New Site Manager Hack/Trojan Stealing Passwords in Filezilla

Come here to discuss FileZilla and FTP in general

Moderator: Project members

Message
Author
dijitul
500 Command not understood
Posts: 2
Joined: 2010-07-29 17:55
First name: Dijitul
Last name: Media

New Site Manager Hack/Trojan Stealing Passwords in Filezilla

#1 Post by dijitul » 2010-07-29 18:00

Hello,

Im afraid to say we think there is a new virus doing the rounds that might be using the FileZIlla site manager to get FTP passwords and in turn hacking files and adding text to them like here; http://forum.filezilla-project.org/view ... 03&start=0

We first got it on the 9th July, and shortly after this post appears on WP guru

http://wpguru.co.uk/2010/07/the-drunkje ... rid-of-it/

We've added some stuff to it (new variation and the fact we think its owning site managers in filezilla) and thought i would bring it to yall's attention.

If anyone needs help removing it then please get in touch.

User avatar
botg
Site Admin
Posts: 32216
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#2 Post by botg » 2010-07-29 22:53

Getting infected by a trojan is like purposely dropping the soap in prison.

dijitul
500 Command not understood
Posts: 2
Joined: 2010-07-29 17:55
First name: Dijitul
Last name: Media

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#3 Post by dijitul » 2010-07-30 09:09

Wow.

Check out your uber constructive reply :?

FYI - and for the attention of EVERY FILEZILLA USER

All your passwords (saved in site manager, OR ones used in quick connect) are stored on your pc whether or not you want them to be in PLAN TEXT

In the same location on all PC's

And a few viruses/Trojans we have reverse engineered recently are SPECIFICALLY targeting filezilla's stored passwords......

So thanks to FILEZILLA im having to move 200 + website to some other kind of ftp program, and also change them all as they could all have been stolen!

YOU HAVE BEEN WARNED!

User avatar
botg
Site Admin
Posts: 32216
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#4 Post by botg » 2010-07-30 11:09

What steps are you doing to prevent getting infected by a trojan in the first place?

Even if you do not store any passwords at all, if you are infected by a trojan, that trojan would just sleep unnoticed until you enter your password. Once you are infected, it's game over. However, if you can prevent infection, you can even leave the secret coca cola formula in a plaintext document right on your desktop and tell all the bad guys in the world about it.

Romson
500 Command not understood
Posts: 2
Joined: 2010-07-30 12:07
First name: RT
Last name: Lijkwan
Location: Rotterdam, NL

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#5 Post by Romson » 2010-07-30 12:13

dijitul wrote: All your passwords (saved in site manager, OR ones used in quick connect) are stored on your pc whether or not you want them to be in PLAN TEXT

In the same location on all PC's
What's the exact map location in C:\Program Files\FileZilla FTP Client to find the stored passwords in plain text?

User avatar
boco
Contributor
Posts: 24552
Joined: 2006-05-01 03:28
Location: Germany

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#6 Post by boco » 2010-07-30 16:39

Two words: kiosk mode.
What's the exact map location in C:\Program Files\FileZilla FTP Client to find the stored passwords in plain text?
%APPDATA%\FileZilla on Windows, ~/.filezilla on other OS.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

Tony-B
504 Command not implemented
Posts: 7
Joined: 2010-07-30 20:09

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#7 Post by Tony-B » 2010-07-30 20:25

Hi the issue really isnt the site manager part... yes it is understood that if you save your password in a program it is going to be stored somewhere (encrypted or unencrypted we can argue about which it should be all day). The issue is when using quick connect in filezilla it is storing all details (host/username/unecrypted password) in recentservers.xml without even telling you, i cant think of any program as popular as filezilla which stores all your login details without asking.

The first post was just to inform users of filezilla that malware is in the wild now that is stealing passwords from your recent connections using filezilla ,and recent can be weeks,months,years ago if you have not cleared the history.

Im guessing the smart reply from admin now will be "well only idiots use the same passwords for weeks,months,years etc" but noone is perfect.. im sure you yourself have been infected with some form of malicious code at some point.

Cheers

User avatar
botg
Site Admin
Posts: 32216
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#8 Post by botg » 2010-07-30 22:11

I never had any infections since I had access to the internet.

Tony-B
504 Command not implemented
Posts: 7
Joined: 2010-07-30 20:09

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#9 Post by Tony-B » 2010-07-30 22:28

botg wrote:I never had any infections since I had access to the internet.
Im sure you wouldnt admit it anyway.. you are obviously better than everyone else in the world!
Im also curious to know if you still think your comparison of being infected by a trojan to purposely dropping the soap in prison is a good one? if you do you have a very poor understanding of the idea behind a trojan.

Cheers

User avatar
botg
Site Admin
Posts: 32216
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#10 Post by botg » 2010-07-31 07:29

In both cases something very bad is happening you don't want to happen. If you do know the risks of trojans but don't protect your system against infections, that's either due to stupidity or on purpose. I assume you are an intelligent person, so it's on purpose.

Protectin against trojans is not hard at all, only requires a bit of common sense such as keeping all your software up-to-date, not executing random e-mail attachments and so on. For example, if everybody would just follow these simple two steps given as example, global malware infection rate would likely drop by 99%.

horndog
550 Permission denied
Posts: 27
Joined: 2010-06-13 21:27
First name: Stuart
Last name: Kay

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#11 Post by horndog » 2010-07-31 08:11

botg wrote:... not executing random e-mail attachments and so on...
Automatic "unpackers" do it for you! This is why an anti virus interface is needed to be included with FZ server! To be used with ClamAV for Windows. http://hideout.ath.cx/clamav/

User avatar
botg
Site Admin
Posts: 32216
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#12 Post by botg » 2010-07-31 09:54

Automatic unpackers execute email attachments? :shock:

Why would anybody ever install such a program? The risks are extreme with little to no benefit.

Tony-B
504 Command not implemented
Posts: 7
Joined: 2010-07-30 20:09

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#13 Post by Tony-B » 2010-07-31 11:37

dropping the soap on purpose would suggest that you wanted to be violated :)

anyway back to trojans, nowadays its not just as simple as dont double click the .exe etc, alot of viruses infect webservers and use 0day exploits to autorun themselves remotely, take the windows .lnk security hole, this was discovered because it was being used in the wild by malicious software! virus checkers can only be updated with known virus signatures.

Cheers

User avatar
botg
Site Admin
Posts: 32216
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#14 Post by botg » 2010-07-31 15:56

So did you as microsoft suggested and disabled link icons till they can fix it?

Tony-B
504 Command not implemented
Posts: 7
Joined: 2010-07-30 20:09

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#15 Post by Tony-B » 2010-07-31 16:16

botg wrote:So did you as microsoft suggested and disabled link icons till they can fix it?
that was just an example.... the problem was unknown by microsoft until it was discovered being used by malicious code!!
the point im making is nothing is 100% safe and secure as you seem to think/beleive. its not just the good guys stepping through code looking for holes!

Post Reply