A few months ago I tried to log into my blog and there was an error message on the screen saying that there was an error in my blog files so I was unable to log on.
I opened my cPanel and found that a list of ‘iframe’ commands had been added to the end of my index file, overwriting part of what should be there. I cleared those and tried to log in again, and then found similar commands in default-filters and default-widgets.
I cleaned these and logged in successfully, then did what I was planning to do in the first place.
I then tried to log into another blog on the same site, and exactly the same problems occurred. I cleaned those and carried on.
The following day I tried to log in again, and the problem was back. I contacted my host support, and they said mine was the only site affected on that server.
They suggested clearing the site, changing the passwords, scanning all files and rebuilding it, making sure I used all the latest updates for plugins etc.
I did this and all was fine for a few weeks, then the problem happened again, hitting all my different sites hosted on the server. I cleaned them all several times, but it kept coming back.
I changed all the passwords again, but that made no difference; after a few hours it was back.
I was certain it had to be something infecting through the hosting account, as it was hitting all the sites at once even though the blogs all had different admin passwords.
I was not saving my passwords when I logged into these sites, and it was only affecting my hosting account. Then I thought the only place set to log in automatically was my FTP client. This was FileZilla, one of the most popular FTP clients on the market because it is freeware and easy to use.
Following investigations, I found that FileZilla creates an XML file on the system that is written in plain text, including the password.
I then created a dummy record, “dennis.com” with the username “dennis” and the password “brooks”, here is the resulting site manager window
This is a section of the xml file created on my computer relating to the dummy account I had just created.
If you read through the text in the XML file you can clearly see the host name, user name and password. If you inadvertently download a scanning robot onto your computer, it can then see your cPanel password on your hosting account and infect your site.
You are probably thinking that you will start using the quick connect, where you put in the details on the front screen of FileZilla. That won't help you: the information you put in there is stored in another XML file on your computer.
The only way I have found to do it with FileZilla is in the site manager: change the “Logon Type” from ‘Normal’ to ‘Ask for password’ by using the drop-down arrow on the side. The logon type in the XML file then changes from 1 to 2 and the password is not shown.
OK, so you have to put the password in every time you want to use the program, but surely that is better than having your site hacked and possibly months of work ruined.
Since doing that I have not been hacked again.
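The check described above can be automated. The following is an added example, not part of the original post or of FileZilla: it audits a site manager XML file and reports which saved sites still have a password on disk, without printing the password. The element names (`Server`, `Host`, `User`, `Pass`, `Logontype`, `Name`) are assumed from the FileZilla 3 layout, and the sample data is constructed from the dummy record in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the dummy record described in the post.
# Element names are assumed from the FileZilla 3 site manager layout;
# compare them with your own file before relying on the result.
SAMPLE_XML = """<FileZilla3>
  <Servers>
    <Server>
      <Host>dennis.com</Host>
      <User>dennis</User>
      <Pass>brooks</Pass>
      <Logontype>1</Logontype>
      <Name>dummy normal logon</Name>
    </Server>
    <Server>
      <Host>dennis.com</Host>
      <User>dennis</User>
      <Logontype>2</Logontype>
      <Name>dummy ask for password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_site_manager(xml_text):
    """Return one finding per saved site, never echoing the password itself."""
    findings = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        # A non-empty <Pass> element means the credential is readable on disk.
        stored = pass_el is not None and bool((pass_el.text or "").strip())
        findings.append({
            "name": server.findtext("Name", default="(unnamed)").strip(),
            "host": server.findtext("Host", default="").strip(),
            "logontype": server.findtext("Logontype", default="").strip(),
            "password_on_disk": stored,
        })
    return findings

def at_risk(findings):
    """Names of the sites whose password can be read straight from the file."""
    return [f["name"] for f in findings if f["password_on_disk"]]

if __name__ == "__main__":
    for f in audit_site_manager(SAMPLE_XML):
        status = "PASSWORD STORED" if f["password_on_disk"] else "ok"
        print(f'{f["name"]:<24} {f["host"]:<12} logontype={f["logontype"]} {status}')
```

To run it against a real installation, pass the contents of your own site manager file to `audit_site_manager` instead of `SAMPLE_XML`.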
You may think that I am not security minded to allow something to invade my computer to do that, but I have an active personal firewall and up to date anti-virus on my computer, and it still got in.
In some respects I was lucky. If they had not just wanted to add these commands to every index file on my host, but had taken it one stage further, they could easily have gone into my cPanel account, changed all of my administrator credentials and used my site for all sorts of destructive purposes, and I would not have been able to do anything about it other than getting my host to totally wipe my site and starting all over again.
I have not checked any other FTP clients to see if they use similar methods, so beware, they may cause similar issues.
BE WARNED, YOUR FTP CLIENT COULD BE A SECURITY RISK ON YOUR COMPUTER.



November 19th, 2009 at 2:59 pm
Oh dear! I thought changing the passwords would do it… thanks for pointing out that this isn’t sufficient with FileZilla. Typing a password every time is very little effort, compared with all the trouble one has with a hacked site.
Thanks again!
Jaap Verduijn.
March 2nd, 2010 at 9:34 am
Lots of Great information in your posting, I bookmarked your site so I can visit again in the near future, Cheers, Taryn Degiulio