Warning! your ftp client could harm your website!


A few months ago I tried to log into my blog and there was an error message on the screen saying that there was an error in my blog files so I was unable to log on.

I opened my cpanel and found that a list of ‘iframe’ commands had been added to the end of my index file overwriting part of what should be there, I cleared those and tried to log in again, I then found similar commands in default-filters and default-widgets.
I cleaned these and logged in successfully, I then did what I was planning to do in the first place.

I then tried to log into another blog on the same site, exactly the same problems occurred. I cleaned those and carried on.

The following day I tried to log in again, the problem was back again. I contacted my host support, they said mine was the only site affected on that server.
They suggested clearing the site, changing the passwords, scanning all files and rebuilding it, making sure I used all the latest updates for plugins etc.

I did this and all was fine for a few weeks, then the problem happened again, hitting all my different sites hosted on the server, I cleaned them all several times, but it kept coming back.
I changed all the passwords again, but that made no difference, after a few hours it was back.

I was certain it had to be something infecting through the hosting account as it was hitting all the sites at once, even though the blogs all had different admin passwords.

I was not saving my passwords when I logged into these sites and it was only affecting my hosting account, then I thought the only place set to log in automatically was my ftp client, this was Filezilla, one of the most popular ftp clients on the market, because it is freeware and easy to use.

Following investigations I found that Filezilla creates an xml file on the system that is written in plain language, including the password.

I then created a dummy record, “dennis.com” with the username “dennis” and the password “brooks”. Here is the resulting site manager window:

site manager

This is a section of the xml file created on my computer relating to the dummy account I had just created.

xml file

If you read through the text in the xml file you can clearly see the host name, user name and password. If you inadvertently download a scanning robot onto your computer they can then see your Cpanel password on your hosting account and infect your site.

You are probably thinking that you will start using the quick connect where you put in the details on the front screen of Filezilla. That won't help you; the information you put in there is stored in another xml file on your computer.

The only way I have found to do it with Filezilla is in the site manager: change the “Logon Type” from ‘Normal’ to ‘Ask for password’ by using the drop down arrow on the side, then the logon type in the xml file changes from 1 to 2 and the password is not shown.
OK so you have to put the password in every time you want to use the program, but surely that is better than having your site hacked and possibly months of work ruined.

Since doing that I have not been hacked again.
You may think that I am not security minded to allow something to invade my computer to do that, but I have an active personal firewall and up to date anti-virus on my computer, and it still got in.
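
The check described above can be automated. This is an added example, not part of the original post and not FileZilla's own code: it reads a site manager XML file and reports which entries still have a password stored, without printing the password. The sample XML is constructed for illustration, and its element names (Server, Host, User, Pass, Logontype, Name) are assumptions based on FileZilla 3's sitemanager.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a FileZilla 3 sitemanager.xml; the element
# names are assumed from that format, the values are the post's dummy record.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>dennis.com</Host>
      <User>dennis</User>
      <Pass>brooks</Pass>
      <Logontype>1</Logontype>
      <Name>dummy, Normal logon</Name>
    </Server>
    <Server>
      <Host>dennis.com</Host>
      <User>dennis</User>
      <Logontype>2</Logontype>
      <Name>dummy, Ask for password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Logon type codes as described in the post: 1 = Normal, 2 = Ask for password.
LOGON_TYPES = {"1": "Normal", "2": "Ask for password"}

def audit_sites(xml_text):
    """Return one finding per <Server>; the password itself is never copied."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        code = (server.findtext("Logontype") or "").strip()
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "logon_type": LOGON_TYPES.get(code, "other (%s)" % code),
            "password_stored": pw is not None and bool((pw.text or "").strip()),
        })
    return findings

def at_risk(findings):
    """Entries whose password sits in the file and should be switched."""
    return [f for f in findings if f["password_stored"]]

if __name__ == "__main__":
    for f in audit_sites(SAMPLE):
        flag = "PASSWORD STORED" if f["password_stored"] else "ok"
        print("%s: %s@%s logon=%s %s" % (f["name"], f["user"], f["host"], f["logon_type"], flag))
```

Pass the text of your own site manager file to `audit_sites` in place of `SAMPLE`; every entry returned by `at_risk` is one to switch to ‘Ask for password’.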

In some respects I was lucky, if they had not just wanted to add these commands to every index file on my host, but had taken it one stage further they could easily have gone into my Cpanel account, changed all of my administrator credentials and used my site for all sorts of destructive purposes, and I would not have been able to do anything about it, other than getting my host to totally wipe my site and have to start all over again.

I have not checked any other ftp clients to see if they use similar methods, so beware, they may cause similar issues.

BE WARNED, YOUR FTP CLIENT COULD BE A SECURITY RISK ON YOUR COMPUTER.

6 Responses to “Warning! your ftp client could harm your website!”
  1. ali Says:

    Linux Web Hosting For Small Businesses.
    http://twurl.nl/1ri4oo

  2. Jaap Verduijn Says:

    Oh dear! I thought changing the passwords would do it… thanks for pointing out that this isn’t sufficient with FileZilla. Typing a password every time is very little effort, compared with all the trouble one has with a hacked site.

    Thanks again!

    Jaap Verduijn.

  3. Taryn Degiulio Says:

    Lots of Great information in your posting, I bookmarked your site so I can visit again in the near future, Cheers, Taryn Degiulio

  4. datafeedr coupon Says:

    Affiliate marketing is an extraordinary way to generate money and be your own boss, putting your skills and creative knowledge to work for you and not others. Even so, affiliate marketing does need work and time. You must develop like any other business. By far the biggest reason why people do not succeed in the online business is that they never develop a business mentality. In order to be successful one has to be able to commit to a plan, products and strategy until one is successful. What occurs in reality is that people bail out at the first sign of an obstacle.

  5. Penny Auctions Says:

    The topic of this blog is really good. Thanks.

  6. Dyldan Says:

    Similar thing happened to me. An infected computer sent out Filezilla’s plain text password file to a server where it was used to log in and infect all HTML and PHP files on my site.

    Note that even if you use sftp, if you have the password in Filezilla it will be available unencrypted!

    The solution is to have your ssh key loaded into a key manager such as pageant, set no password in Filezilla and use sftp. Then you can automatically log in securely.
