updated filezilla and then server got compromised

cally6008
500 Command not understood
Posts: 2
Joined: 2013-08-30 13:53

#1 Post by cally6008 » 2013-08-30 13:58

updated filezilla and then server got compromised

Not sure if any connection between the two but thought I'd best post here and let you know about it.
I updated to 3.7.3 FileZilla, did a complete download of all my website files on to my HDD (nothing wrong with files on my PC) this morning.
Went to look at website and got various PHP warnings which mean that server has been compromised in some way and code added to a file(s).

Fingers crossed for Hosting company to sort it quickly.

#2 Post by cally6008 » 2013-08-30 14:22

message reply from hosting company
Having checked this, I can confirm that your account has been compromised and many of the files on your account were downloaded via FTP then re-uploaded with larger filesizes with the most-likely malicious code via FTP between 14:19 and 14:27 today.

As these files were accessed via your main FTP user this demonstrates that your account's password has become known to a third party,
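The pattern the hosting company describes (a file downloaded over FTP, then re-uploaded larger by the same FTP user within minutes) can be searched for in the server's transfer log. The following is an added example, not part of the thread or of FileZilla: it assumes the server writes the common xferlog format, and the log lines, user name and addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample in xferlog format (not data from the thread).
SAMPLE_XFERLOG = """\
Fri Aug 30 09:02:11 2013 1 203.0.113.5 4096 /public_html/index.php b _ o r siteuser ftp 0 * c
Fri Aug 30 14:19:40 2013 1 198.51.100.7 4096 /public_html/index.php b _ o r siteuser ftp 0 * c
Fri Aug 30 14:19:58 2013 1 198.51.100.7 5210 /public_html/index.php b _ i r siteuser ftp 0 * c
Fri Aug 30 14:21:03 2013 1 198.51.100.7 812 /public_html/inc/db.php b _ o r siteuser ftp 0 * c
Fri Aug 30 14:21:20 2013 1 198.51.100.7 1930 /public_html/inc/db.php b _ i r siteuser ftp 0 * c
Fri Aug 30 14:25:10 2013 1 203.0.113.5 300 /public_html/style.css b _ o r siteuser ftp 0 * c
Fri Aug 30 14:25:30 2013 1 203.0.113.5 300 /public_html/style.css b _ i r siteuser ftp 0 * c
"""

def parse_xferlog(line):
    """Parse one xferlog line; return None if it is malformed."""
    p = line.split()
    if len(p) < 18:  # 5 date tokens + 3 fields + filename + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(p[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(p[7])
    except ValueError:
        return None
    # Trailing fields are fixed, so a filename containing spaces still parses.
    _type, _flag, direction, _mode, user, _svc, _auth, _uid, status = p[-9:]
    return {"when": when, "host": p[6], "size": size,
            "path": " ".join(p[8:-9]), "dir": direction,
            "user": user, "complete": status == "c"}

def find_reuploads(log_text, window=timedelta(minutes=10)):
    """Return (path, host, old_size, new_size) for each file that a user
    downloaded and then re-uploaded larger within `window`."""
    last_download = {}  # (user, path) -> most recent completed download
    findings = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or not rec["complete"]:
            continue
        key = (rec["user"], rec["path"])
        if rec["dir"] == "o":    # outgoing: server -> client (download)
            last_download[key] = rec
        elif rec["dir"] == "i":  # incoming: client -> server (upload)
            prev = last_download.get(key)
            if (prev and rec["when"] - prev["when"] <= window
                    and rec["size"] > prev["size"]):
                findings.append((rec["path"], rec["host"],
                                 prev["size"], rec["size"]))
    return findings
```

A legitimate edit-and-reupload also matches, so the source address and the number of files touched in one burst are what separate an owner's edit from a bulk injection.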

boco
Contributor
Posts: 26934
Joined: 2006-05-01 03:28
Location: Germany

#3 Post by boco » 2013-08-31 18:39

Change passwords immediately, but first scan your machine! Looks like you might have a malware infection.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

ftanner
503 Bad sequence of commands
Posts: 20
Joined: 2013-08-07 16:17
First name: Frank
Last name: Tanner

#4 Post by ftanner » 2013-09-06 15:17

boco wrote: Change passwords immediately, but first scan your machine! Looks like you might have a malware infection.
What Boco said. There is malware that specifically targets FileZilla stored usernames and passwords because the developers refuse to encrypt the file that stores that information, and they have no plans to encrypt it. They claim that it's not necessary or productive to do so. It makes it an easy target.

#5 Post by boco » 2013-09-06 20:13

Small correction: developer. There's only one. And obfuscation/encryption does not work well for GPL Open Source, where you have to provide everything to the public, even the encryption keys or how to calculate it. Guess what? Today's CPUs will crack it faster than you can blink. :( I'm not saving any passwords in FileZilla (kiosk mode 1 since it was introduced ages ago).

#6 Post by ftanner » 2013-09-06 20:48

boco wrote: Small correction: developer. There's only one. And obfuscation/encryption does not work well for GPL Open Source, where you have to provide everything to the public, even the encryption keys or how to calculate it. Guess what? Today's CPUs will crack it faster than you can blink. :( I'm not saving any passwords in FileZilla (kiosk mode 1 since it was introduced ages ago).
It doesn't? Hmm... Explain that to the guys that release all of the different flavors of Linux. There are lots of encryption tools (SSH, the keygen tools, et al) in them and even /etc/passwd is encrypted. PuTTY does a pretty good job of generating SSH key pairs too. KeePass (also Open Source) does a pretty good job of encrypting their password storage files too.

KeePass also gives you a choice of different encryption algorithms that you can use to generate your key.

Just because it is *POSSIBLE* to crack an encryption doesn't mean that you *SHOULDN'T* encrypt it. The RC4 encryption standard, which is used by SSL and TLS, was admitted to have been probably cracked by the NSA. Are you suggesting that all websites stop using SSL?

botg
Site Admin
Posts: 35558
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#7 Post by botg » 2013-09-07 08:28

If you have malware on your computer, then the second you decrypt any of those passwords/keys/tokens/whatever, the malware has full access to it. This is the real problem, malware on your computer.

#8 Post by ftanner » 2013-09-11 16:25

botg wrote: If you have malware on your computer, then the second you decrypt any of those passwords/keys/tokens/whatever, the malware has full access to it. This is the real problem, malware on your computer.
Be that as it may, that doesn't mean that it's not shitty infosec practice not to encrypt your file. Not only is it piss-poor, but you're hiding your head in the sand and saying "La la la la la... It's not my problem." When, in fact, it is. You have piss-poor security practices.

Information security is like an onion... It's built on layers. The more layers you have the harder it is to get to the underlying data. By not encrypting this file, you're making it that much easier for the "bad guys" to get the information. You are part of the problem, not part of the solution.

Personally, I think you don't do it because you don't know how and are just disguising it as a "malware will have access to it" issue.

#9 Post by botg » 2013-09-11 20:01

Information security is like an onion... It's built on layers.
And malware on your computer is a breach of the innermost layer.

#10 Post by ftanner » 2013-09-12 17:00

botg wrote:
Information security is like an onion... It's built on layers.
And malware on your computer is a breach of the innermost layer.
And not encrypting something that can be encrypted trivially is just plain stupid and bad practice. There are plenty of ways to steal the file itself without a machine being infected with malware. Especially if someone is using the "portable" version of FileZilla off of a thumb drive. If that file is encrypted that makes it more difficult to extract the information.

You're being obtuse just to be obtuse. You think your way is the better way and you're dead wrong. It would be trivial to implement the code, you just refuse to.

#11 Post by botg » 2013-09-12 19:23

Especially if someone is using the "portable" version of FileZilla off of a thumb drive. If that file is encrypted that makes it more difficult to extract the information.
Truecrypt anyone?

#12 Post by ftanner » 2013-09-12 20:50

botg wrote:
Especially if someone is using the "portable" version of FileZilla off of a thumb drive. If that file is encrypted that makes it more difficult to extract the information.
Truecrypt anyone?
So you're, again, falling back on the "La la la la not my problem la la la" mantra...

That tells me that either you're incompetent at infosec in and of yourself or you're just plain lazy. You are, literally, the only "Open Source" author that provides something that can contain passwords in a "plain text" file that doesn't encrypt them.

By your logic, no password manager should bother to encrypt them, TrueCrypt shouldn't, Linux shouldn't, KeePass shouldn't, et al.

Wow.... The hubris is astounding.

#13 Post by botg » 2013-09-13 06:19

Full disk protection and keeping your system free of malware. Then nobody can access any of your data.

#14 Post by ftanner » 2013-09-13 15:53

botg wrote: Full disk protection and keeping your system free of malware. Then nobody can access any of your data.
More of the same "La la la not my problem la la la..."

Laziness... Pure laziness...

I'm glad the makers of Linux, PuTTY, KeePass, Firefox, et al. don't have your philosophy.

#15 Post by boco » 2013-09-13 16:51

You're still here?