This year, most successful malware attacks against legitimate websites used stolen FTP credentials. I always suggest that you don’t store passwords in your FTP programs where they are easily accessible by any program running on your computer (including malware). For example, in FileZilla, FTP passwords are stored as plain text in configuration files. And FileZilla is not the only FTP client malware authors target in their hunt for website credentials.
In the recent post about Quicksilver malware network, you can read that the trojan behind the infamous iframe injection attack “looks for all kinds of configuration files of ftp programs in their default install paths”. I contacted the researcher and asked if he had a full list of the FTP clients this malware looks for.
Keep using it. Just don’t save your passwords there. Enter passwords every time you connect to remote servers. Or invest some time to read your program’s documentation and find out what it can offer to security-minded webmasters. Some clients support public key authentication, some offer encrypted site managers, etc.
Just to be on the safe side, scan your computer for malware. Then scan your site for signs of break-ins (you might want to start with Unmask Parasites checks). If you have any suspicion, change all passwords ASAP.
And don’t think that using some other FTP client makes it safe to store your passwords in it. There may be another trojan that specifically targets your favorite program.
BTW, in my previous post you could see a link to an article about another trojan that sniffs FTP traffic and steals credentials. If you use FTP, you can’t hide your passwords from this trojan, because the FTP protocol doesn’t support any encryption.
The answer to this problem is secure protocols such as SFTP or FTPS. Most FTP clients support these protocols, so you don’t need to find a new program. However, if you are on a shared server, make sure that your hosting plan includes at least one of these secure protocols.
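A self-audit for the two risks described above (passwords saved in a client's configuration file, and sites still set to an unencrypted protocol), as an added example that is not from the original post. It assumes the element names and protocol codes of FileZilla's `sitemanager.xml`; the sample XML is constructed, and the function reports only whether a password is saved, never its value.

```python
import xml.etree.ElementTree as ET

# Assumption: FileZilla <Protocol> codes for encrypted transports
# (1 = SFTP, 3 = FTPS, 4 = FTP over explicit TLS); anything else is flagged.
ENCRYPTED_PROTOCOLS = {"1", "3", "4"}

# Constructed sample laid out like FileZilla's sitemanager.xml (assumed layout).
SAMPLE = """<FileZilla3><Servers>
  <Server>
    <Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
    <User>webmaster</User><Pass>constructed-secret</Pass>
    <Name>Main site</Name>
  </Server>
  <Server>
    <Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
    <User>deploy</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
    <Name>Staging</Name>
  </Server>
  <Server>
    <Host>files.example.net</Host><Port>22</Port><Protocol>1</Protocol>
    <User>admin</User><Logontype>2</Logontype>
    <Name>Ask every time</Name>
  </Server>
</Servers></FileZilla3>"""

def audit_sites(xml_text):
    """Return one finding per <Server> entry without exposing the password."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        saved = pw is not None and bool((pw.text or "").strip())
        findings.append({
            "name": server.findtext("Name", default="(unnamed)"),
            "host": server.findtext("Host", default=""),
            "password_saved": saved,
            # base64 is an encoding, not encryption: any local program can read it
            "storage": (pw.get("encoding") or "plain") if saved else None,
            "encrypted_transport":
                server.findtext("Protocol", default="0") in ENCRYPTED_PROTOCOLS,
        })
    return findings

if __name__ == "__main__":
    for f in audit_sites(SAMPLE):
        print(f["name"], f["host"], "saved:", f["password_saved"],
              "storage:", f["storage"], "encrypted:", f["encrypted_transport"])
```

To check a real installation, pass the contents of your own site manager file to `audit_sites` instead of `SAMPLE`.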