Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: bakedjake
I created a new virtual host on my server and started a new website nine days ago. Since then I have changed the ftp password three times because I needed to give ftp access to a software vendor. After the software folks did their thing I changed the pw.
Yesterday, I got hacked on my NEW website (five day old password) and whoever put an iframe at the top of several files to a website that executes a Trojan of some sort.
So, I searched the website log files high and low and could not find a www event that coincided with the affected file change time – nothing. Remember, this is a new site so there is not much traffic.
Finally, I looked in the /var/log/ftp log files and there it was – they had first logged in on the old site – logged out and then logged in to the new virtual website, changed directories and uploaded files.
A hacker has my ftp logins and passwords! Now, these passwords are totally wild as I use a combination of letters, numbers, lower and upper case. The chances that somebody cracked both passwords are less than me winning the lotto five times in a row… I’m the only person in the world that knows these passwords – period (so I thought).
Yes, I have changed everything, done virus scans and even called the host.
So, I’m looking for theories – here’s mine:
Keystroke logger of some flavor on my pc’s
Hosting company hacked my password files? These are encrypted..
The hacker has since tried to login three times - I’m totally paranoid.
You should really consider removing FTP access and switching to the secure SSH protocol - FTP passwords are sent over the wire in plain text, so the protocol is inherently insecure and is only really used for legacy purposes.
Yes, I did have Filezilla on my pc and used the software frequently to down and upload files. Your right in that Filezilla stores passwords, logins, ftp host in easy to steal text.
Your theory is the most probable scenario for me as this is the only common link for both accounts. Also, my other accounts accessed on these pc's (paypal, bank, bank#2, etc) have not been compromised.
Do you know the name of the virus by any chance?
Not only does it specifically seek out FTP credentials from FileZilla and Dreamweaver, it also sniffs traffic via the network card.
The worm usually uses vulnerabilities in Adobe Reader to gain access to your machine (simply viewing a specialy-crafted PDF file with a vulnerable version is sufficient), so make sure that program (if you have it installed) is up to date - at the time of writing, the current version of Acrobat Reader is 9.2.0.
so make sure that program (if you have it installed) is up to date - at the time of writing, the current version of Acrobat Reader is 9.2.0.
Even better, use a different PDF reader. Of course, if you used Linux on the desktop you would get a different PDF reader installed by default, and probably a file manager that can do sftp (and lots of sftp tools installable in a couple of clicks).
I use rsync over ssh for copying files, and a text editor that can open files over ssh for stuff that I need to edit directly on the server. You can definitely do the former on Windows, I would be surprised if you cannot do the latter.
I never accessed my websites via Dreamweaver. Filezilla is sure convenient and an easy to use ftp client. I currently have FTP disabled on all accounts.