Green

Monday, December 10, 2012

10 FTP Clients Malware Steals Credentials From

23 Sep 09 | Filed in Tips and Tricks

This year, most successful malware attacks against legitimate websites used stolen FTP credentials. I always suggest that you don’t store passwords in your FTP programs where they are easily accessible by any program running on your computer (including malware). For example, in FileZilla, FTP passwords are stored as plain text in configuration files. And FileZilla is not the only FTP client malware authors target in their hunt for website credentials.

In the recent post about Quicksilver malware network, you can read that the trojan behind the infamous iframe injection attack “looks for all kinds of configuration files of ftp programs in their default install paths”. I contacted the researcher and asked if he had a full list of the FTP clients this malware looks for.

And here’s the list:

- CoffeeCup Direct FTP
- TransSoft FTP Control 4
- Core FTP
- GlobalScape CuteFTP
- Far Manager (with FTP plugin)
- FileZilla
- FlashFXP
- SmartFTP
- FTP Navigator
- Total Commander

The list looks trustworthy. The same FTP programs can be found on the screenshot of the trojan’s code in Kaspersky’s article (in Russian) about the same attack.

So what if you are using one of these FTP clients?

Keep using it. Just don’t save your passwords there. Enter passwords every time you connect to remote servers. Or invest some time to read your program’s documentation and find out what it can offer to security-minded webmasters. Some clients support public key authentication, some offer encrypted site managers, etc.

Just to be on the safe side, scan your computer for malware. Then scan your site for signs of break-ins (you might want to start with Unmask Parasites checks). If you have any suspicion, change all passwords ASAP.

And don’t think that using some other FTP client means you can safely store your passwords in it. There may be another trojan that specifically targets your favorite program.

Move to secure file transfer protocols.

BTW, in my previous post you could see a link to an article about another trojan that sniffs FTP traffic and steals credentials. If you use FTP, you can’t hide your passwords from this trojan – FTP protocol doesn’t support any encryption.

The answer to this problem is secure protocols such as SFTP or FTPS. Most FTP clients support these protocols, so you don’t need to find a new program. However, if you are on a shared server, make sure that your hosting plan includes at least one of these secure protocols.
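An added example (not from the original post or from the FileZilla project): a small audit of a FileZilla-style site manager file that reports which saved sites keep a password on disk and which still use plain FTP, without ever returning the password itself. The XML sample is constructed, and the element names and `Protocol` codes (0 = FTP, 1 = SFTP) are assumptions based on the FileZilla 3 `sitemanager.xml` layout.

```python
import xml.etree.ElementTree as ET

# Assumed FileZilla 3 values (not stated in the post): <Protocol> 0 = plain FTP,
# 1 = SFTP; any other value is reported by its number only.
PROTOCOLS = {"0": "FTP (cleartext)", "1": "SFTP"}

# Constructed sample in the layout of a FileZilla 3 sitemanager.xml.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
      <User>webmaster</User><Pass>constructed-secret</Pass>
      <Logontype>1</Logontype><Name>Main site</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Logontype>2</Logontype><Name>Staging</Name>
    </Server>
    <Server>
      <Host>files.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>backup</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      <Logontype>1</Logontype><Name>Backups</Name>
    </Server>
  </Servers>
</FileZilla3>"""


def audit_site_manager(xml_text):
    """Return one finding per saved site; password values are never returned."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        stored = pass_el is not None and bool((pass_el.text or "").strip())
        proto = (server.findtext("Protocol") or "").strip()
        findings.append({
            "name": server.findtext("Name") or server.findtext("Host") or "?",
            "password_stored": stored,
            # base64 is an encoding, not encryption: any local program can undo it
            "encoding": pass_el.get("encoding", "none") if stored else None,
            "cleartext_protocol": proto == "0",
            "protocol": PROTOCOLS.get(proto, "protocol id " + proto),
        })
    return findings


if __name__ == "__main__":
    for f in audit_site_manager(SAMPLE):
        flags = [k for k in ("password_stored", "cleartext_protocol") if f[k]]
        print(f"{f['name']:10} {f['protocol']:16} {', '.join(flags) or 'ok'}")
```

Any site flagged `password_stored` should have its saved password removed from the client and changed on the server; any site flagged `cleartext_protocol` should be switched to SFTP or FTPS where the host supports it.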

Reader's Comments (20)

UnderForge of Lack » Blog Archive » 2009.09.25 Friday | 25 Sep 2009 12:11 am

[...] Following this year's large-scale leak of FTP account information (credentials), I FTP [...]

[Security] 10 FTP Clients Malwares Bet Their Money On | Technofriends | 25 Sep 2009 3:17 am

[...] is a list of 10 FTP Clients, Malwares are betting upon to get your userid and [...]

MyBlog « myBlog | 01 Oct 2009 5:18 pm

[...] http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/ http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ Comments (0) [...]

typedeaF | 02 Oct 2009 3:41 am

Very useful. I will include this in our customer support documentation.

-Chad

Chris | 02 Oct 2009 11:02 pm

Thank you!

My hosting, HOSTGATOR, gave me this link. My website got infected several times. When I visited my site, my PC got infected. Imagine the users/public!

These malicious people who create such malware should be in jail the rest of their life.

Thanks for the info.

Rajiv Doshi | 16 Oct 2009 9:15 pm

Besides FTP there are other options such as Accellion which uses SSL which provide more security for file transfer.

Rajiv Doshi, Social Media Marketing Manager,

Denis | 17 Oct 2009 11:18 am

Rajiv,

Is it different from FTPS?

Blog Tuna Deusto » infected by fopsl.cn malware | 31 Oct 2009 12:32 am

[...] and also this other one from unmaskparasites http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/ [...]

tom | 10 Nov 2009 6:25 pm

probably unintentionally, this article creates the impression that switching to secure ftp will help with this problem – it won’t!

if your computer is compromised and sending your ftp credentials to “the bad guys”, using secure ftp is only locking the barn door after the horse is long gone.

step 1 should be: kill the trojan! unless your computer is secured, it will send them off, no matter which protocol you use.

step 2 should be: don’t store ftp credentials on your computer. see number 1!

switching to secure ftp protocols is a good, but entirely different, subject.

Denis | 10 Nov 2009 10:32 pm

Probably unintentionally, this comment creates the impression that reading articles before commenting is not necessary ;-)

step 1 should be: read the blog post
step 2 should be: if you didn’t read the post, see #1.

The post says that webmasters should remove malware from their computer and then change passwords and keep them secure.

Secure protocols were mentioned as a best practice since there are (other) trojans that sniff FTP traffic.

Anyway, your comment is absolutely correct. Thanks.

Austin | 21 Jul 2010 6:37 pm

Thank you Tom……..This is what I thought, but too many posts lead you to believe that simply switching to secure ftp solves the problem.

On malware, FTP clients and Google at Webnova – Recursos Webmaster | 16 Nov 2009 2:40 pm

[...] that someone had my connection data. I kept investigating, and the problem lies in the fact that the account profiles or credentials of FTP clients are perfectly "stealable". In other words, there are trojans that install themselves on your PC and send all this information from [...]

Juan | 18 Nov 2009 8:22 pm

I’m using WinSCP, it encrypts stored sessions by using a master password. Much more secure than Filezilla.

Malware, continued and concluded « Documentation Mainframe | 27 Dec 2009 11:55 pm

[...] Thanks to the friendly Twitter users who advised me on Twitter; in the end I reinstalled my OS, ran a full scan, changed my FTP password, and now I no longer keep my usernames/passwords saved in my FTP client. Indeed, they are readable in plain text in an XML file. I didn't know that, but the malware did! On this subject, read this very interesting article. [...]

SiriuS | 06 Jan 2010 10:21 am

Total Commander 7.50 uses Master password to encode its FTP passwords.

Tiborlil | 11 Jun 2010 10:58 pm

We had 22 websites hacked a couple days ago… Some of them were not backed up. Thank you SmartFTP, and goodbye (your queuing system sucks anyway). Thanks to Text Workbench we managed to delete the injected js in all html, php and js files; and re-uploaded using filezilla. Unfortunately it crashed a couple times – does not like huge amounts of data – so I ended here. I’m trying WS FTP from ipswitch, apparently they have a secure encryption built in. Without support it’s not that expensive (just a tad more than smartftp).

Sere | 27 Jul 2010 9:02 pm

Wow, good to know! When transferring confidential data, you really should be using a managed file transfer software instead of P2P or FTP. Thanks!

Mike | 20 Aug 2010 11:13 am

You may add SPEEDCOMMANDER to the list.
I used that soft for FTP and stored some passwords in it – exactly these sites got hacked two days ago….
The Trojan stealing the info from my PC was Agent.biiu, which seems to have a good system to hide against Avira….

Leonardo Musumeci » Blog Archive » Unused programs – real threats | 16 Apr 2011 9:19 am

[...] I pointed them to my post, where I had described how the malware stole the passwords and all the login details stored in the 10 most popular FTP clients (e.g. Filezilla, CuteFTP, [...]

Is Your WordPress Website Distributing Malware in Google Image Search? | WordPress News at WPMU.org | 10 May 2011 1:44 pm

[...] Your FTP password is not safe sitting around in FileZilla or any number of other FTP programs. In FileZilla, for example, passwords are stored as plain text. This makes them accessible by any malware that is running on your computer. You could try a secure FTP program like WinSCP. [...]
