We have recently seen a number of issues posted in forums that are related to hacked web sites where it appears that a Trojan virus infecting a site owner’s PC may be sending FTP information to hackers. The common thread appears to be FileZilla. If you are using the FileZilla FTP utility, this is potentially a very serious threat to your web sites.
We have seen complaints posted from various shopping cart owners, blog owners and a wide range of web sites. It looks like hackers are gaining access to web sites using the web site’s actual FTP username and password, and FileZilla is the common factor. FileZilla stores FTP information in plain text in an XML file called filezilla.xml. Newer versions are supposed to ask during installation whether you want to store settings in an XML file or the Windows registry. The last new installation that I performed never asked. It simply stored the settings in a plain text file called sitemanager.xml, which is found in C:\Documents and Settings\Administrator\Application Data\FileZilla\. This is not the same as the registry, but it is a common place to store user settings. I am using the current version 220.127.116.11 and all of my passwords were stored in plain text in this file.
It appears that the root cause of the problem is one of several Trojan viruses that infect a site owner’s PC. These viruses look for files containing passwords, which they then send to servers run by hackers. Once a hacker has your site’s FTP information, they have full access to your web site and can modify any scripts they desire. Hackers frequently plant more viruses on your server, which then infect the PCs of your visitors.
It is possible that you have an older version of FileZilla that still uses the filezilla.xml file. Do a search on your PC and look for this file; it may also have been retained during upgrades to newer versions of FileZilla. If you have a newer installation, search for the file called sitemanager.xml. Double-clicking the file in Windows will open it in your browser, or you can view it using Notepad.
How to Fix the Problem
The long term fix would be for FileZilla to encrypt all FTP passwords in the XML files using a strong encryption method. It was pretty foolish to NOT encrypt this information.
The quick fix is to delete all of the passwords stored with FileZilla. I know this can be a nuisance, but your web site’s security is at stake.
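The two steps above (find sitemanager.xml or filezilla.xml, then remove the stored passwords) can be done in a small script rather than by hand. The following is an added example, not code from the original post or from the FileZilla project. It assumes the Site Manager file has the layout the post describes, a `<Servers>` list of `<Server>` entries with `<Host>`, `<User>` and `<Pass>` children, and it works on a constructed sample document so that it runs offline; `audit_directory` looks in the folder named in the post and simply reports nothing if the files are not present.

```python
"""Audit a FileZilla Site Manager XML file for stored FTP passwords.

Added example, not from the original post or from FileZilla itself.
Assumption: the file is <FileZilla3><Servers><Server>...</Server></Servers>
with <Host>, <User> and <Pass> children per server, as the post describes.
The sample document below is constructed for the demonstration.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape the post describes: one site with a
# password saved in the clear, one site without a saved password.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example-shop.invalid</Host>
      <Port>21</Port>
      <User>shopadmin</User>
      <Pass>hunter2</Pass>
      <Name>Shop site</Name>
    </Server>
    <Server>
      <Host>ftp.example-blog.invalid</Host>
      <Port>21</Port>
      <User>blogger</User>
      <Name>Blog (no saved password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Location given in the post, plus the older file name it mentions.
DEFAULT_DIR = r"C:\Documents and Settings\Administrator\Application Data\FileZilla"
CANDIDATE_FILES = ("sitemanager.xml", "filezilla.xml")


def stored_passwords(xml_text):
    """Return [(host, user)] for every <Server> that carries a non-empty <Pass>.

    Any <Pass> element counts, whatever encoding attribute it carries:
    an encoding is not encryption, so the credential is still recoverable.
    """
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is not None and (pass_el.text or "").strip():
            found.append((server.findtext("Host", ""), server.findtext("User", "")))
    return found


def strip_passwords(xml_text):
    """Return (document without any <Pass> elements, number removed).

    This is the post's quick fix applied mechanically; FileZilla will then
    prompt for the password on each connection instead of reading it from disk.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for server in root.iter("Server"):
        for pass_el in server.findall("Pass"):
            server.remove(pass_el)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def audit_directory(directory=DEFAULT_DIR):
    """Map each candidate file that exists in `directory` to its stored credentials."""
    report = {}
    for name in CANDIDATE_FILES:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                report[path] = stored_passwords(fh.read())
    return report


if __name__ == "__main__":
    for host, user in stored_passwords(SAMPLE_SITEMANAGER_XML):
        print(f"stored password found for {user}@{host}")
    cleaned, count = strip_passwords(SAMPLE_SITEMANAGER_XML)
    print(f"removed {count} password element(s); {len(stored_passwords(cleaned))} remain")
    for path, entries in audit_directory().items():
        print(f"{path}: {len(entries)} site(s) with a stored password")
```

On a real PC you would write the output of `strip_passwords` back over the original file (after backing it up) and then, as the post goes on to say, change the FTP password on the server itself, since a copy of the old one may already have left the machine.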
If you suspect that your PC may have been compromised by a recent virus infection, make sure that the virus has been eradicated and then change the web site’s FTP password in your server’s control panel.
Make sure that your PC is free from Trojans and viruses before you enter any passwords for access to any web site. Some viruses install keystroke loggers, which record your keystrokes and send them off to a hacker’s server, typically located in Russia or Romania. With a keystroke logger, nothing you enter using your keyboard is secure. These hackers are usually looking to gain access to victims’ bank accounts or PayPal accounts, but direct FTP access to web sites is the next best thing.
We will continue to research this issue and will post updates as we find more information. If you have additional information to share regarding this issue, please post it here.
More information about this exploit can be found in the FileZilla forums in a thread called “Password file has been hacked and used by a virus”.