[wp-testers] Default.widgets.php Hacked? What to do?

André andre at thehook.eu
Fri Jul 24 21:04:12 UTC 2009



Using SFTP or SCP to administer blogs is the safest and will protect you
from people sniffing your LAN/WLAN.

As for storing passwords in browsers, FTP clients, etc., I would recommend
http://www.keepassx.org/, the same as KeePass that was mentioned earlier but
open source and cross-platform. It lets you store all your passwords in an
encrypted file, so you have all your passwords ready to copy-and-paste after
typing one password.

Encrypted File System (EFS) will not help against viruses, as the filesystem
is unencrypted while it's running. It's only good as long as the computer is
off, but is very good to have if your laptop gets stolen.

But everything helps.

In my case I always use highly random passwords that I copy-and-paste from
KeePassX.
I use Linux, which still isn't as targeted as Windows (yet).
And I ALWAYS administer the sites using secure channels like SFTP, SSH, SCP,
or HTTPS as long as it's possible.



> Better still, I have switched to using SFTP logins every time. At least
> it provides more safety than sending passwords in plain text.
>
> On Sat, Jul 25, 2009 at 1:02 AM, Kirk M <kmb42vt at gmail.com> wrote:
>> I also, as a rule, don't store passwords locally. The single exception to
>> this is FileZilla (Windows install) as it seems to give me no choice in the
>> matter. And since it sends FTP login data to the server in plain text anyway,
>> does it really matter as long as your firewall and anti-malware protection
>> is fully up to date? This is for local protection only since you can't do a
>> damn thing once you hit the "Connect" button in FileZilla and your login
>> data is out there for everyone to see.
>>
>> And for these folks who found their sites had been hacked, what OS were they
>> running? If Windows, were they properly protected (firewall? Anti-malware
>> program? Which brand?)
>>
>> Just thinking out loud there...
>>
>> Just on the off-chance that this has affected my Windows machine and
>> possibly any blogs I administer via FTP (all on the same host) I did a full
>> anti-malware scan on my Windows partition and thoroughly checked the sites I
>> administer and everything's clean.
>>
>> One thing I have to wonder about though. On a Windows (desktop) system would
>> using Windows "Encrypting File System" (EFS) to encrypt the FileZilla
>> (settings) folder and its .xml files help prevent this type of thing from
>> happening locally?
>>
>> On 7/24/2009 10:09 AM, Jennifer Hodgdon wrote:
>>>
>>> Doesn't anyone besides me think it is a poor security practice to store
>>> FTP credentials on their PC at all? I realize it is a bit inconvenient
>>> at times to have to remember passwords, but if your FTP software is
>>> storing credentials in an unencrypted file, I think it is a HUGE
>>> security risk to let it store your FTP passwords. This also goes for
>>> your browser storing login passwords for your sites.
>>>
>>> --Jennifer
>>>
>>> Chris Jean wrote:
>>>>
>>>> I did a lot of reading on this subject to ensure that I knew the full
>>>> scope of it. It's quite clear to me that the stolen FTP credentials are
>>>> definitely the cause of this specific issue:
>>>>
>>>> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
>>>> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>>>>
>>>> That said, you are quite right that getting a virus on your local
>>>> machine isn't the only problem. It is very important for WordPress users
>>>> to be aware that their site can be compromised by poor security
>>>> practices on or off their server.
>>>
>> _______________________________________________
>> wp-testers mailing list
>> wp-testers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>
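The two leaks the thread is arguing about, shown side by side as an added example (this is editor-supplied code, not anything posted by André, Kirk, Jennifer or Chris, and not FileZilla's own code). First, a plain FTP control channel carries USER and PASS in the clear, so a sniffer on the LAN/WLAN path can read them, whereas an SFTP/SCP session over SSH shows only the SSH-2.0 identification line before the transport goes encrypted. Second, an FTP client that keeps saved sites in an unencrypted XML file hands the same credentials to any malware that can read that file. All inputs are constructed inline: the captures are not real traffic, the hostnames use the reserved `.invalid` TLD, and the saved-site file follows a FileZilla 3-style `sitemanager.xml` layout that is an assumption of this example (a `<Pass encoding="base64">` element is decoded; plain text is taken as-is).

```python
"""
Constructed demonstration of FTP credential exposure (added example; not from
the thread or from FileZilla):
  1. on the wire: cleartext USER/PASS on the FTP control channel vs. an SSH
     session, where only the identification banner is readable;
  2. on disk: credentials recoverable from an unencrypted saved-sites file.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# RFC 959 client commands are CRLF-terminated lines such as "USER name".
_FTP_USER = re.compile(rb"^USER[ ]+(.+)$")
_FTP_PASS = re.compile(rb"^PASS[ ]+(.+)$")
# RFC 4253: an SSH connection starts with "SSH-2.0-<software>" CR LF; after key
# exchange everything is encrypted, so a sniffer sees nothing but this line.
_SSH_BANNER = re.compile(rb"^SSH-2\.0-[^\r\n]+")


def extract_ftp_credentials(payload: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) pairs readable in a captured FTP control stream."""
    creds: List[Tuple[str, str]] = []
    pending_user: Optional[str] = None
    for line in payload.split(b"\r\n"):
        m = _FTP_USER.match(line)
        if m:
            pending_user = m.group(1).decode("ascii", "replace")
            continue
        m = _FTP_PASS.match(line)
        if m and pending_user is not None:
            creds.append((pending_user, m.group(1).decode("ascii", "replace")))
            pending_user = None
    return creds


def is_ssh_session(payload: bytes) -> bool:
    """True if the stream opens with an SSH-2.0 identification line (SSH/SFTP/SCP)."""
    return _SSH_BANNER.match(payload) is not None


def saved_sites(sitemanager_xml: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, host, user, password) per <Server> in a FileZilla-3-style
    sitemanager.xml. The element layout is an assumption of this example."""
    root = ET.fromstring(sitemanager_xml)
    out: List[Tuple[str, str, str, str]] = []
    for server in root.iter("Server"):
        password = ""
        pass_el = server.find("Pass")
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8")
            else:
                password = pass_el.text
        out.append((server.findtext("Name", ""), server.findtext("Host", ""),
                    server.findtext("User", ""), password))
    return out


# --- constructed samples (not real captures or a real config file) ---------

# Client->server half of a plain FTP login.
FTP_CAPTURE = (
    b"USER blogadmin\r\n"
    b"PASS Tr0ub4dor&3\r\n"
    b"SYST\r\n"
    b"CWD /wp-content\r\n"
)

# Start of an SFTP session: banner, then opaque bytes standing in for the
# encrypted SSH transport.
SSH_CAPTURE = b"SSH-2.0-OpenSSH_5.1\r\n" + bytes(range(0, 256, 3)) * 4

# Saved-site file with one plain and one base64-encoded password ("&" is
# XML-escaped; both decode to the same secret).
SITEMANAGER_XML = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host><Port>21</Port><Protocol>0</Protocol>
      <User>blogadmin</User><Pass>Tr0ub4dor&amp;3</Pass><Name>Blog (FTP)</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host><Port>22</Port><Protocol>1</Protocol>
      <User>blogadmin</User><Pass encoding="base64">VHIwdWI0ZG9yJjM=</Pass>
      <Name>Blog (SFTP)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

if __name__ == "__main__":
    print("FTP capture leaks:", extract_ftp_credentials(FTP_CAPTURE))
    print("SSH capture leaks:", extract_ftp_credentials(SSH_CAPTURE),
          "(SSH session:", is_ssh_session(SSH_CAPTURE), ")")
    for name, host, user, pw in saved_sites(SITEMANAGER_XML):
        print(f"saved site {name!r}: {user}:{pw}@{host}")
```

Note that switching the client to SFTP fixes only the first leak: the saved-sites file still holds the password for the SFTP account in a form anything running as the user can read, which is why the thread's advice to keep secrets in a password manager applies regardless of protocol.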

