Password file has been hacked and used by a virus
Moderator: Project members
-
- 504 Command not implemented
- Posts: 6
- Joined: 2009-04-09 19:18
- First name: Alphonse
- Last name: Daudet
Password file has been hacked and used by a virus
Hi all,
It took me some time to investigate, but I don't see another way, and I'm sure of the following about FileZilla: my FileZilla password file has been hacked by a trojan and given to a third party pirate...
All the web sites I'm taking care of have been hacked, and the ONLY place where the hacker could find the passwords was FileZilla, where all the passwords were stored, in this place and only in this place.
I'm using FileZilla client 3.2.3.1 and the hacker inserted the following script in each of my html files:
....
document.write(unescape('pZ%3CscPr
.....
of my four web sites !!
So I think the policy of having the FileZilla passwords in an unencrypted password is foolish!
After 15 years of computing (and I'm a Win32 programmer), this is the first time I got hacked....
Is there a way to overcome FileZilla passwords from being hacked so easily?
Thanks
Re: Password file has been hacked and used by a virus
Don't store passwords and most importantly, do not use Windows.
-
- 504 Command not implemented
- Posts: 6
- Joined: 2009-04-09 19:18
- First name: Alphonse
- Last name: Daudet
Re: Password file has been hacked and used by a virus
Quote: Don't store passwords and most importantly, do not use Windows.
Thanks, the first part of the reply can apply ... but could you remember all your passwords?? Me not, sorry...
Second related to windows, can definitively not apply...
Why not crypting this file using 1024bit key ?
The files are stored here :
C:\Documents and Settings\Administrator\Application Data\FileZilla
plain clear !
into sitemanager.xml !!
even the ones that are used for SSL accounts.
Al discussion has taken place here :
http://unsharptech.com/2008/05/20/filez ... plaintext/
I think this is a pity because FileZilla is really excellent!
Regards,
Thx
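An added example, not part of the original posts and not FileZilla code: a small audit that lists which site entries in a sitemanager.xml carry a password anyone with read access to the file can recover, so those credentials can be rotated first. The element names (Server, Host, User, Pass, Protocol, Name), the encoding attribute and the meaning of Protocol 0 are assumptions about the file layout, and the sample data is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample; layout and element names are assumptions about
# sitemanager.xml, and every host, user and password here is made up.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.org</Host><Protocol>0</Protocol>
    <User>webmaster</User><Pass>hunter2</Pass><Name>Main site</Name></Server>
  <Folder>Clients
    <Server><Host>sftp.example.net</Host><Protocol>1</Protocol>
      <User>deploy</User><Pass encoding="base64">czNjcjN0</Pass>
      <Name>Client A</Name></Server>
    <Server><Host>ftp.example.com</Host><Protocol>0</Protocol>
      <User>guest</User><Name>Asks for password</Name></Server>
  </Folder>
</Servers></FileZilla3>"""

# Storage forms that anyone who can read the file can reverse without a key.
REVERSIBLE = {"plaintext", "base64"}

def audit(xml_data):
    """List site entries that have a stored password, without exposing it."""
    findings = []
    for server in ET.fromstring(xml_data).iter("Server"):  # includes folders
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # nothing stored for this entry
        storage = pw.get("encoding", "plaintext")
        proto = (server.findtext("Protocol") or "0").strip()
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "storage": storage,
            "readable_from_disk": storage in REVERSIBLE,
            # Assumption: Protocol 0 is plain FTP, so the password also
            # crosses the network unencrypted on every login.
            "cleartext_on_wire": proto == "0",
        })
    return findings

if __name__ == "__main__":
    # Pass the path to your own sitemanager.xml; without one, use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):  # the password itself is never printed
        print("ROTATE" if f["readable_from_disk"] else "review", f)
```

Entries reported with readable_from_disk set are the ones to change on the server side after an infection; removing them from the file afterwards does not undo a copy that has already been taken.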
Re: Password file has been hacked and used by a virus
Easy. Open Explorer. Right-click on FileZilla's settings directory and enter the properties. There you can enable encryption.
-
- 504 Command not implemented
- Posts: 6
- Joined: 2009-04-09 19:18
- First name: Alphonse
- Last name: Daudet
Re: Password file has been hacked and used by a virus
botg wrote: Easy. Open Explorer. Right-click on FileZilla's settings directory and enter the properties. There you can enable encryption.
yes Ok, but if the virus has acquired the same privileges as me, it will not help ... (?)
Thanks
Re: Password file has been hacked and used by a virus
Let's assume all passwords are encrypted. Malware just waits till you connect to the server and then captures the password from memory. Protection gained by the encryption: None.
Re: Password file has been hacked and used by a virus
Enable kiosk mode 1 (no passwords stored in FZ) and use a software like KeePass to store your passwords (of course on a different machine not connected to the internet).
Quote: but if the virus has acquired the same privileges as me, it will not help ... (?)
Don't surf the internet with an administrator account.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
-
- 226 Transfer OK
- Posts: 392
- Joined: 2008-12-30 10:30
- First name: John
- Last name: Ratliff
- Location: In a small white padded room.
Re: Password file has been hacked and used by a virus
boco wrote: Enable kiosk mode 1 (no passwords stored in FZ) and use a software like KeePass to store your passwords (of course on a different machine not connected to the internet).
Is KeePass like kwallet or something? I don't use Windows much these days. Does it work with FileZilla?
boco wrote:
  Quote: but if the virus has acquired the same privileges as me, it will not help ... (?)
  Don't surf the internet with an administrator account.
Administrator accounts are evil, but at times they are a necessary one. Some programs simply don't run without full access. Stupid programmers from the pre-multi-user windows environments used to full access accounts. UAC is not great, but I think it's a decent compromise. Microsoft has to be pragmatic. They can't afford to throw away the wondrous Windows backwards compatibility.
Even if he was using a limited account, his privileges would certainly extend to his password file. If he couldn't read them at his privilege level, then he could never make use of them. Granted there are much more serious consequences to a virus running as admin...
http://jdrrant.blogspot.com/ - CODEpendent Blog
Re: Password file has been hacked and used by a virus
Quote: Some programs simply don't run without full access
Then simply don't use such programs. There are many alternatives.
-
- 504 Command not implemented
- Posts: 6
- Joined: 2009-04-09 19:18
- First name: Alphonse
- Last name: Daudet
Re: Password file has been hacked and used by a virus
Ok,
Now I got the final word about this case.
All my web sites were hacked due to FTP passwords that have been grabbed by a Trojan.
The process is very well explained here:
http://malware-web-threats.blogspot.com ... us-p5.html
I got infected by this :
http://www.symantec.com/security_respon ... 18-1009-99
A simple hack tool and a keyboard logger...
It took ALL the FileZilla passwords and they were sent to Russia (FTP log showed that the machine was running from Russia when it got the access of my web server (no brute force), and my PC was OFF at that time).
Despite I have ESET nod32 AND spybot BOTH enabled (resident protection) -> they both failed!
I was relying too much on these tools!
My mistake was that Acrobat Reader embedded to Firefox was too old and an exploit has been used.
I'm amazed how easy it is for these hack tools to get everything they want.
I'm considering using an account with a basic user privilege to surf on the web... good idea.
But if also FileZilla could improve the way of hiding the password, it would make the lives of those hackers more difficult.
To grab the password from memory ....hummm... I think this is far more difficult compared to grabbing a file located here:
C:\Documents and Settings\Administrator\Application Data\FileZilla
Also the password can be grabbed from the TCP/IP packet before it goes to the NIC, I know this... (except SSL/SSH used)
.... I'm a programmer also (>1Million line code)... So I'm aware
In 15 years of active PC usage, this is the first time I got hacked like that... I have of course changed all the passwords...
Not nice definitively...
Rgds,
Al.
-
- 226 Transfer OK
- Posts: 392
- Joined: 2008-12-30 10:30
- First name: John
- Last name: Ratliff
- Location: In a small white padded room.
Re: Password file has been hacked and used by a virus
botg wrote:
  Quote: Some programs simply don't run without full access
  Then simply don't use such programs. There are many alternatives.
Typical botg response. If my computer were slow, you'd be offering me a nickel.
Quote: It took ALL the FileZilla passwords and they were sent to Russia (FTP log showed that the machine was running from Russia when it got the access of my web server (no brute force), and my PC was OFF at that time).
They hacked your machine when it was off? That's amazing.
Quote: Also the password can be grabbed from the TCP/IP packet before it goes to the NIC, I know this... (except SSL/SSH used) .... I'm a programmer also (>1Million line code)... So I'm aware
A programmer, eh? And FileZilla is open source...
http://jdrrant.blogspot.com/ - CODEpendent Blog
Re: Password file has been hacked and used by a virus
alphonse777, you sound like an irate user. Take a break for a few weeks to calm down. Then come back here and think about my arguments. If malware is running on your system, no amount of obfuscation or encryption helps, malware simply waits silently until you decrypt the data.
Quote: Despite I have ESET nod32 AND spybot BOTH enabled (resident protection) -> they both failed !
Of course they failed, you are running expensive snake oil.
I am not using any firewalls, virus scanner or other malware detection utilities. The difference is that I know how to properly configure my systems and spend much time keeping them ALL up-to-date. And I simply don't use products with known unpatched vulnerabilities.
- Free FTP Love
- 500 Command not understood
- Posts: 2
- Joined: 2008-12-04 13:15
- First name: K
- Last name: Jones
- Location: USA est
my wordpress has turned to mush
Hi, I'm suffering from the exploit too. I have several sites in a mess right now. Is the best thing for me to do to change all the passwords and then make sure not to store them on my filezilla program? That's what I will be attempting to do during this next week.
I really like filezilla. I'm not very smart about most of what has been mentioned in this thread.
I have been using file zilla since 2006. I updated my program on this PC this week. I thought it might help, but, I spent hours working to reverse damage this evening, only to fail....
I did not know about the password storage "issue". Thanks for the guidance on that. Also, I am unsure how on earth did the viral jerks nest inside of my PC. I have downloads disabled, and I'm very careful and particular about what I (knowingly) let visit my hard drive.
OMG, I have sooooo much cleaning up to do. (cries eyes out)
Can you advise me how to STOP such intrusions in the future?
PS, if anyone here is a member of digital point, I need a small favor, if you please. Thanks (sorry off topic there)
Last edited by Free FTP Love on 2009-04-12 13:44, edited 1 time in total.
save until later
Re: Password file has been hacked and used by a virus
I cannot read your reply. Please use an even bigger font, maybe it will become so large that eventually it wraps around to be legible again
Free FTP Love wrote: file zilla
Why can people not spell FileZilla correctly? Did Zombie Jesus eat your brains?
- Free FTP Love
- 500 Command not understood
- Posts: 2
- Joined: 2008-12-04 13:15
- First name: K
- Last name: Jones
- Location: USA est
Re: Password file has been hacked and used by a virus
botg wrote:
  I cannot read your reply. Please use an even bigger font, maybe it will become so large that eventually it wraps around to be legible again
  Free FTP Love wrote: file zilla
  Why can people not spell FileZilla correctly? Did Zombie Jesus eat your brains?
OUCH! okay, i removed the size. SORRY!
I DID SPALE IT CORRECTLY at least once. jeeez.
Did Jesus eat your compassion?
.........
EDIT
PS. You sent me a warning about font size? Seriously, the font looked okay on my screen. Thanks.
save until later