  1. #1
    Member
    Join Date
    October 7th, 2007
    Location
    iowa
    Posts
    50
    WARNING - don't store passwords in FTP programs
    ABW community -

    Just wanted to alert the community that anyone who uses FTP programs and stores their FTP password in their FTP program is in for a world of hurt. The last two weeks have exploded with vulnerability issues through a trojan virus that simply takes your password from your FTP program and inserts an Iframe that shows up usually on index pages of your website. (More commonly known as the html/iframe virus).

    I used Filezilla for work, home and a satellite office and am experiencing problems with all three. What happens is when you make changes to your website, if you have a good antivirus installed, the next time you bring your site up it will indicate that you have a virus. On top of that, if someone does a Google search, Google will flag it as infested with a virus. You then have to remove the virus, and request Google to unflag you.

    Read about Filezilla here, these are recent posts in the LAST FEW DAYS:

    http://www.000webhost.com/forum/cust...ompromise.html AND HERE

    http://www.000webhost.com/forum/cust...ompromise.html

    If the infected files are on your webhost, the recommendation is to download them and clean them. I deleted Filezilla, did some virus scanning and then simply uploaded my site over the site online. It seemed to work. I have been training myself to use Dreamweaver, and they have a box to uncheck for save passwords - I can FTP right within the program...even better is to SFTP the site, but not everyone has luck with that working - I am not clear on SFTP, you probably still have to input your password every time.

    I am more of a Level 1 tech person at work, so I do not claim to be an expert, but the easiest thing you can do now is just DON'T STORE PASSWORDS IN FTP PROGRAMS!

    -Sweet Iowa

  2. #2
    Member
    Join Date
    October 7th, 2007
    Location
    iowa
    Posts
    50
    One more tip - it is recommended that you immediately change your passwords to your website if you were infected....

    Also, some FTP programs don't give you the choice of storing or not storing passwords, I think FileZilla falls into the category of you have no choice but to not store it. I don't want to bash FileZilla - they have created an excellent product, so please review these details for yourself....yes it will be a hassle to always type a VERY secure password in - but staring at a virus-infected website is nausea-creating...

    Hope someone benefits from this info!

    -Sweet Iowa
    Last edited by sweetiowa; June 25th, 2009 at 02:08 PM. Reason: more info added

  3. #3
    The Seal of Aproval rematt's Avatar
    Join Date
    November 19th, 2006
    Location
    The Windy City
    Posts
    4,140
    Thanks for the info and warning sweetiowa. I read about this somewhere yesterday and just ignored it, your post made it a little more urgent.

    Unfortunately FileZilla requires a stored password if you use their Site Manager for automated connections which means that I'll need to find a new client.

    -rematt
    "I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant." - Richard Nixon

  4. #4
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Did some looking around and can't see how a password stored in WS_FTP could give anyone access to my sites unless my PC is compromised. I'm not ready to type in passwords for many accounts until I see more. There are multiple ways a site could be hacked.


  5. #5
    Full Member gamweb61's Avatar
    Join Date
    January 17th, 2005
    Location
    Daytona Beach, Florida
    Posts
    203
    Filezilla can be installed with a "Secure" mode which means that passwords will not be stored.

    Are we certain that this thread is not just a rant against Open Source (free) software products?

  6. #6
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Excellent advice. A lot of high-profile websites have been hit because their FTP passwords have been harvested.

    I am not 100% certain that FileZilla is to blame, but remember that FTP credentials are transmitted in plaintext and are easy to sniff, either through a trojan on the PC or perhaps even a compromised router.

    If your website is your livelihood, then it's worth considering getting a machine just for doing your work and NOTHING ELSE.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  7. #7
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    OK, I couldn't get this thread out of my mind and so did a little more digging. There is a lot out there about the insecurity of ftp, and so I am making a couple of changes to be safer.

    For a while I'll give up my 5 year old version of WS_FTP Pro and go with the latest version of FileZilla 3.2.5

    My server is Pure-FTPD and I configured it for TLS Encryption Support Required. That made my old FTP client obsolete as it won't support that. I configured FileZilla for FTPES-FTP over explicit TLS/SSL and it now connects fine.

    It allows you to pick remembering login info, but for now there are too many passwords to type in each time. If some tech gurus convince me, that can change, but for now I'm hoping this updated encryption will be enough.


  8. #8
    http and a telephoto
    Join Date
    January 18th, 2005
    Location
    NYC
    Posts
    17,708
    The current versions of WS_FTP Pro have secure connections available.
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

  9. #9
    http and a telephoto
    Join Date
    January 18th, 2005
    Location
    NYC
    Posts
    17,708
    I am not 100% certain that FileZilla is to blame, but remember that FTP credentials are transmitted in plaintext and are easy to sniff, either through a trojan on the PC or perhaps even a compromised router.
    If that is the case, how does not storing them locally help? And with WS_FTP Pro they are encrypted on my computer, I can't even see what they are.

    I think old software is more the culprit than whether you let the program remember the password... and how it is transmitted.
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

  10. #10
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Quote Originally Posted by loxly
    If that is the case, how does not storing them locally help? And with WS_FTP Pro they are encrypted on my computer, I can't even see what they are.

    I think old software is more the culprit than whether you let the program remember the password... and how it is transmitted.
    There are two issues - one is that the passwords can be sniffed across the network (whether stored locally or not). That definitely seems to be a common current attack... the malware is running somewhere in the network stack and reports back any FTP credentials it sees.

    The other one (which I think is more a theoretical threat) is that malware could read the stored FTP passwords in your applications (I guess not just FileZilla, could be DreamWeaver or whatever). Even if the application stores the passwords in an encrypted format, it is possible to decrypt them with enough knowledge. I haven't seen any confirmed cases of this, but there is a LOT of malware about and it is something you should be wary of.

    It isn't absolutely clear how this malware is getting onto victims' PCs in the first place. People are reporting that they have current anti-virus and fully patched systems. It's most likely a drive-by download from another infected site. Some of these might be custom written just for a single infected site to avoid detection.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  11. #11
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Quote Originally Posted by Dynamoo
    There are two issues - one is that the passwords can be sniffed across the network (whether stored locally or not). That definitely seems to be a common current attack... the malware is running somewhere in the network stack and reports back any FTP credentials it sees.
    From Wikipedia:
    This is a problem common to many Internet protocol specifications written prior to the creation of SSL, such as HTTP, SMTP and Telnet. The common solution to this problem is to use either SFTP (SSH File Transfer Protocol), or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP as specified in RFC 4217.
    I think for me the solution has to be knowing my FTP server which is Pure-FTPD. I went into WHM and set the TLS Encryption to "Required" instead of the default "Optional".
    I forgot about GAN sending me links by ftp and that failed this morning so back to "Optional".

    Quote Originally Posted by loxly
    The current versions of WS_FTP Pro have secure connections available.
    Transport Layer Security (TLS) is supposed to be more advanced than SSL and it's what my ftp server uses. I can't find any reference to it in the WS_FTP support for the latest version so upgrading is not an option for me.

    I'll be able to use TLS with FileZilla for all my own ftp work, but will still have the risk of letting GAN ftp unencrypted.
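    Dynamoo's point above (FTP credentials cross the wire in plaintext unless TLS is negotiated) and John Powell's "Optional" vs "Required" TLS setting come together in the following added audit script. It is not code from anyone in this thread; it classifies constructed FTP control-channel transcripts, of the kind a server debug log or network sensor records, and flags the case where a client asks for AUTH TLS, is refused, and then sends PASS in the clear anyway, which is exactly what a server left on "Optional" permits. The transcripts, the usernames and the passwords in them are all made up for the example.

```python
# Constructed transcripts ("C:" client, "S:" server); values are invented.
SESSION_PLAIN = """S: 220 Pure-FTPd ready
C: USER webmaster
S: 331 User webmaster OK. Password required
C: PASS example-not-a-real-password
S: 230 OK. Current directory is /"""

SESSION_FTPES = """S: 220 Pure-FTPd ready
C: AUTH TLS
S: 234 AUTH TLS OK.
C: <TLS handshake; every later command is encrypted>"""

SESSION_FALLBACK = """S: 220 Pure-FTPd ready
C: AUTH TLS
S: 502 Command not implemented
C: USER webmaster
S: 331 User webmaster OK. Password required
C: PASS example-not-a-real-password
S: 230 OK. Current directory is /"""


def audit_session(transcript):
    """Classify one FTP control session. Returns {"mode", "user", "password_in_clear"}
    where mode is "ftpes", "plaintext", "tls-rejected-then-plaintext" or "no-login".
    The password value itself is never copied into the result."""
    awaiting_auth_reply = tls_established = tls_rejected = False
    user, password_in_clear = None, False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                awaiting_auth_reply = True          # explicit TLS (FTPES) requested
            elif cmd == "USER":
                user = arg
            elif cmd == "PASS" and not tls_established:
                password_in_clear = True            # readable by anything on the path
        elif side == "S" and awaiting_auth_reply:
            tls_established = text.startswith("234")  # 234 = server accepted AUTH TLS
            tls_rejected = not tls_established
            awaiting_auth_reply = False
    if tls_established:
        mode = "ftpes"
    elif password_in_clear:
        mode = "tls-rejected-then-plaintext" if tls_rejected else "plaintext"
    else:
        mode = "no-login"
    return {"mode": mode, "user": user, "password_in_clear": password_in_clear}
```

Running the three transcripts through audit_session shows why "Required" matters: only the server refusing plaintext logins stops the fallback session from leaking the password.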


  12. #12
    ABW Ambassador 2busy's Avatar
    Join Date
    January 17th, 2005
    Location
    Tropical Mountaintop
    Posts
    5,636
    There is a long but very detailed discussion on this situation at http://www.google.com/support/forum/...2c01bb78&hl=en and they say it does not matter whether you store passwords in your FTP client or not. The discussion is specifically in relation to an apparent corruption of the Google Analytics code, but it has nothing to do with GA and affects sites with or without GA. An Adobe exploit is suspected as one possible means of the trojan delivery.

    The trojan that does the dirty deeds seems to be a drive-by download or Adobe exploit that transmits passwords as they are used, so whether stored or not, it will detect them if not encrypted and send the info back to the Ukraine. One single IP there seems to be the bad guy here and they appear to have an automated setup that takes the detected login info and uses it to upload an iframe. The iframe is added to only a few files such as index.php found everywhere and won't infect more specific pages like bluewidgets.php. The iframe has malicious code that redirects visitors for further spread.

    The trojan needs to be on your machine or on another PC on your unswitched network to steal passwords. If you are using a switched router for your network it can prevent the packet sniffing via another PC, but an unswitched network hub can allow packet sniffing of passwords even transmitted from a Mac if there is a PC on that network that is infected. The discussion is as new as today and has far more details. Last read that it is affecting about 40,000 sites, one of them being a "Google-Cash" site (that brought some cheers to see it shut down).

  13. #13
    ABW Ambassador Rehan's Avatar
    Join Date
    November 3rd, 2006
    Location
    Toronto
    Posts
    536
    Thanks for posting this...I think it explains how one of the sites on my server was compromised (not my site, just one for a student group that I give web space to).

    The site uses the Joomla CMS and it ended up adding the iframe to hundreds of index.html/index.php files! It's very messy to clean up...
    --
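    2busy's description of the injected iframe (hidden, dropped only into index.php-style files) and Rehan's hundreds of index.html/index.php files to clean suggest the following added scanner. It is not code from this thread or from any of the posters; it walks a web root, checks every index.* file for iframes that are zero-sized, CSS-hidden or pointing at a host you do not own, and can strip them in place. The sample page, the host names and the heuristics are assumptions for the example, so review the hits before running with fix=True.

```python
import os
import re
from urllib.parse import urlparse

# One whole <iframe ...>...</iframe> element; group 1 is the attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

# Constructed sample page: one legitimate embed, one hidden injected iframe.
SAMPLE_PAGE = ('<html><body><iframe src="http://www.example.org/tour" width="400" height="300">'
               '</iframe><p>welcome</p><iframe src="http://malicious.invalid/in.cgi?3" width=0 '
               'height=0 style="display: none"></iframe></body></html>')


def iframe_is_suspicious(element, own_hosts):
    """Injected iframes are tiny, CSS-hidden, or point at a host not in own_hosts (a set)."""
    attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
             for m in ATTR_RE.finditer(IFRAME_RE.match(element).group(1))}
    tiny = any(attrs.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    host = (urlparse(attrs.get("src", "")).hostname or "").lower()
    return tiny or hidden or (bool(host) and host not in own_hosts)

def clean_html(html, own_hosts):
    """Strip suspicious iframes from one page; returns (cleaned_html, number_removed)."""
    removed = 0
    def keep_or_drop(m):
        nonlocal removed
        if iframe_is_suspicious(m.group(0), own_hosts):
            removed += 1
            return ""
        return m.group(0)
    return IFRAME_RE.sub(keep_or_drop, html), removed

def scan_tree(root, own_hosts, fix=False):
    """Check every index.* file below root (fix=True rewrites cleaned pages). Returns {path: count}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                cleaned, removed = clean_html(fh.read(), own_hosts)
            if removed:
                hits[path] = removed
                if fix:
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(cleaned)
    return hits
```

Run scan_tree on a downloaded copy of the site first and diff the result against the original before uploading, as sweetiowa did, since any heuristic like this can also match a legitimate hidden frame.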

  14. #14
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Quote Originally Posted by 2busy
    There is a long but very detailed discussion on this situation at http://www.google.com/support/forum/...2c01bb78&hl=en and they say it does not matter whether you store passwords in your FTP client or not. The discussion is specifically in relation to an apparent corruption of the Google Analytics code, but it has nothing to do with GA and affects sites with or without GA. An Adobe exploit is suspected as one possible means of the trojan delivery.
    Yes, the trojan often hides itself as fake Google Analytics code, but with a mis-spelled domain. GA has not been compromised.

    Quote Originally Posted by 2busy
    The trojan that does the dirty deeds seems to be a drive-by download or Adobe exploit that transmits passwords as they are used, so whether stored or not, it will detect them if not encrypted and send the info back to the Ukraine. One single IP there seems to be the bad guy here and they appear to have an automated setup that takes the detected login info and uses it to upload an iframe. The iframe is added to only a few files such as index.php found everywhere and won't infect more specific pages like bluewidgets.php. The iframe has malicious code that redirects visitors for further spread.
    Acrobat exploits are very common - it is extremely important to make sure that your machine is up to date. Some of these latest attacks use Flash exploits too, so you need to patch that as well.

    Quote Originally Posted by 2busy
    The trojan needs to be on your machine or on another PC on your unswitched network to steal passwords. If you are using a switched router for your network it can prevent the packet sniffing via another PC, but an unswitched network hub can allow packet sniffing of passwords even transmitted from a Mac if there is a PC on that network that is infected. The discussion is as new as today and has far more details. Last read that it is affecting about 40,000 sites, one of them being a "Google-Cash" site (that brought some cheers to see it shut down).
    Oooh... of course. I didn't think about switching. I have no idea if my home network switches or not, certainly almost all business environments do. I think some testing is in order!
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  15. #15
    Half a Bubble Off Plumb RemodelingGuy's Avatar
    Join Date
    June 1st, 2007
    Location
    Katy, Texas
    Posts
    3,250
    Quote Originally Posted by rematt
    Thanks for the info and warning sweetiowa. I read about this somewhere yesterday and just ignored it, your post made it a little more urgent.
    Ditto.

    I sent an email to my ISP and they told me I was covered.

    Funny thing is, I had to ask what my username and password were, they have been stored in my ftp program for so long.


    Jimmy McDonald - Your Local Hard Working RemodelingGuy ( & SprinklerGuy - & GarageGuy )
    StartRemodeling.com .... MySprinklerGuy.com .... MyGarageGuy.com ....
    We're Bettering YOUR Life by Improving Where YOU Live It ...
    Do What You LOVE & LOVE What You Do! ....
