HostOnNet Blog

FIleZilla FTP Software Is Insecure

I was checking through the MetaSploit framework, i found the exploit to hack FileZilla.

FileZilla store passwords in pain text in XML file. This was the same for years. I thought they had fixed it long back. I have not used FileZilla for long, i know clients getting hacked using FileZilla FTP client. I use FlashFXP FTP client when i am on Windows, it have a master password, that will encrypt the passwords. So even if your PC is infected, hacker won’t get passwords of all your web sites.

Here is an interesting post by a FileZilla user

It has happended to me. Tuesday this week my cell phone rang but I couldn’t pick it up that moment. When I checked to see who called me, I saw the number of my business partner on the display. He almost never calls me. I thought it was about our tax declaration being due, so I didn’t call back because I didn’t feel like talking about this topic. I then drove to my office.

In my inbox there was an email by our web host. It said something about suspected malware on our web space, which my business partner had reported. So that was why he tried to reach me… They said they could find any problem on our web space but asked me to check it anyway. So I did…

I first went to the web site presenting one of our products. Within seconds, my anti virus software bombared me with malware alerts and an unwanted file loaded itself down to my desktop. I downloaded the index.htm file using FileZilla to see what was going on. There was a block of cryptic code in it. And not only there, but in every HTML file of that web site! I reported to our web host that the site was obviously totally infected with malware. So much for them not finding a problem with it. But that’s a different thing.

Next web site I checked was our company web site: Same thing, malware all over. Meanwhile I answered some emails by upset customers reporting the issue. I also informed my business partner that I was already about to fix everything. We are also running a web forum for our products. Needless to say it was infect too, and so was our landing page for selling our product as well as some web sites still under construction.

Each and every of our web sites were totally contaminated with malicious scripts. Most infected files were HTML files, but certain other files were affected too, like .htaccess, .js, .tpl and sometimes .php files. Thank heavens I had a backup of most web sites, so I could just delete and reupload them. Before I did that, I did an extensive virus scan on my hard drive of course, just to make sure that any new FTP passwords I set would not be stolen again. All this took me hours.

Unfortunately, I did not have a backup of our company web site. That’s because I have wanted to revise it anyway for months and thus considered it to be more or less temporary and not worthy of being backed up. So I had to manually remove the malicious blocks of code from hundreds of files. I finished at 3 am and went to bed around 5 am, after a final check for viruses on my hard drive and a message to my business partner and a couple of customers telling them that all viruses had been removed.

I woke up with a terrible headache next day, but was glad that everything was alright again. Or that’s what I thought… By chance I found out that a private web site of mine was also infected! How could that be? It was hosted by a free web space provider having nothing to do with our business web site! It occurred to me that I used FileZilla to manage both our business web sites and my private one… But how exactly did the attacker steal my passwords? Maybe he was sniffing around my ports on transmission of the passwords between my machine and the remote server? No! Why not? Because I haven’t used FileZilla for several months, neither for our business web sites nor for my private one. All web sites were running fine, so there was no need for FTP. So there is only one answer: The hacker must have stolen the passwords from the XML files stored by FileZilla!

Anyway, it took me another entire working day to also repair my private web site. I finished around 2 am last night, so today I also woke up with a massive headache. Meanwhile I learned that FileZilla does in fact store server passwords in a plain text file without encryption. I also learned that people have been complaining about this for years, and that the developer was refusing to fix that issue. Well, after all, FileZilla is a free software. Free software? I think that in the past 48 hours, I have more than paid for it…

I am using anti virus software and I am regularly doing scans for malware on my machine. So what else can I do to get my system “properly secured”? I am telling you this story to make you think twice. For me, the scenario of FTP passwords getting stolen from FileZilla and an attacker uploading malicious code to one or more web sites using the stolen information is not something that COULD happen. It’s something that DID happen to me, and it wreaked havoc on both my business and my private life! I had to cancel business talks, postpone unpaid bills, put customer orders on delay, sacrifice my leisure time and more. Now I hope that the issue is fixed, but I will still have some very busy days clearing the backlog that I am now facing.

Source

This bug is reported 3 years ago. Still no fix. If your are using FileZilla FTP client, make sure you are not saving passwords.


Posted in Security