
Using Filezilla? Be careful of hackers

Discussion in 'BlackHat Lounge' started by george3000, Mar 18, 2009.

  1. george3000

    george3000 Newbie

    Joined:
    Oct 13, 2008
    Messages:
    47
    Likes Received:
    13
    Yesterday, some of my autoblogs got hacked. I found my index.php rewritten as a redirect to the hacker's webpage, which is an infected webpage trying to install a trojan.

    This is what happened: the account-details (FTP username and password) of the hacked blogs were stored in the memory of the FTP-client I use which is Filezilla.

    I read on forums that Filezilla doesn't encrypt the stored passwords, which makes it easy for hackers to lay their hands on them. Probably I had some trojan on my pc which extracted these account-details and sent them to the hackers.

    I know you probably think that I should protect myself against trojans, but lately I hadn't heard any bells or whistles from my antivirus-software, so I didn't know there was something malicious going on under the hood of my computer.

    Luckily the hackers only modified the index.php file, so I didn't lose my databases and other stuff. I could easily fix the problem by replacing the index file with the original, but it could be much worse.

    So don't use Filezilla, or at least don't store your passwords in this FTP-client.
     
    • Thanks Thanks x 1
  2. thefallendevelopment

    thefallendevelopment Junior Member

    Joined:
    Aug 19, 2008
    Messages:
    170
    Likes Received:
    161
    Occupation:
    Crankin out sites
    Location:
    In the Caddy Shack
    Haven't heard of this. Thanks for the heads up! I'll look around some to see what I can find about this... maybe there's something that can be done to prevent things like this.
     
  3. chickuzt

    chickuzt BANNED BANNED

    Joined:
    Apr 19, 2008
    Messages:
    112
    Likes Received:
    97
    Databases, watch out they could have put some injections in there as backdoors. This is so they can get access to your site again once you change the index or whatever back. So I suggest you rollback to an earlier database backup.

    What is your site? I am well connected and your DB might be selling on the blackmarket.:(
     
  4. autosurf23

    autosurf23 Registered Member

    Joined:
    Feb 24, 2009
    Messages:
    50
    Likes Received:
    2
    thnx for the heads up
     
  5. foxler

    foxler Regular Member

    Joined:
    Mar 7, 2008
    Messages:
    279
    Likes Received:
    159
    To tell you the truth, I'm pretty sure they came in through your webhost or website. If your av software is not telling you that you have any bad stuff on your pc, then it's more likely that there is some vulnerable file either on your own hosting account (old plugins, php script) or they got in directly through another person's account (if it's a shared host) and were able to edit your index.php because it was chmodded to 777.

    Who's your hosting provider n what plugins are you running?

    I've been using filezilla for a long time now and have never had a problem since I switched. If you think someone went through the trouble of getting in your system to just steal an ftp password, then I think you better be watching your other email accounts and any other passwords that are stored on your pc (including all ff saved passes), because if they did get the passes from filezilla (which I doubt they did) then your whole system is vuln to keyloggers, net sniffers, and a lot more right now.
     
  6. tsanko

    tsanko Senior Member

    Joined:
    Aug 9, 2008
    Messages:
    833
    Likes Received:
    1,038
    Home Page:
    I use Filezilla and had the same problem, but think it's from hosting.
     
  7. The Joker

    The Joker BANNED BANNED

    Joined:
    Apr 8, 2008
    Messages:
    308
    Likes Received:
    152
    another reminder to all peeps is to back up all ya shit if ya haven't especially on ya server
     
  8. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,127
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
  9. moromete

    moromete Junior Member

    Joined:
    Jul 19, 2008
    Messages:
    183
    Likes Received:
    150
    It's not from filezilla and not from the hosting. It's a trojan that scans your pc for every ftp account and injects an iframe into every index.php file.
    I had the same problem, over 60 websites, but fixed the problem in 1 hour.

    I used bitdefender as antivirus..and it's not good. I tried and bought kaspersky and it's perfect now.

    The trojan gets you when you visit some warez websites. So I got mine..

    Use an ftp manager that lets you password protect and encrypt data!
     
    • Thanks Thanks x 1
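    The iframe injection described in this post (every index.php on the account getting a hidden iframe appended) is exactly what a file-integrity check over the web root catches. The script below is an added example, not from this thread or from any tool mentioned in it. It walks a web root, flags index.php files that contain an iframe sized to zero or styled invisible, and compares each file's SHA-256 against a baseline of known-good hashes so that a modified file is reported even when the injected markup does not match the heuristic. The clean index.php template, the sample blogs and the attacker.invalid hostname are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic (constructed for this example): an <iframe> that is zero-sized or
# styled invisible is the usual shape of an injected drive-by frame.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|visibility\s*:\s*hidden"""
    r"""|display\s*:\s*none|(?:left|top)\s*:\s*-\d""",
    re.IGNORECASE,
)


def find_hidden_iframes(text):
    """Return every <iframe ...> tag in text that looks hidden."""
    return [m.group(0) for m in IFRAME_RE.finditer(text) if HIDDEN_RE.search(m.group(0))]


def scan_webroot(root, baseline=None):
    """Check each index.php under root.

    baseline maps a path relative to root (POSIX form) to its known-good
    SHA-256 hex digest; a file is reported if it contains a hidden iframe
    or if its hash differs from the baseline entry.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("index.php")):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        iframes = find_hidden_iframes(data.decode("utf-8", errors="replace"))
        digest = hashlib.sha256(data).hexdigest()
        expected = baseline.get(rel) if baseline else None
        mismatch = expected is not None and expected != digest
        if iframes or mismatch:
            findings.append({"file": rel, "iframes": iframes, "hash_mismatch": mismatch})
    return findings


# Constructed sample content: a stock WordPress-style index.php and the same
# file with a hidden iframe appended, the way the thread describes it.
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
INJECTED_INDEX = CLEAN_INDEX + (
    '<iframe src="http://attacker.invalid/x.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
)


def demo():
    """Build a throwaway web root with one clean and two injected blogs and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        files = {
            "blog1/index.php": CLEAN_INDEX,
            "blog2/index.php": INJECTED_INDEX,
            "blog2/wp-admin/index.php": INJECTED_INDEX,
        }
        for rel, content in files.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        # Baseline taken when the files were known to be clean.
        clean_digest = hashlib.sha256(CLEAN_INDEX.encode()).hexdigest()
        baseline = {rel: clean_digest for rel in files}
        return scan_webroot(base, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], "hash_mismatch=%s" % finding["hash_mismatch"], finding["iframes"])
```

    In practice the baseline is recorded right after a clean install or restore (the hashes of every index.php, not just the top-level one, since the post notes wp-admin/index.php was hit too) and the scan is run from cron; any hit is restored from the backup copy rather than edited by hand, and the credentials that were stored on the infected machine are rotated.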
  10. tsanko

    tsanko Senior Member

    Joined:
    Aug 9, 2008
    Messages:
    833
    Likes Received:
    1,038
    Home Page:
    I use Kaspersky but it doesn't help me :(
     
  11. dvdcowboy

    dvdcowboy Junior Member

    Joined:
    May 10, 2008
    Messages:
    188
    Likes Received:
    39
    I use ubuntu linux.
    Haven't had any problems since I kicked windows to the curb.
     
  12. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,127
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    yep... linux is the way to go if you want to be secure.
    other than that, get a mac. hee! hee!
     
  13. proxyprincess

    proxyprincess Newbie

    Joined:
    Aug 2, 2008
    Messages:
    39
    Likes Received:
    636
    same here, I use linux as well.
    I also only used flash fxp when I used winblows; if you want a copy just pm and I'll get ya a good one.:)
     
  14. george3000

    george3000 Newbie

    Joined:
    Oct 13, 2008
    Messages:
    47
    Likes Received:
    13
    My host for these blogs is one.com (yes I know, worst buy ever for blackhat-purposes, but I'm waiting till my account expires before switching to another host)

    I use quite a lot of plugins, but I doubt that would be the problem.

    I'm not really concerned about my DB being sold on the blackmarket. It consists mainly of auto-generated content, so I don't worry about that. Thanks anyway.

    Well, that's exactly the same as what I experienced myself. Every index.php file was injected with an iframe. Even the wp-admin/index.php had to be repaired. Thanks for clearing this up. Any idea what the name of that trojan is?

    And to those who suggest to use Linux or Mac: I use too many applications that won't run on these OS'es, so that's not an option. But thanks anyway for trying to help.
     
  15. jake3340

    jake3340 Jr. VIP Jr. VIP Premium Member

    Joined:
    Nov 20, 2008
    Messages:
    1,368
    Likes Received:
    414
    Location:
    Pluto
    Reason I always delete strange looking processes when I start my PC.
     
  16. phlatz

    phlatz Newbie

    Joined:
    Dec 19, 2008
    Messages:
    4
    Likes Received:
    1
    Occupation:
    What job? jk... but serious
    Location:
    The city of SIN
    wow! good looking out!
     
  17. moromete

    moromete Junior Member

    Joined:
    Jul 19, 2008
    Messages:
    183
    Likes Received:
    150
    I forgot the name of the trojan, you can find more about this at blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/

    Use a good antivirus and anti-spyware together; I use a-squared Anti-Malware. Do not rely only on antivirus to detect trojans and spyware. If you download warez, scan it with an antivirus and antispyware, even if your antivirus is set to real time protection.
    Always have an anti-trojan cleaner ready on your computer - Trojan Remover.

    That's it ... and don't forget to encrypt your ftp stored accounts.

    Or, if you want to be 100% protected, use a usb stick with portable ftp software..
     
  18. Mage

    Mage Junior Member

    Joined:
    Jan 31, 2008
    Messages:
    150
    Likes Received:
    18
    By any chance is your hacker anti-american? I think in my case it was the hosting. Only one hosting account was affected and all the blogs with PR at least 2.