Don’t use Filezilla for ftp

A small number of our Internet Consultancy clients access their own websites using an ftp program (ftp = File Transfer Protocol). This is a seemingly simply program that allows you to copy files backwards and forwards to your website from your PC or Mac. For smaller businesses there is a great attraction to use a free product, such as Filezilla or CuteFTP (at WebSanity we use an excellent commercial program called SmartFTP – which we would recommend in preference every time).

Part of the way these programs work is to store a user name and password to access your web site(s). Of course you would NEVER store unencrypted passwords on your computer but unfortunately we found out recently that Filezilla does exactly that (other more professional ftp programs encryt such data).

This vulnerability is seemingly well known by virus writers and we have just encountered a case of a client who unfortunately had ‘caught’ some malware (a virus designed to harvest information from a machine, not to destroy it) – in theory not possible because they claimed to be running anti-virus software! This malware knew that Filezilla didn’t encrypt its passwords and so harvested them and then used them to inject hidden malware code into all their websites.

The client had to delete Filezilla, change all their ftp passwords and reformat the machine to remove the malware – removing these isn’t just a case of deleting a single file! We have then had to write a custom script on their behalf, installed onto each of their websites, to scan every website for any instances of the “iframe code injection” that the malware had created: otherwise it would have meant checking hundreds, if not thouands, of files by hand.

Lessons to be learnt:

  • Make sure you have up to date anti-virus software;
  • Run a full virus scan once a week;
  • Get some malware checking software if your virus software doesn’t check for this;
  • Keep a backup of ALL your files;
  • Use a quality firewall and READ the alerts it gives you;
  • Don’t use Filezilla – it is insecure!
This entry was posted in Web Hints & Tips and tagged , . Bookmark the permalink.

One Response to Don’t use Filezilla for ftp

  1. chris says:

    Yikes! Sorry to hear about your FileZilla probs. Never had that problem with FileZilla myself — in fact never knew there was an issue with FileZilla — so thanks for sharing this important piece of information.

About Gerald Thulbourn

Gerald Thulbourn setup WebSanity in 2004. He has a 1st class honours MEng in Microelectronics & Software Engineering (i.e. he's a techy), 5 A grades at A level (i.e. he works hard) and loves to communicate (i.e. odd for a techy). He hates tech speak, sloppy/badly tested code, and technology for the sake of technology's sake. He loves helping people understand marketing concepts and seeing how their application makes a real difference to their business. In particular he loves training; SEO, Website Analysis, WordPress etc. Read more about us on Google+