post by botg » 2009-04-09 20:46

Easy. Open Explorer. Right-click on FileZilla's settings directory and enter the properties. There you can enable encryption.

#5 Post by alphonse777 » 2009-04-09 21:09

botg wrote: Easy. Open Explorer. Right-click on FileZilla's settings directory and enter the properties. There you can enable encryption.
Yes, OK, but if the virus has acquired the same privileges as me, it will not help... (?)
Thanks

#6 Post by botg » 2009-04-09 23:44

Let's assume all passwords are encrypted. Malware just waits till you connect to the server and then captures the password from memory. Protection gained by the encryption: None.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

#7 Post by boco » 2009-04-10 00:58

Enable kiosk mode 1 (no passwords stored in FZ) and use a software like KeePass to store your passwords (of course on a different machine not connected to the internet).
alphonse777 wrote: but if the virus has acquired the same privileges as me, it will not help ... (?)
Don't surf the internet with an administrator account.

jdratlif
226 Transfer OK
Posts: 392
Joined: 2008-12-30 10:30
First name: John
Last name: Ratliff
Location: In a small white padded room.

#8 Post by jdratlif » 2009-04-10 15:34

boco wrote: Enable kiosk mode 1 (no passwords stored in FZ) and use a software like KeePass to store your passwords (of course on a different machine not connected to the internet).
Is KeePass like kwallet or something? I don't use Windows much these days. Does it work with FileZilla?
boco wrote:
alphonse777 wrote: but if the virus has acquired the same privileges as me, it will not help ... (?)
Don't surf the internet with an administrator account.
Administrator accounts are evil, but at times they are a necessary one. Some programs simply don't run without full access. Stupid programmers from the pre-multi-user Windows environments used to full access accounts. UAC is not great, but I think it's a decent compromise. Microsoft has to be pragmatic. They can't afford to throw away the wondrous Windows backwards compatibility.

Even if he was using a limited account, his privileges would certainly extend to his password file. If he couldn't read them at his privilege level, then he could never make use of them. Granted there are much more serious consequences to a virus running as admin...
http://jdrrant.blogspot.com/ - CODEpendent Blog

#9 Post by botg » 2009-04-10 17:25

jdratlif wrote: Some programs simply don't run without full access
Then simply don't use such programs. There are many alternatives.

#10 Post by alphonse777 » 2009-04-11 01:32

Ok,

Now I got the final word about this case.

All my web sites were hacked due to FTP passwords that have been grabbed by a Trojan.

The process is very well explained here:
http://malware-web-threats.blogspot.com ... us-p5.html

I got infected by this:
http://www.symantec.com/security_respon ... 18-1009-99

A simple hack tool and a keyboard logger...
It took ALL the FileZilla passwords and they were sent to Russia (the FTP log showed that the machine was running from Russia when it got access to my web server (no brute force), and my PC was OFF at that time).

Although I have ESET NOD32 AND Spybot BOTH enabled (resident protection) -> they both failed!
I was relying too much on these tools!
My mistake was that the Acrobat Reader embedded in Firefox was too old and an exploit has been used.


I'm amazed how easy it is for these hack tools to get everything they want.

I'm considering using an account with basic user privileges to surf the web... good idea.
But if FileZilla could also improve the way of hiding the passwords, it would make life more difficult for those hackers.
To grab the password from memory.... hummm... I think this is far more difficult compared to grabbing a file located here:
C:\Documents and Settings\Administrator\Application Data\FileZilla

Also, the password can be grabbed from the TCP/IP packet before it goes to the NIC, I know this... (except when SSL/SSH is used)
.... I'm a programmer also (>1 million lines of code)... So I'm aware

In 15 years of active PC usage, this is the first time I got hacked like that... I have of course changed all the passwords...

Definitely not nice...

Rgds,
Al.

#11 Post by jdratlif » 2009-04-11 08:52

botg wrote:
jdratlif wrote: Some programs simply don't run without full access
Then simply don't use such programs. There are many alternatives.
Typical botg response. If my computer were slow, you'd be offering me a nickel.
alphonse777 wrote: It took ALL the FileZilla passwords and they were sent to Russia (the FTP log showed that the machine was running from Russia when it got access to my web server (no brute force), and my PC was OFF at that time).
They hacked your machine when it was off? That's amazing.
alphonse777 wrote: Also, the password can be grabbed from the TCP/IP packet before it goes to the NIC, I know this... (except when SSL/SSH is used)
.... I'm a programmer also (>1 million lines of code)... So I'm aware
A programmer, eh? And FileZilla is open source...

#12 Post by botg » 2009-04-11 09:50

alphonse777, you sound like an irate user. Take a break for a few weeks to calm down. Then come back here and think about my arguments. If malware is running on your system, no amount of obfuscation or encryption helps; malware simply waits silently until you decrypt the data.
alphonse777 wrote: Despite I have ESET nod32 AND spybot BOTH enabled (resident protection) -> they both failed !
Of course they failed, you are running expensive snake oil.

I am not using any firewalls, virus scanner or other malware detection utilities. The difference is that I know how to properly configure my systems and spend much time keeping them ALL up-to-date. And I simply don't use products with known unpatched vulnerabilities.

Free FTP Love
500 Command not understood
Posts: 2
Joined: 2008-12-04 13:15
First name: K
Last name: Jones
Location: USA est

my wordpress has turned to mush

#13 Post by Free FTP Love » 2009-04-12 04:23

Hi, I'm suffering from the exploit too. I have several sites in a mess right now. Is the best thing for me to do to change all the passwords and then make sure not to store them on my filezilla program? That's what I will be attempting to do during this next week.

I really like filezilla. I'm not very smart about most of what has been mentioned in this thread.

I have been using file zilla since 2006. I updated my program on this PC this week. I thought it might help, but, I spent hours working to reverse damage this evening, only to fail....

I did not know about the password storage "issue". Thanks for the guidance on that. Also, I am unsure how on earth did the viral jerks nest inside of my PC. :readthis: I have downloads disabled, and I'm very careful and particular about what I (knowingly) let visit my hard drive.

OMG, I have sooooo much cleaning up to do. (cries eyes out) :hang:

Can you advise me how to STOP such intrusions in the future?

PS, if anyone here is a member of digital point, I need a small favor, if you please. Thanks (sorry off topic there)
Last edited by Free FTP Love on 2009-04-12 13:44, edited 1 time in total.
save until later

#14 Post by botg » 2009-04-12 08:40

I cannot read your reply. Please use an even bigger font, maybe it will become so large that eventually it wraps around to be legible again.
Free FTP Love wrote: file zilla
Why can people not spell FileZilla correctly? Did Zombie Jesus eat your brains?

#15 Post by Free FTP Love » 2009-04-12 13:46

botg wrote: I cannot read your reply. Please use an even bigger font, maybe it will become so large that eventually it wraps around to be legible again.
Free FTP Love wrote: file zilla
Why can people not spell FileZilla correctly? Did Zombie Jesus eat your brains?
OUCH! okay, i removed the size. SORRY!

I DID SPALE IT CORRECTLY at least once. jeeez.

Did Jesus eat your compassion?
.........
EDIT

PS. You sent me a warning about font size? Seriously, the font looked okay on my screen. Thanks. :?:

Locked