New Site Manager Hack/Trojan Stealing Passwords in Filezilla

Come here to discuss FileZilla and FTP in general

Moderator: Project members

Spooky_
500 Command not understood
Posts: 5
Joined: 2011-02-14 11:22

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#46 Post by Spooky_ » 2011-02-14 12:52

xeon wrote:I have never been infected with malware and none of my filezilla passwords have ever been compromised even though they are stored in plaintext.
You are imposing your personal, individual experience on to others. Just because you have never been compromised and you think you never will, doesn't mean it will not happen to you or others.

xeon wrote:I'm sure many others who have good practices can say the same.
Yes, I can say that I have never been compromised like that. But I am not disregarding the issue just because of that.

Arkhee
550 Permission denied
Posts: 25
Joined: 2010-09-10 09:09

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#47 Post by Arkhee » 2011-02-14 12:57

xeon wrote: You were obviously infected with some type of malware so why are you blaming filezilla?
It sounds like you should be blaming yourself for not keeping your pc secure and having good practices.
Just think about it if you were never infected none of that would have happened to begin with...
Even if botg implemented some type of encryption on passwords malware creators would just use a different way to harvest passwords such as keylogging or sniffing your network traffic.
Agree with Spooky, same silly arguments as usual. Did you read my previous posts ?
My PC is secure as well as my practices, however no one is protected from bad luck and bad timing. That's what happened to me.
As a summary for those who do not read previous posts :
I had bad luck, was infected, detected it, cleaned it thoroughly, and now I'm fine.
Let's count the casualties :
- Filezilla managed websites : all hacked within the hour
- Non-filezilla managed website : not hacked (yes, none).
- All ftp passwords changed anyway.
xeon wrote: Even if botg implemented some type of encryption on passwords malware creators would just use a different way to harvest passwords such as keylogging or sniffing your network traffic.
Yeah you're right ! The harder botg thinks, the harder they have to think, and the harder it is in the end. Too bad the FZ team does not want to make it harder for hackers, because for now it's damn too simple.
I have never been infected with malware and none of my filezilla passwords have ever been compromised even though they are stored in plaintext.
I'm sure many others who have good practices can say the same.
You're just lucky, that's all. There are vulnerabilities in nearly every Adobe product, especially Flash and Acrobat. It's enough to have the wrong version and visit the wrong website at the wrong time. Hacked websites are usually detected and blocked within minutes or hours, but if you're unlucky you get infected even if you have an up-to-date antivirus and firewall active. And when I say "wrong version", I mean : even the latest available could be, at one time, the wrong version. I always keep up to date but when I was hacked the latest Acrobat Reader had THE vulnerability.

xeon
226 Transfer OK
Posts: 131
Joined: 2009-08-19 03:18

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#48 Post by xeon » 2011-02-14 13:06

Spooky_ wrote:
xeon wrote:I have never been infected with malware and none of my filezilla passwords have ever been compromised even though they are stored in plaintext.
You are imposing your personal, individual experience on to others. Just because you have never been compromised and you think you never will, doesn't mean it will not happen to you or others.
If you have good practices it will not happen. Malware doesn't just appear on your PC; it only appears as a result of negligence.
Arkhee wrote:
xeon wrote: You were obviously infected with some type of malware so why are you blaming filezilla?
It sounds like you should be blaming yourself for not keeping your pc secure and having good practices.
Just think about it if you were never infected none of that would have happened to begin with...
Even if botg implemented some type of encryption on passwords malware creators would just use a different way to harvest passwords such as keylogging or sniffing your network traffic.
Agree with Spooky, same silly arguments as usual. Did you read my previous posts ?
My PC is secure as well as my practices, however no one is protected from bad luck and bad timing. That's what happened to me.
As a summary for those who do not read previous posts :
I had bad luck, was infected, detected it, cleaned it thoroughly, and now I'm fine.
Let's count the casualties :
- Filezilla managed websites : all hacked within the hour
- Non-filezilla managed website : not hacked (yes, none).
- All ftp passwords changed anyway.
xeon wrote: Even if botg implemented some type of encryption on passwords malware creators would just use a different way to harvest passwords such as keylogging or sniffing your network traffic.
Yeah you're right ! The harder botg thinks, the harder they have to think, and the harder it is in the end. Too bad the FZ team does not want to make it harder for hackers, because for now it's damn too simple.
I have never been infected with malware and none of my filezilla passwords have ever been compromised even though they are stored in plaintext.
I'm sure many others who have good practices can say the same.
You're just lucky, that's all. There are vulnerabilities in nearly every Adobe product, especially Flash and Acrobat. It's enough to have the wrong version and visit the wrong website at the wrong time. Hacked websites are usually detected and blocked within minutes or hours, but if you're unlucky you get infected even if you have an up-to-date antivirus and firewall active. And when I say "wrong version", I mean : even the latest available could be, at one time, the wrong version. I always keep up to date but when I was hacked the latest Acrobat Reader had THE vulnerability.
Like I mentioned above, malware doesn't just appear on your PC; it happens due to the negligence of the user.

If you're using vulnerable software that's your own fault. I personally don't use any adobe products and don't allow javascript/etc on any websites except those that I whitelist specifically.

Spooky_
500 Command not understood
Posts: 5
Joined: 2011-02-14 11:22

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#49 Post by Spooky_ » 2011-02-14 13:12

xeon, it's a very unrealistic assumption to say, that it is impossible to happen. It is unlikely to happen for users like "us", but it's not impossible. Given enough time, anything that can go wrong, will go wrong. Saying that you can assure that nothing can ever go wrong would be negligent likewise.

Arkhee
550 Permission denied
Posts: 25
Joined: 2010-09-10 09:09

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#50 Post by Arkhee » 2011-02-14 13:19

xeon wrote:If you're using vulnerable software that's your own fault. I personally don't use any adobe products and don't allow javascript/etc on any websites except those that I whitelist specifically.
Oh, I see, so you never use YouTube for example ? No games ? No Flash on your PC ? Come on, I don't believe you. Are you one of the 0.01% of users who disable everything ? What about the others, are they just stupid to use Flash ?

Disabling JavaScript nowadays is a useless geek solution; viruses never come directly from JavaScript since it's been heavily secured. On the other hand 3rd-party components such as Flash may contain vulnerabilities, and these may be called from JS.
As a web developer you don't have the choice to use Flash and JavaScript or not, of course. So it's just a matter of chance, carefulness and protecting yourself with a good antivirus, just in case.

xeon wrote:don't allow javascript/etc on any websites except those that I whitelist specifically.
Whose websites do YOU trust the most ? For example YOUR OWN websites, do you ?
I was hacked by my customer's website, one website I have built myself actually. So I should not trust it ? My customer got infected because of one of his friend's website, which got infected because of another friend's infected website.

Come on wake up, infection never happens because people go to wa**z or p*rn websites, basically it always occurs because one day, the website you trust the most gets infected because you're not the only one who works on it through FTP.

xeon
226 Transfer OK
Posts: 131
Joined: 2009-08-19 03:18

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#51 Post by xeon » 2011-02-14 13:26

Spooky_ wrote:xeon, it's a very unrealistic assumption to say, that it is impossible to happen. It is unlikely to happen for users like "us", but it's not impossible. Given enough time, anything that can go wrong, will go wrong. Saying that you can assure that nothing can ever go wrong would be negligent likewise.
There's no point in discussing this further really we clearly have different expectations of ourselves and our practices.

Bottom line is botg has already stated his reasons for not implementing this and that's 100% his decision to make yet people are still complaining here...
Arkhee wrote:
xeon wrote:If you're using vulnerable software that's your own fault. I personally don't use any adobe products and don't allow javascript/etc on any websites except those that I whitelist specifically.
Oh, I see, so you never use YouTube for example ? No games ? No Flash on your PC ? Come on, I don't believe you. Are you one of the 0.01% of users who disable everything ? What about the others, are they just stupid to use Flash ?

Disabling JavaScript nowadays is a useless geek solution; viruses never come directly from JavaScript since it's been heavily secured. On the other hand 3rd-party components such as Flash may contain vulnerabilities, and these may be called from JS.
As a web developer you don't have the choice to use Flash and JavaScript or not, of course. So it's just a matter of chance, carefulness and protecting yourself with a good antivirus, just in case.

xeon wrote:don't allow javascript/etc on any websites except those that I whitelist specifically.
Whose websites do YOU trust the most ? For example YOUR OWN websites, do you ?
I was hacked by my customer's website, one website I have built myself actually. So I should not trust it ? My customer got infected because of one of his friend's website, which got infected because of another friend's infected website.

Come on wake up, infection never happens because people go to wa**z or p*rn websites, basically it always occurs because one day, the website you trust the most gets infected because you're not the only one who works on it through FTP.
I don't have flash and don't use youtube.

If a website you host or have visited gets hacked it's due to the owner's negligence.

Spooky_
500 Command not understood
Posts: 5
Joined: 2011-02-14 11:22

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#52 Post by Spooky_ » 2011-02-14 13:36

xeon wrote:There's no point in discussing this further really we clearly have different expectations of ourselves and our practices.

Bottom line is botg has already stated his reasons for not implementing this and that's 100% his decision to make yet people are still complaining here...
The bottom line is that some users are not happy with this design decision, that's the point of discussing it. Sure, these users can switch to another FTP client, but they also probably love the features FileZilla offers, otherwise they would not use it in the first place.

It may sound extreme, but I am saddened by this apparently dismissive and elitist behavior towards these users.

grindlay
504 Command not implemented
Posts: 9
Joined: 2011-02-09 10:34
First name: Grant
Last name: Forrest

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#53 Post by grindlay » 2011-02-14 14:31

Xeon, your argument is like saying :
"If you eat too much and become Obese, you'll get type 2 diabetes, so the advice is - avoid getting diabetes by eating less."
Why are we not surprised that so few people in the developed world follow this advice ? Because people are generally quite stupid when it comes to their health.
They can be just as stupid when it comes to the health of their PC. This is why botnets exist - because of the stupidity of PC users allowing their machines to become infected.
Does that mean there is no point in trying to make Filezilla more hack-resistant ?
No - don't blame people for being stupid, just respond to the legitimate concerns of the more sensible ones who understand that "shit happens". Holding your hands up and saying "nothing to do with me, I don't have responsibility for your stupidity" is not a nice sentiment.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#54 Post by botg » 2011-02-14 19:11

grindlay wrote:No - don't blame people for being stupid, just respond to the legitimate concerns of the more sensible ones who understand that "shit happens". Holding your hands up and saying "nothing to do with me, I don't have responsibility for your stupidity" is not a nice sentiment.
But it's the inconvenient truth. Sadly, stupid people also find it more convenient to ignore the truth and live with lies.

psytrax
500 Command not understood
Posts: 2
Joined: 2011-08-20 21:16

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#55 Post by psytrax » 2011-08-20 21:39

Sorry for posting in such an old thread, but i think my question fits quite well into this topic.

I'm using Filezilla Server for a few days now as a replacement for Samba shares.
And I must say, I was shocked like most of the users in this thread when I found out that my passwords are stored in plaintext.

Oh, wait... not all of them.

The passwords of the user accounts are hashed using MD5 - placed next to the admin password in plaintext in the "FileZilla Server.xml" configuration file.

So, my question is: Why are the user passwords hashed in contrast to the admin password?

I really want to know the reason for this, since the users have been expected to understand that passwords stored in plaintext do not decrease the security of the system.

Thanks in advance.

boco
Contributor
Posts: 26914
Joined: 2006-05-01 03:28
Location: Germany

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#56 Post by boco » 2011-08-21 04:49

First, this topic is about the client, where passwords cannot be hashed because they have to be sent out (hashing is an irreversible process).

The server's admin password usually stays on your local machine, used to connect the admin interface to the service. If you do remote administration, however, I fear that the password is sent unencrypted over the net. From what I know, the interconnection isn't secured, yet. That's a point with room for improvement for sure.

While the password in the FileZilla Server.xml could possibly be hashed, some issues could arise:
1. It would break existing installations with existing passwords on updating unless a new setting descriptor would be used,
2. The FileZilla Server Interface.xml does store the same password unencrypted, and it cannot be stored as hash.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

psytrax
500 Command not understood
Posts: 2
Joined: 2011-08-20 21:16

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#57 Post by psytrax » 2011-08-21 14:00

First, this topic is about the client, where passwords cannot be hashed because they have to be sent out (hashing is an irreversible process).
Sorry again. You're right, it wouldn't make sense to send hashed passwords. But I wouldn't save passwords by default either. What about enabling "Kiosk mode" by default?

The server's admin password usually stays on your local machine, used to connect the admin interface to the service. If you do remote administration, however, I fear that the password is sent unencrypted over the net. From what I know, the interconnection isn't secured, yet. That's a point with room for improvement for sure.
Definitely. So the admin interface is only meant to be run locally for now?

While the password in the FileZilla Server.xml could possibly be hashed, some issues could arise:
1. It would break existing installations with existing passwords on updating unless a new setting descriptor would be used,
Since most users' passwords are very likely to be shorter than 32 digits (length of an MD5 hash), it shouldn't be hard to separate between those formats and "convert" an old plaintext password if necessary.

2. The FileZilla Server Interface.xml does store the same password unencrypted, and it cannot be stored as hash.
Right again, but what keeps you from implementing an option, where the user can decide whether the admin password is saved or not?



Finally, I want to say that my intention is not to blame anybody. In my opinion a very important aspect of security is minimizing the number of possible attacks. By storing hashed passwords in "FileZilla Server.xml" and not saving the passwords used in both the admin interface login and the FileZilla Client by default, the FileZilla package should be much more resistant against basic password exploitations at a minimal additional implementation effort, since user passwords are already being hashed.

Attackers will always find a method to break any kind of authentication mechanism, but we don't have to make it so easy for them.

boco
Contributor
Posts: 26914
Joined: 2006-05-01 03:28
Location: Germany

Re: New Site Manager Hack/Trojan Stealing Passwords in Filez

#58 Post by boco » 2011-08-21 17:34

Sorry again. You're right, it wouldn't make sense to send hashed passwords. But I wouldn't save passwords by default either. What about enabling "Kiosk mode" by default?
I have made that proposal numerous times, unheard as of yet. At least it's planned as an installer option (like the FileZilla v2 ''Secure mode'' choice).
Definitely. So the admin interface is only meant to be run locally for now?
It can be used remotely as long as you know the risks. Note that millions of people send their plain text passwords over the net daily (do you remember when your browser warned you about unsecured POST data, for example). And they use normal FTP, where everything including passwords is sent unencrypted. It unfortunately takes a long time (and quite a few people burned) until security catches up.
I believe you could always use a third-party secure tunnel to protect against MITM attacks.
Since most users' passwords are very likely to be shorter than 32 digits (length of an MD5 hash), it shouldn't be hard to separate between those formats and "convert" an old plaintext password if necessary.
Either we could use a new descriptor with a fallback to the old one, or we could convert right away upon loading of old XML.
Right again, but what keeps you from implementing an option, where the user can decide whether the admin password is saved or not?
As I said, still room for improvement. Of course you'd lose the option to automatically connect to the service at startup, but that option makes only sense locally, anyway. Maybe the ''Always connect to this server" and saving of password should be only available for LAN IPv4, Unique Local and Site Local IPv6, and the loopbacks 127/8 and ::1? Note that I'm no developer, but he reads these forums and will possibly comment.
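
The two design points argued in the last few posts can be made concrete. Below is an added example, written for this page and not FileZilla's own code, covering (1) psytrax's idea of telling an MD5 hex digest from a legacy plaintext value by its shape, versus boco's alternative of a new settings descriptor with a fallback that converts old files on load, and (2) boco's suggestion that saving the admin password should only be allowed for local targets (RFC 1918 IPv4, IPv6 unique local and site local, and the loopbacks). The XML layout is a constructed, simplified imitation of "FileZilla Server.xml"; the element names and the "Admin Password Hash" descriptor are assumptions, and the sample passwords are made up.

```python
"""Added illustration (not FileZilla's own code): migrating a plaintext
admin password to a hashed descriptor with a legacy fallback, a shape-based
MD5 heuristic and its pitfall, and a 'local targets only' policy for saving
the admin password.  XML layout and item names are assumptions."""
import hashlib
import hmac
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample config: the admin password in the clear (legacy layout),
# alice's user password already an MD5 hex digest, bob's still plaintext,
# and carol's plaintext password that merely *looks* like an MD5 digest.
SAMPLE_XML = """<FileZillaServer>
  <Settings>
    <Item name="Admin Password" type="string">hunter2</Item>
  </Settings>
  <Users>
    <User Name="alice"><Option Name="Pass">5f4dcc3b5aa765d61d8327deb882cf99</Option></User>
    <User Name="bob"><Option Name="Pass">secret</Option></User>
    <User Name="carol"><Option Name="Pass">0123456789abcdef0123456789abcdef</Option></User>
  </Users>
</FileZillaServer>"""

LEGACY_ITEM = "Admin Password"        # existing plaintext descriptor
HASHED_ITEM = "Admin Password Hash"   # assumed new descriptor

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

def md5_hex(password):
    # MD5 matches what the thread says the server uses for user passwords.
    # It is unsalted and fast to brute-force; a real redesign should use a
    # salted, slow password hash instead.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def is_md5_hex(value):
    # Shape-based guess (32 hex characters): cheap, but not reliable.
    return bool(MD5_HEX.match(value))

def classify_user_passwords(xml_text):
    """Map user name -> 'md5?' or 'plaintext' using the length heuristic."""
    root = ET.fromstring(xml_text)
    result = {}
    for user in root.iter("User"):
        for opt in user.findall("Option"):
            if opt.get("Name") == "Pass":
                result[user.get("Name")] = "md5?" if is_md5_hex(opt.text or "") else "plaintext"
    return result

def _setting(settings, name):
    for item in settings.findall("Item"):
        if item.get("name") == name:
            return item
    return None

def migrate_admin_password(xml_text):
    """Convert a legacy plaintext admin password to the hashed descriptor.
    Returns (new_xml_text, changed); already-migrated files are untouched."""
    root = ET.fromstring(xml_text)
    settings = root.find("Settings")
    if settings is None or _setting(settings, HASHED_ITEM) is not None:
        return xml_text, False
    legacy = _setting(settings, LEGACY_ITEM)
    if legacy is None:
        return xml_text, False
    hashed = ET.SubElement(settings, "Item", name=HASHED_ITEM, type="string")
    hashed.text = md5_hex(legacy.text or "")
    settings.remove(legacy)          # the plaintext copy must not survive
    return ET.tostring(root, encoding="unicode"), True

def verify_admin_password(xml_text, candidate):
    """Check a candidate against the new descriptor, falling back to legacy."""
    root = ET.fromstring(xml_text)
    settings = root.find("Settings")
    if settings is None:
        return False
    hashed = _setting(settings, HASHED_ITEM)
    if hashed is not None:
        stored, given = (hashed.text or ""), md5_hex(candidate)
    else:
        legacy = _setting(settings, LEGACY_ITEM)
        if legacy is None:
            return False
        stored, given = (legacy.text or ""), candidate
    return hmac.compare_digest(stored.encode("utf-8"), given.encode("utf-8"))

# boco's list: RFC 1918 IPv4, loopbacks, IPv6 unique local and site local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fec0::/10",
)]

def may_save_admin_password(host):
    """Allow 'remember password'/auto-connect only for local admin targets."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False      # a hostname: resolve first, deny by default
    return any(addr in net for net in LOCAL_NETS)
```

The carol entry shows why the length heuristic alone is not enough: a plaintext password that happens to be 32 hex characters is indistinguishable from a digest, so a loader relying on shape would never hash it. The descriptor approach has no such ambiguity and stays idempotent across restarts. Hashing the copy in the server config still does nothing for the plaintext copy the interface keeps for auto-connect, which is why the last function gates that feature on the target address rather than trying to protect the stored value.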
