FileZilla Alert – Hacker Threat Through Trojan Virus

By Doogie   |   June 8, 2009   |   Copyright 2009 - All Rights Reserved

We have recently seen a number of issues posted in forums that are related to hacked web sites where it appears that a Trojan virus infecting a site owner’s PC may be sending FTP information to hackers. The common thread appears to be FileZilla. If you are using the FileZilla FTP utility, this is potentially a very serious threat to your web sites.

We have seen complaints posted from various shopping cart owners, blog owners and a wide range of web sites. It looks like hackers are gaining access to web sites using the web site’s actual FTP username and password. The common thread appears to be FileZilla. FileZilla stores FTP information in plain text in an XML file called filezilla.xml. Newer versions are supposed to ask during installation whether you want to store settings in an XML file or the Windows registry. The last new installation that I performed never asked. It simply stored the settings in a plain text file called sitemanager.xml, which is found in C:\Documents and Settings\Administrator\Application Data\FileZilla\. This is not the registry, but it is a common place to store user settings. I am using the current version 3.2.6.1 and all of my passwords were stored in plain text in this file.

It appears that the root cause of the problem is one of several Trojan viruses that infect a site owner’s PC. These viruses look for files containing passwords, which they then send to servers run by hackers. When a hacker has your site’s FTP information, they have full access to your web site and can modify any scripts that they desire. Hackers frequently plant more viruses on your server, which infect user PCs.

It is possible that you have an older version of FileZilla that still uses the filezilla.xml file. Do a search on your PC and look for this file. It is also possible that this file has been retained during upgrades to newer versions of FileZilla. If you have a newer installation, search for the file called sitemanager.xml. If you double-click the file in Windows, it will open in your browser, or you can view it using Notepad.

How to Fix the Problem
The long term fix would be for FileZilla to encrypt all FTP passwords in the XML files using a strong encryption method. It was pretty foolish to NOT encrypt this information.

The quick fix is to delete all of the passwords stored with FileZilla. I know this can be a nuisance, but your web site’s security is at stake.
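As an added example (not FileZilla's own code and not part of the original article), the script below audits a FileZilla 3 sitemanager.xml for entries that carry a stored plaintext password and writes a sanitized copy with those passwords removed, so that FileZilla prompts for them instead. It assumes the file layout the article describes (a FileZilla3/Servers/Server tree with User, Pass and Logontype elements), that the Windows path the article gives is what %APPDATA% resolves to, and that Logontype 2 means "ask for password"; the sample document is constructed here rather than copied from a real installation.

```python
"""Audit a FileZilla 3 sitemanager.xml for stored plaintext passwords and
produce a sanitised copy with the passwords removed.

Added example, not FileZilla project code. Assumptions (see comments):
element names and layout follow the FileZilla 3 format the article
describes; Logontype value 2 is taken to mean 'ask for password'.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample shaped like a FileZilla 3 sitemanager.xml (assumption:
# element names match the real format; values are made up).
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example-shop.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>shopadmin</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Shop</Name>
    </Server>
    <Server>
      <Host>ftp.example-blog.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>blogger</User>
      <Logontype>2</Logontype>
      <Name>Blog (asks for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def default_sitemanager_path():
    """Path of sitemanager.xml on Windows. The article gives
    ...\\Application Data\\FileZilla\\; %APPDATA% resolves to that folder
    (assumption: FileZilla was installed with the default settings location)."""
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")


def find_stored_passwords(xml_text):
    """Return (name, host, user) for every <Server> with a non-empty <Pass>."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        if (server.findtext("Pass") or "").strip():
            found.append((server.findtext("Name") or "",
                          server.findtext("Host") or "",
                          server.findtext("User") or ""))
    return found


def strip_stored_passwords(xml_text):
    """Return (sanitised_xml, count): every <Pass> element is removed and the
    entry's Logontype is set to 2 (assumption: 2 = 'ask for password'), so
    the client prompts instead of reading the secret from disk."""
    root = ET.fromstring(xml_text)
    removed = 0
    for server in root.iter("Server"):
        pw = server.find("Pass")
        if pw is None:
            continue
        server.remove(pw)
        removed += 1
        logontype = server.find("Logontype")
        if logontype is not None:
            logontype.text = "2"
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Audit the constructed sample, then the real file if one is present.
    targets = [("sample", SAMPLE_SITEMANAGER)]
    path = default_sitemanager_path()
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            targets.append((path, fh.read()))
    for label, text in targets:
        for name, host, user in find_stored_passwords(text):
            print(f"{label}: stored password for {user}@{host} ({name})")
        cleaned, n = strip_stored_passwords(text)
        print(f"{label}: {n} password(s) would be removed")
```

Run it as-is to see the audit of the sample; to sanitize a real file, write the first element of `strip_stored_passwords()` to a new file and swap it in only after keeping a backup of the original, since the stripped copy has no XML declaration and FileZilla will rewrite the file on its next save anyway.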

If you suspect that your PC may have been compromised by a recent virus infection, make sure that the virus has been eradicated and then change the web site FTP password in your server’s control panel.

Make sure that your PC is free from Trojans and viruses before you enter any passwords for access to any web site. Some viruses install keystroke loggers, which record your keystrokes and send them off to a hacker’s server, typically located in Russia or Romania. With a keystroke logger, nothing you enter using your keyboard is secure. These hackers are usually looking to gain access to victims’ bank accounts or PayPal accounts, but direct FTP access to web sites is the next best thing.

We will continue to research this issue and will post updates as we find more information. If you have additional information to share regarding this issue, please post it here.

More information about this exploit can be found in the FileZilla forums in a thread called Password file has been hacked and used by a virus.

About Doogie

Doogie is a tech evangelist who specializes in building WordPress sites and installing custom home theaters. He has been doing both since 2005.

20 Responses to FileZilla Alert – Hacker Threat Through Trojan Virus

  1. Grayson says:

    I found this file as well after the HTML Framer bugs compromised many of my sites … and continue to infiltrate. I only started using Filezilla a few weeks ago and the problem started soon thereafter. I recommend NOT using Filezilla

  2. Doogie says:

    Do not forget that the problem starts when your PC is compromised with a Trojan virus. There is a weakness with FileZilla, but the real weakness is with an unprotected PC.

    If you do not store passwords in FileZilla, you should not have a problem. I suspect that this issue will be addressed in the next FileZilla upgrade.

  3. JohnG says:

    The suppliers of FileZilla have said they are _not_ going to provide encrypted storage of your site passwords.

    It would be a very simple feature to add, and was in earlier editions.

    Maybe they have an ulterior motive. Maybe they are supplying you with a free program just so THEIR trojan can get your passwords! Makes me wonder. Perhaps you should ask yourself the same question.

  4. Doogie says:

    Hi John

    Where did they say that they will not provide encrypted passwords? Do you have a link? Encryption is simple enough to do, although even that is not absolutely foolproof any longer.

    The Trojan that I heard about sends a range of different files back to the culprits, so it is not just a FileZilla issue.

    If they are not going to fix this, the best advice that I can offer for FileZilla users is 1) do not store your passwords, and 2) make sure that your PC is protected with good anti-virus software.

  5. JohnG says:

    Doogie…

    Sorry for delay in responding, but I have been travelling…

    The developer “botg” mentions several times, in the following forum discussions, that he does not intend to offer password encryption.

    http://forum.filezilla-project.org/viewtopic.php?f=1&t=9543

    http://forum.filezilla-project.org/viewtopic.php?f=1&t=11003

    JohnG

  6. Doogie says:

    Hi John

    Thanks for the info. His responses are very disappointing and his solutions do not help the hundreds of thousands of people who are unaware of the password issue. It has always been common practice to encrypt passwords.

  7. Sherie says:

    I too have had an ongoing problem for probably 2+ months now with constant slams by trojans. I upload clean site pages (checked before upload). Within 12-48 hours, my index page is infected again, sometimes in as little as 10 hours. I immediately remove that one, upload a clean version and whammo – I get hit all over again.

    I’ve had to check my site 3-4 times daily so I can redo the index page, trying to stay one step ahead of the Google bots and the ‘harmful to your computer’ warning.

    Two things upset me most about this –

    1) Filezilla is terrible about replying to problem reports. They say on their site to report bugs immediately but nothing happens when you try to reach them. On the other hand, my host company (Green Olive Tree) has been wonderful to work with, always responding promptly and leaning over backwards to help. Still…FileZilla is MIA.

    2) That the Filezilla owners evidently know about the vulnerability and refuse to do anything about it, even though it is a simple fix. That is inexcusable to me.

    From what I’m reading here, these posts and proof links seem to validate my suspicions that the attacks are tied to FZ. The attacks always happen to my index page, which we are sure is clean on upload. I think it’s time to drop FZ and switch to a company that respects their customers…at least responds to them when there is a problem.

    Appreciate everyone’s frank comments, links and information about FZ! It’s the most I’ve been able to find out although I have suspected for some time now that FZ was related to the problem in some way, shape or form. I just didn’t know how to investigate being a novice at this techy stuff.

    Thank you again and best of success to everyone who posted about this problem!

    Sherie

  8. Sherie says:

    Update from Sherie:

    Wanted to let everyone know that FileZilla finally DID reply to my support request:

    They reported as follows:

    - they dismissed my bug report
    - i should scan my own site
    - FileZilla has no problems with malware

    So there you have it folks. I’m changing FTP programs.

    Have a good day!

    Sherie

  9. Nick says:

    I just ran into this problem. I was using filezilla and had saved my password on 3 sites. All 3 sites infected. It is placing code in .jsp and .php files from what I can tell. The code was at the bottom of these pages and the only way I figured it out is by looking at the log files. You have to remove the scripts from all the files or they overwrite your deletes. Dump filezilla – it is completely compromised.
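
As an added example (not code from the post or from any commenter), the script below shows two checks a site owner can run over a local mirror of the web root after a clean upload: a SHA-256 manifest of the clean files, re-checked later so that any re-infected or overwritten file stands out, and a scan for script or iframe tags appended after the closing html tag, the "code at the bottom of the page" pattern described in the comment above. It assumes a clean page ends with </html> with nothing executable after it, and every file content used in the demo is constructed.

```python
"""Detect re-infected web files after a clean upload.

Added example, not from the post or any commenter. Assumptions: web pages
end with </html> and nothing executable follows it; file contents used in
demo() are constructed samples.
"""
import hashlib
import os
import re
import tempfile

WEB_EXTS = {".html", ".htm", ".php", ".jsp"}
# Tags that should never appear after a document's closing tag.
TAIL_MARKERS = re.compile(r"<(script|iframe)\b", re.IGNORECASE)


def _web_files(root):
    """Yield (full_path, relative_path) for every web file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTS:
                full = os.path.join(dirpath, name)
                yield full, os.path.relpath(full, root)


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every web file under root."""
    manifest = {}
    for full, rel in _web_files(root):
        with open(full, "rb") as fh:
            manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists (changed, added, missing) relative to the baseline."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return changed, added, missing


def trailing_injection(text):
    """Return the stripped tail after the last </html> if it carries a
    script/iframe tag, otherwise None."""
    idx = text.lower().rfind("</html>")
    if idx < 0:
        return None
    tail = text[idx + len("</html>"):]
    return tail.strip() if TAIL_MARKERS.search(tail) else None


def scan_tree(root):
    """Relative paths of web files with script/iframe content after </html>."""
    hits = []
    for full, rel in _web_files(root):
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            if trailing_injection(fh.read()) is not None:
                hits.append(rel)
    return sorted(hits)


def demo():
    """Constructed scenario: clean upload, then a tag appended to index.php.
    Returns (changed, added, missing, tail_hits)."""
    with tempfile.TemporaryDirectory() as root:
        clean = "<html><body>Welcome</body></html>\n"
        for name in ("index.php", "about.html"):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(clean)
        baseline = build_manifest(root)
        # Simulated re-infection: a script tag appended below the closing tag
        # (placeholder host, constructed for the demo).
        with open(os.path.join(root, "index.php"), "a", encoding="utf-8") as fh:
            fh.write('<script src="http://placeholder.invalid/x.js"></script>\n')
        changed, added, missing = diff_manifest(baseline, build_manifest(root))
        return changed, added, missing, scan_tree(root)


if __name__ == "__main__":
    changed, added, missing, hits = demo()
    print("changed:", changed, "added:", added, "missing:", missing)
    print("trailing injections:", hits)
```

In practice, build the manifest from the local copy you know to be clean, keep it off the server, and re-run `diff_manifest` against a fresh download of the site; the manifest catches modified files of any kind, while `scan_tree` points at the specific appended-tag pattern without needing a baseline.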

  10. Jan van Niekerk says:

    I really really enjoyed reading this, since I see hundreds of HTML hacks per month on servers – and not confined to filezilla by any means. Thank you especially Sherie for your “insights”. We laughed and laughed and laughed. Long term fix is don’t run MS Windows, Outlook or MS Internet exploder, which opened the door for the evil programs that read the filezilla password file whenever you change it. However, this was unexpectedly entertaining – thank you again.

  11. Dooley says:

    Antivirus 2009 hit me over the weekend after I visited another designer’s site here in town. Of course, I’ve been using FileZilla, but while I had some passwords in there, most of them are in my head.
    Change passwords, Find/Replace, ugh… what a waste of ten hours. They’re still not all clean either.
    I can’t believe this ftp client is storing my info in plain text. And I thought browsers were bad (want me to remember your password for you? I promise I won’t tell… too many…)
    Thanks for the article!

  12. Steve says:

    This is really not a security issue. Quit being lazy and don’t save your passwords in your server settings. Erase private data after using Filezilla. Don’t blame the application.

  13. Lynn says:

    I have to agree with Steve here, although I’m not one to call anyone lazy because I know how lazy I am. Still, FileZilla is a free program and for all that, it’s great. But sometimes you do get what you pay for, and if you want a more secure program, you need to find other options. Frankly, my computer is what I worry about and if FileZilla is not storing my passwords in encrypted files, then I feel it’s my own responsibility to make sure my computer is as secure and safe as it can be. That’s the real issue here, as many other commenters have said before me.

  14. Kevin M says:

    I get a charge out of reading this hogwash! For anyone concerned about security to blame one program for storing your information in a plain file and is the cause of a breach is a load of crap! The operating system stores these files all over the computer.

    So instead of blaming a program for its lack of security, blame the PC owner for their lack of security on their end! You want to sit here and create an article on a free tool and blame them because you cannot keep your own system secure. It is a sign of your total lack of knowledge of how a computer works!

  15. mrveenie says:

    Well I think this is very very stupid.. This design fault in filezilla is quite major… Most FTP programs have encrypted password files.

    Some kind of trojan can get through the best security… You have a safe in your home for your money and stuff too, don’t you???

    Why is this program just giving my password as a stupid plain text file?? It’s the same as laying down your bankcard including the PIN code…

    I think it’s very stupid! My security on the laptop is strong enough: AVG runs every week, and a couple of malware busters also. And still I got busted by this virus..

    I couldn’t find out why my sites got busted all the time so I started looking in the laptop.. and yes I found one small trojan that came with a cookie… the firewalls! (3 in total) didn’t recognize it…

  16. Anonymous says:

    What I’d like to know is: If FileZilla stores the usernames and passwords in a folder in AppData, then it still needs ANOTHER application for it to go in and (1.) Find the passwords and (2.) use them to modify the files on my server and then implement malicious malware, like it did.

    And all this happens within the first few weeks that I use filezilla. Wouldn’t it take a little longer for some random application or website to be specifically looking for filezilla usernames at that exact file location OTHER than filezilla itself?

    Anyone see what I’m getting at?

    It’s very suspicious that all these testimonials claim this happened within just the first few weeks of using filezilla.

  17. Doogie says:

    Just keep in mind that the problem with your server being hacked may or may not have been related to FileZilla. Servers with many hosting companies are hacked simply due to weak security. Many site owners also use weak passwords that are easily cracked.

    Also, the Trojan virus needs to infect your PC before your passwords will be compromised. In other words, there are issues other than FileZilla that can lead to this problem. I’m not defending FileZilla, but I am trying to put the problem into perspective.

  18. Richard says:

    So Mac users like me need not be concerned by the hacking issue? If Trojans for Macs are rare or non-existent then using Filezilla is OK?

    I’d really like an answer from someone wiser than myself.

  19. Filezilla is free software. I’ve used it for several years. About a year ago, my laptop acquired a virus that was really hard to get out. My index pages kept getting defaced. For a while, I would change all my website passwords, and everything would be fine until I ran filezilla. Shortly afterwards my sites would be defaced again. I do not blame filezilla, however, for my lack of security at the time. If you have websites that handle sensitive data, you should consider purchasing something like WSFTP or some other FTP client that has encryption support.

    Furthermore, if you are able to read and write the program (C++ most likely) – go get the source code and change it to meet your needs. Who knows, you might find the secret that Filezilla is keeping from us about being into all these website defacements!

  20. Pingback: PHP Site hacked