FileZilla Forums

Welcome to the official discussion forums for FileZilla
PostPosted: 2009-04-09 19:40 
504 Command not implemented

Joined: 2009-04-09 19:18
Posts: 6
First name: Alphonse
Last name: Daudet
Hi all,

It took me some time to investigate, and I don't see another explanation, but I'm sure of the following about FileZilla: my FileZilla password file has been hacked by a trojan and given to a third-party pirate...

All the web sites I'm taking care of have been hacked, and the ONLY place where the hacker could have found the passwords was FileZilla, where all the passwords were stored, in this place and only in this place.

I'm using FileZilla client 3.2.3.1 and the hacker inserted the following script into each of my HTML files:
....
document.write(unescape('pZ%3CscPr
.....
on all four of my web sites!!

So I think the policy of keeping the FileZilla passwords in an unencrypted file is foolish!

After 15 years of computing (and I'm a Win32 programmer), this is the first time I got hacked....

Is there a way to prevent FileZilla passwords from being hacked so easily?

Thanks


PostPosted: 2009-04-09 20:14 
Site Admin

Joined: 2004-02-23 20:49
Posts: 24725
First name: Tim
Last name: Kosse
Don't store passwords and most importantly, do not use Windows.


PostPosted: 2009-04-09 20:30 
504 Command not implemented

Joined: 2009-04-09 19:18
Posts: 6
First name: Alphonse
Last name: Daudet
Quote:
Don't store passwords and most importantly, do not use Windows.


Thanks, the first part of the reply can apply... but could you remember all your passwords?? Me not, sorry...
The second, related to Windows, definitely cannot apply...

Why not encrypt this file using a 1024-bit key?

The files are stored here:
C:\Documents and Settings\Administrator\Application Data\FileZilla

in plain clear text!
in sitemanager.xml!!

even the ones that are used for SSL accounts.

A discussion has taken place here:
http://unsharptech.com/2008/05/20/filez ... plaintext/

I think this is a pity because FileZilla is really excellent!

Regards,

Thx


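As an added example (not FileZilla's own code and not from any poster in this thread): a small Python audit that parses a sitemanager.xml in the layout FileZilla 3.x uses and reports which saved sites have a password stored in the file, without ever printing the password itself, so that someone who suspects the file was copied knows exactly which credentials to rotate and which entries to switch to "ask for password". The sample XML is constructed for this example; the element names follow the FileZilla 3 format, and reading Protocol value 0 as plain FTP is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a FileZilla 3.x sitemanager.xml;
# hosts, user names and the password are made up for this example.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port>
      <Protocol>0</Protocol><Type>0</Type>
      <User>webmaster</User><Pass>hunter2</Pass>
      <Logontype>1</Logontype><Name>Site one</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port>
      <Protocol>1</Protocol><Type>0</Type>
      <User>deploy</User>
      <Logontype>2</Logontype><Name>Site two (asks for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_stored_credentials(xml_text):
    """One record per saved site: name, host, user, whether the entry uses
    plain FTP (Protocol 0, assumed) and whether a password is stored in
    the file. The password value is never returned, only its presence."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "plain_ftp": server.findtext("Protocol") == "0",
            # findtext() returns None when <Pass> is absent
            "password_stored": bool(server.findtext("Pass")),
        })
    return findings

def hosts_to_rotate(xml_text):
    """Hosts whose credentials must be changed if this file leaks."""
    return sorted(f["host"] for f in audit_stored_credentials(xml_text)
                  if f["password_stored"])

if __name__ == "__main__":
    for finding in audit_stored_credentials(SAMPLE_SITEMANAGER):
        print(finding)
    print("rotate:", hosts_to_rotate(SAMPLE_SITEMANAGER))
```

To audit a real file, read it with `open(path, encoding="utf-8").read()` and pass the text to `hosts_to_rotate`.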
PostPosted: 2009-04-09 20:46 
Site Admin

Joined: 2004-02-23 20:49
Posts: 24725
First name: Tim
Last name: Kosse
Easy. Open Explorer. Right-click on FileZilla's settings directory and enter the properties. There you can enable encryption.


PostPosted: 2009-04-09 21:09 
504 Command not implemented

Joined: 2009-04-09 19:18
Posts: 6
First name: Alphonse
Last name: Daudet
botg wrote:
Easy. Open Explorer. Right-click on FileZilla's settings directory and enter the properties. There you can enable encryption.


Yes, OK, but if the virus has acquired the same privileges as me, it will not help... (?)
Thanks


PostPosted: 2009-04-09 23:44 
Site Admin

Joined: 2004-02-23 20:49
Posts: 24725
First name: Tim
Last name: Kosse
Let's assume all passwords are encrypted. Malware just waits till you connect to the server and then captures the password from memory. Protection gained by the encryption: None.


PostPosted: 2009-04-10 00:58 
Contributor

Joined: 2006-05-01 03:28
Posts: 21118
Location: Germany
Enable kiosk mode 1 (no passwords stored in FZ) and use a software like KeePass to store your passwords (of course on a different machine not connected to the internet).

Quote:
but if the virus has acquired the same privileges as me, it will not help... (?)
Don't surf the internet with an administrator account.

_________________
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
All support requests per PM will be ignored!


PostPosted: 2009-04-10 15:34 
226 Transfer OK

Joined: 2008-12-30 10:30
Posts: 392
First name: John
Last name: Ratliff
Location: In a small white padded room.
boco wrote:
Enable kiosk mode 1 (no passwords stored in FZ) and use a software like KeePass to store your passwords (of course on a different machine not connected to the internet).


Is KeePass like kwallet or something? I don't use Windows much these days. Does it work with FileZilla?

boco wrote:
Quote:
but if the virus has acquired the same privileges as me, it will not help... (?)
Don't surf the internet with an administrator account.


Administrator accounts are evil, but at times they are a necessary evil. Some programs simply don't run without full access. Stupid programmers from the pre-multi-user Windows environments got used to full-access accounts. UAC is not great, but I think it's a decent compromise. Microsoft has to be pragmatic. They can't afford to throw away the wondrous Windows backwards compatibility.

Even if he was using a limited account, his privileges would certainly extend to his password file. If he couldn't read them at his privilege level, then he could never make use of them. Granted there are much more serious consequences to a virus running as admin...

_________________
http://jdrrant.blogspot.com/ - CODEpendent Blog


PostPosted: 2009-04-10 17:25 
Site Admin

Joined: 2004-02-23 20:49
Posts: 24725
First name: Tim
Last name: Kosse
Quote:
Some programs simply don't run without full access


Then simply don't use such programs. There are many alternatives.


PostPosted: 2009-04-11 01:32 
504 Command not implemented

Joined: 2009-04-09 19:18
Posts: 6
First name: Alphonse
Last name: Daudet
Ok,

Now I got the final word about this case.

All my web sites were hacked due to FTP passwords that had been grabbed by a Trojan.

The process is very well explained here:
http://malware-web-threats.blogspot.com ... us-p5.html

I got infected by this:
http://www.symantec.com/security_respon ... 18-1009-99

A simple hack tool and a keyboard logger...
It took ALL the FileZilla passwords and they were sent to Russia (the FTP log showed that the machine that got access to my web server was running from Russia (no brute force), and my PC was OFF at that time).

Despite having ESET NOD32 AND Spybot BOTH enabled (resident protection) -> they both failed!
I was relying too much on these tools!
My mistake was that the Acrobat Reader plugin embedded in Firefox was too old and an exploit was used.


I'm amazed how easy it is for these hack tools to get everything they want.

I'm considering using an account with basic user privileges to surf the web... good idea.
But if FileZilla could also improve the way it hides the password, it would make the lives of those hackers more difficult.
To grab the password from memory... hmmm... I think this is far more difficult compared to grabbing a file located here:
C:\Documents and Settings\Administrator\Application Data\FileZilla

Also the password can be grabbed from the TCP/IP packet before it goes to the NIC, I know this... (except when SSL/SSH is used)
.... I'm a programmer also (>1 million lines of code)... So I'm aware.

In 15 years of active PC usage, this is the first time I got hacked like that... I have of course changed all the passwords...

Not nice, definitely...

Rgds,
Al.


PostPosted: 2009-04-11 08:52 
226 Transfer OK

Joined: 2008-12-30 10:30
Posts: 392
First name: John
Last name: Ratliff
Location: In a small white padded room.
botg wrote:
Quote:
Some programs simply don't run without full access


Then simply don't use such programs. There are many alternatives.


Typical botg response. If my computer were slow, you'd be offering me a nickel.

Quote:
It took ALL the FileZilla passwords and they were sent to Russia (the FTP log showed that the machine that got access to my web server was running from Russia (no brute force), and my PC was OFF at that time).


They hacked your machine when it was off? That's amazing.

Quote:
Also the password can be grabbed from the TCP/IP packet before it goes to the NIC, I know this... (except when SSL/SSH is used)
.... I'm a programmer also (>1 million lines of code)... So I'm aware.


A programmer, eh? And FileZilla is open source...

_________________
http://jdrrant.blogspot.com/ - CODEpendent Blog


PostPosted: 2009-04-11 09:50 
Site Admin

Joined: 2004-02-23 20:49
Posts: 24725
First name: Tim
Last name: Kosse
alphonse777, you sound like an irate user. Take a break for a few weeks to calm down. Then come back here and think about my arguments. If malware is running on your system, no amount of obfuscation or encryption helps; malware simply waits silently until you decrypt the data.

Quote:
Despite I have ESET nod32 AND spybot BOTH enabled (resident protection) -> they both failed !


Of course they failed, you are running expensive snake oil.

I am not using any firewalls, virus scanner or other malware detection utilities. The difference is that I know how to properly configure my systems and spend much time keeping them ALL up-to-date. And I simply don't use products with known unpatched vulnerabilities.


PostPosted: 2009-04-12 04:23 
500 Command not understood

Joined: 2008-12-04 13:15
Posts: 2
First name: K
Last name: Jones
Location: USA est
Hi, I'm suffering from the exploit too. I have several sites in a mess right now. Is the best thing for me to do to change all the passwords and then make sure not to store them in my FileZilla program? That's what I will be attempting to do during this next week.

I really like filezilla. I'm not very smart about most of what has been mentioned in this thread.

I have been using file zilla since 2006. I updated my program on this PC this week. I thought it might help, but, I spent hours working to reverse damage this evening, only to fail....

I did not know about the password storage "issue". Thanks for the guidance on that. Also, I am unsure how on earth the viral jerks nested inside my PC. I have downloads disabled, and I'm very careful and particular about what I (knowingly) let visit my hard drive.

OMG, I have sooooo much cleaning up to do. (cries eyes out)

Can you advise me how to STOP such intrusions in the future?

PS, if anyone here is a member of digital point, I need a small favor, if you please. Thanks (sorry off topic there)

_________________
save until later


Last edited by Free FTP Love on 2009-04-12 13:44, edited 1 time in total.

PostPosted: 2009-04-12 08:40 
Site Admin

Joined: 2004-02-23 20:49
Posts: 24725
First name: Tim
Last name: Kosse
I cannot read your reply. Please use an even bigger font, maybe it will become so large that eventually it wraps around to be legible again

Free FTP Love wrote:
file zilla


Why can people not spell FileZilla correctly? Did Zombie Jesus eat your brains?


PostPosted: 2009-04-12 13:46 
500 Command not understood

Joined: 2008-12-04 13:15
Posts: 2
First name: K
Last name: Jones
Location: USA est
botg wrote:
I cannot read your reply. Please use an even bigger font, maybe it will become so large that eventually it wraps around to be legible again

Free FTP Love wrote:
file zilla


Why can people not spell FileZilla correctly? Did Zombie Jesus eat your brains?

OUCH! Okay, I removed the size. SORRY!

I DID SPALE IT CORRECTLY at least once. Jeeez.

Did Jesus eat your compassion?
.........
EDIT

PS. You sent me a warning about font size? Seriously, the font looked okay on my screen. Thanks.

_________________
save until later

