FLASH FXP on malware target list
paul_9
09-28-2009, 05:11 PM
Hey Bigstar!
I own a web hosting company, and I recommend Flash FXP to all of my clients ...
Recently I have had several clients (9 and counting) get all of their sites "hacked" by malware that looks for their FlashFXP password files, and gains access to their websites via FTP ..
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
I was wondering if it would be possible to request that the flash FXP password file be encrypted, or something similar, to prevent malware from stealing our passwords?
I have used FlashFXP for several years now, and would like to continue to do so, but we need some kind of password encryption, so we can feel safe using this software.
I for now am using WinSCP, but I do miss the convenience of FlashFXP, and having to enter my passwords manually each time I use it, is far too much inconvenience.
Here is a bit more on this particular malware problem ...
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/
Thank you for your time!
Paul
MxxCon
09-28-2009, 08:36 PM
FlashFXP had Site Manager file encryption since like version 2.0 back in 2003 if not even earlier
paul_9
09-28-2009, 11:09 PM
> FlashFXP had Site Manager file encryption since like version 2.0 back in 2003 if not even earlier
OK .. but that prevents people from using the actual site manager to enter your sites ... if they are sitting at your computer ....
What I am talking about is much more sinister ... I'm talking about malware designed to scan your local computer and look for the password flat files themselves.
And believe me this is very real, as I just had 9 of my hosting clients get hit by this ... and 6 of them that I know for sure use FlashFXP.
If this was not possible to do with FlashFXP, why would it be listed on a report that just came out last week?
:confused:
I do hope Bigstar takes this matter more seriously than you do!
MxxCon
09-29-2009, 01:27 AM
> OK .. but that prevents people from using the actual site manager to enter your sites ... if they are sitting at your computer ....
WRONG!
This will prevent ANYBODY from accessing your sites without knowing the original encryption password. That password is not stored anywhere in FlashFXP. Without that password your sites are inaccessible.
> What I am talking about is much more sinister ... I'm talking about malware designed to scan your local computer and look for the password flat files themselves.
I'm well aware of what you are talking about, and bigstar knew about this well before this parasites blog came into existence, and hence why he implemented ENCRYPTION into sites.dat.
> And believe me this is very real, as I just had 9 of my hosting clients get hit by this ... and 6 of them that I know for sure use FlashFXP.
I'm well aware this is a real problem. Doing tech support for one of the largest hosting companies in the US, I've seen my share of exploits and hacks and malware and what-have-you.
> If this was not possible to do with FlashFXP, why would it be listed on a report that just came out last week?
Did you COMPLETELY read that article or just look at the pretty "top 10" list?
In that article it says:
> Or invest some time to read your program's documentation and find out what they can offer to security-minded webmasters. Some clients support public key authorization, some offer encrypted site managers, etc.
Did you read what I posted in my last message?
Did you look at FlashFXP and try to figure out what I told you?
> I do hope Bigstar takes this matter more seriously than you do!
I expect an apology from you for this!
Of all the people that post on this forum, bigstar will confirm that I'm one of the most security-minded people here. He'll tell you about the numerous times when I was bugging him to fix potential exploits in FlashFXP or modify a feature to make FlashFXP more secure.
FlashFXP by default scrambles your password. It is so that a casual browser won't see your passwords stored in plain text. But once you get somebody's sites.dat file and are persistent enough, it's relatively simple to de-scramble those passwords. De-scrambling algorithms have been posted online.
However, AT LEAST SINCE 2003 FLASHFXP HAD AN OPTION TO PROPERLY *ENCRYPT* THE WHOLE SITE MANAGER WITH A MASTER PASSWORD THAT IS NOT STORED ANYWHERE.
Even if malware still steals your ENCRYPTED sites.dat file, it'll be useless to them without knowing the original master password.
Furthermore, if you are afraid of somebody sniffing your network connection but you can't use full encryption like SSL or SSH, FlashFXP has always had support for S/KEY logins. It's a one-time, one-way password derived from your site password. Even if somebody gets hold of your S/KEY password, they won't be able to log in to your site a 2nd time.
And FlashFXP supports SFTP.
FlashFXP provides all the tools and features necessary to keep your sites secure.
It's up to the user to decide what kind of security measures they want to enable and use.
You can lead a horse to the water, but you can't make it drink.
People on this forum take security very seriously.
Your uneducated reaction is along the lines of running in a movie theater and shouting fire just because they are showing a movie about firefighters.
Get all the facts before you react.
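The S/KEY behaviour described in the post above, as an added example that is not part of the original thread or FlashFXP's code: a hash-chain one-time password where a captured value cannot be replayed. It uses SHA-256 for brevity (classic S/KEY uses MD4 folded to 64 bits), and the names `Server`, `otp` and the sample secret are constructed for illustration.

```python
import hashlib
import hmac

def H(data):
    return hashlib.sha256(data).digest()

def otp(secret, seed, count):
    # Chain value number `count`: H applied `count` times to seed + secret.
    value = seed + secret
    for _ in range(count):
        value = H(value)
    return value

class Server:
    """Keeps only the last accepted chain value, never the site password."""

    def __init__(self, secret, seed, length):
        self.seed = seed
        self.remaining = length
        self.last = otp(secret, seed, length)  # computed once at enrolment

    def challenge(self):
        # Seed and chain position the client must answer with.
        return self.seed, self.remaining - 1

    def login(self, candidate):
        if self.remaining <= 1:
            return False  # chain used up; the user must re-enrol
        if not hmac.compare_digest(H(candidate), self.last):
            return False
        # The accepted value becomes the new reference, so it can never
        # be accepted a second time.
        self.last = candidate
        self.remaining -= 1
        return True

if __name__ == "__main__":
    secret = b"constructed site password"
    server = Server(secret, b"seed01", 5)
    seed, n = server.challenge()
    on_the_wire = otp(secret, seed, n)  # what a network sniffer would see
    print("first login:", server.login(on_the_wire))
    print("replay of sniffed value:", server.login(on_the_wire))
```

The server can verify the next password by hashing it once, but going from an observed value to the next valid one would require inverting the hash.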
bigstar
09-29-2009, 07:16 AM
MxxCon knows security and FlashFXP very well. He's been a beta tester for us for as long as we've had beta testers.
All popular software can be a target for malware, especially those that store site information.
One of the first things I added to protect our customers was Application Password Protection. By enabling this you are prompted for the password each time you start FlashFXP. This password isn't stored anywhere, and your data files are encrypted with strong encryption. If you lose or forget the password, there is no way to recover it other than a brute force attack. For some customers it can be somewhat inconvenient to enter the password each time you start FlashFXP, but if you want real protection then you need to accept the fact that a password needs to be entered each time you start FlashFXP. Otherwise your security isn't guaranteed.
To enable Application Password Protection
Main Menu > Sites > Security > Set Password
I've thought about changing the scrambling method used in the sites.dat since we've used the same method for years, but changing it only gives a false sense of security. I've also looked into encrypting the data files with a generic key, but again, this is just a false sense of security and that's why we don't do it.
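The difference between a generic key and a master password that is not stored, discussed in the two posts above, as an added example that is not FlashFXP's code or file format: the same record is protected once with a key that ships in the program and once with a key derived from a passphrase via PBKDF2. All names, the sample record and the HMAC-based cipher construction are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "generic key": the same value ships in every install.
GENERIC_KEY = hashlib.sha512(b"constructed key baked into the client").digest()

def _stream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only keystream (illustrative;
    # a real product would use a vetted AEAD cipher such as AES-GCM).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key64, plaintext):
    enc_key, mac_key = key64[:32], key64[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key64, blob):
    enc_key, mac_key = key64[:32], key64[32:]
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or modified file
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))

def master_key(password, salt):
    # Recomputed from the typed passphrase at every start; never written to disk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)

def seal_with_master(password, plaintext):
    salt = os.urandom(16)
    return salt + seal(master_key(password, salt), plaintext)

def unseal_with_master(password, blob):
    return unseal(master_key(password, blob[:16]), blob[16:])

if __name__ == "__main__":
    record = b"host=ftp.example.test user=demo pass=constructed-secret"
    generic_file = seal(GENERIC_KEY, record)
    master_file = seal_with_master("long master passphrase", record)
    # Every copy of the program carries GENERIC_KEY, so a copied file opens anywhere.
    print(unseal(GENERIC_KEY, generic_file) == record)
    # Without the passphrase the master-protected file does not open.
    print(unseal_with_master("guess", master_file))
```

What remains for the master-password file is the strength of the passphrase itself, which is why the PBKDF2 iteration count and passphrase length matter.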
paul_9
09-29-2009, 10:19 PM
MxxCon: I apologize if I took your reply out of context, but it seemed to me you were just giving my concerns the brush off.
I appreciate what you are saying, but having 9 clients all recently hacked to sh!t - and the common denominator between at least 6 of them (that I know of) is FlashFXP, it seems that this malware is in fact able to circumvent any encryption that may be in the site manager ... I am not a newbie around computers. I have been doing web hosting since 1998.
I do not know how to read Russian, but apparently in that link in the article, on Kaspersky's website, they detail how the malware operates, and does also confirm Flash FXP to be affected. Why would they include FlashFXP if it was not affected for years? The article only was posted last week.
Anyhow I thank you both for your time ... If I offended anybody, I'm sorry but this was not my intention. Until I am 100% certain that FlashFXP is not vulnerable, I will continue to use WinSCP or putty (shell).
My apologies again - I'll go find "a new movie theatre" to run through ...
paul
MxxCon
09-30-2009, 08:19 AM
By default FlashFXP uses a simple scramble for your passwords.
So if you don't take an extra step to enable encryption, your passwords are possible to retrieve.
Many people don't take that extra step, either because they don't know, don't care, or don't want to be bothered to enter their password on every start.
Just because WinSCP or Putty are not on THAT list, doesn't mean malware does not target them or passwords stored in them are secure.
Furthermore, Putty cannot store your passwords at all; you have to manually enter them every time you log in. If you don't store the passwords, there is nothing to steal.
In such case you are not treating FlashFXP and Putty on equal grounds.
If you are not going to store passwords in FlashFXP, they are going to be just as secure as they are in Putty.
WinSCP does allow you to store passwords, however they are also scrambled and easily retrievable (http://winscp.net/eng/docs/faq_password).
FlashFXP goes one step further by providing you an actual encryption of your passwords. WinSCP does not. They just tell you not to store them in WinSCP.
If that's the case, don't save your passwords in FlashFXP (just like you do with putty or winscp) and enter them every time you log in.
bigstar
09-30-2009, 08:23 AM
Were your clients using Application Password Protection in FlashFXP?
I am assuming they weren't using it.
You could always run FlashFXP from a portable media device such as a U3 smart drive or USB drive.
Oh and I almost forgot you can leave the site password blank and you'll be prompted for the password each time you connect to the server.
paul_9
09-30-2009, 08:34 AM
MxxCon: thanks for the follow-up ... I think this is probably the case where the application is/was not password protected. :(
bigstar: Hmmm .. you might have just given me a schwanky idea for some product branding ... I may have to find a HK supplier for bulk 2GB USB drives that I can brand with my logo, place my logo on the portable suite GUI, and preload it with the FlashFXP 30-day trial, along with other must-have portable softwares, and mail them to anybody who rents/buys a server from me :)
I really do like FlashFXP, and have used it for several years, so I would really like to keep using it, and at the same time know that myself and the clients I recommend it to have an adequate level of security.
Thanx guys!
Paul
bigstar
09-30-2009, 12:25 PM
We offer U3 Smart Drive and USB portable installers for FlashFXP.
You'll find them on our download page https://oss.azurewebsites.net/download
If you have any suggestions on how we can improve security beyond what we offer now please let me know.