FTP Hacker

**Spiral** · 07-11-2009 07:48 PM

Originally Posted by ramzex

Crap!

This is not the iframe method!
We had exact same issues our our customers webservers.
We have investigated this issue and found the following:

ramzex:

I saw your original post a couple days ago and briefly contacted you
but I have also been very busy this week helping a lot of users deal with
the current hacking attacks going around, helping people secure their
servers, and have not had much free time available. I would very much
like to take a look at your server and sit down and go over with you all
that you have done to try to clean it out and update the security as
there is likely a great many areas you missed (based on your comments
in each of your posts) that I may be able to help you address.

You are already off to a good start in the things you list in your post
above but I also see a great number of critical areas to address where
you did not mention doing anything to secure your server in those areas.
When you are available, try to contact me and if I have a few free moments,
I'll try to make room to talk to you and help you with your server.

-Spiral

**Arcano** · 07-13-2009 05:04 PM

Hi Everybody.

This is my first post.
First of all please be careful everyone who uses FILEZILLA.

The reason? Very Simple
Look in your machine for a file called "sitemanager.xml".
You can open it with a notepad.
It holds all the information of your accounts.
In plain text.
User.
Password (not encrypted!!).

Once you have a trojan/virus (like Malicious.PDF.Gen, etc), is a piece of cake to it to get that information. It only have to read the xml and send that information to the attacker.

Now i am using another free ftp client. EFTP.
It encrypts everything. I will try it now.

Good Luck (and sorry for my odd english)

**konrath** · 07-13-2009 10:46 PM

[QUOTE=ramzex;541109]Crap!

This is not the iframe method!
We had exact same issues our our customers webservers.
We have investigated this issue and found the following:

Hello

I do not agree with you.

------------------------------
3. Script has modified the passwords of the accounts located in /etc/passwd
------------------------------

The passwords of the customers are not modified.

What I see in this log (sent by sallen812) is exactly what happens to my clients infected with iframe hack.

Thank you
Konrath

LinkBack

Thread Tools

FTP Hacker

Hacker?? Need help

is this a hacker ?

Crazy hacker.......

Is this a hacker??