Our friendly webhost, tigertech has informed about a virus that steals saved FTP passwords, such as the Gumblar or Trojan.PWS.Tupai.A virus and sends FTP usernames and passwords to a server controlled by “hackers” automatically.
If you’ve stored your FTP account password in your FTP program, the virus can steal the password and send it to “hackers” who then use
it to modify your Web site.
How these viruses work
* If your computer is infected with virus when you visit an infected Web page.
* The virus examines your computer to see if you use any common FTP programs which has stored with username and password.
* It sends the usernames and passwords to a server controlled by “hackers” automatically. This way Hacker gets your FTP password easily and get access to your website files so easily.
* The hackers make an automated FTP connection to your webserver and download any HTML or PHP files they find.
* Hackers modify the files by adding virus code (an “iframe” tag) that spreads the virus by uploading changed files back.
* Your site starts spreading the virus to new victims.
* Within a few days, your site will be marked as “This site may harm your computer” on Google, causing the number of visitors to drop dramatically.
The following programs are vulnerable to the virus:
SecureFx
IpSwitch
FTPWare
Rhine Software
FileZilla
Total Commander
BulletProof Ftp
GlobalScape Ftp
CoffeCup Fp
Ftp Commander Pro
Smart Ftp
Leap Ftp
Far
It’s a good idea to not to store your ftp passwords. The Best way to protect is to scan your computer for “malware” every so often. Here the product that can detect these kinds of viruses is Malwarebytes.
If I may add to this informative post.
The virus works in many ways. It doesn’t just steal the saved or stored passwords on your PC. It can also sniff the FTP traffic or install a keylogger.
Since FTP transmits all data in plain text, it’s quite easy to sniff. Here’s a video we did on sniffing FTP traffic. It will show you how easy it is. http://www.youtube.com/watch?v=oYI1kssrrbc
If the virus includes a keylogger, which was added to later viruses as the hackers learned that everyone was recommending that they don’t store FTP passwords in their software, when you type in your password, it gets stolen and sent to the hacker’s server where it stores it.
Once your FTP username and password have been stolen, the hacker’s use an automated program to attack. It logs into your site, with your FTP username and password, then looks for certain files. Some groups of hackers only look for index files; index.html, index.htm, index.php, index.cfm, etc. Other groups of hackers have their programs set to infect all .html files, or all .php files or even sometimes all .js files.
That’s why it’s important to really protect your PC. The virus first detects what anti-virus software you have installed and it knows how to evaded detection. Sometimes it turns off the anti-virus software other times it just prevents new updates.
We’ve had good luck with AVG, Avast and Avira. The best protection is to not use a user account on your PC with administrator rights. The virus can only obtain the same rights as the currently logged in user. If you can install software with your user account – then so can the virus. If you can shut-off your anti-virus software – then so can the virus.
Take the time to setup a non-administrator account on your PC. Use that for everyday work. When you need to install something – logout, login as the administrator install the software, then logout and login as the non-administrator user.
We’ve been doing this for 2-1/2 years on a couple of Windows XP Professional PCs and we don’t even have an anti-virus program installed on these 2. This of course, is never recommended. We did it to test our theory. We keep the Windows XP PCs updated with all the latest patches and updates – but no anti-virus software. And neither of them have been hacked in over 2-1/2 years.
We hope you found this information worth more than what you paid for it.