[wp-testers] Default.widgets.php Hacked? What to do?

Navjot Singh navjotjsingh at gmail.com
Fri Jul 24 21:07:37 UTC 2009


I am using Roboform instead of KeePass.

On Sat, Jul 25, 2009 at 2:34 AM, André <andre at thehook.eu> wrote:
>
> Using SFTP or SCP to administer blogs is the safest and will protect you
> from people sniffing your LAN/WLAN.
>
> As for storing passwords in browsers, FTP clients, etc. I would recommend
> http://www.keepassx.org/ same as KeePass that was mentioned earlier but
> open source and cross platform. Lets you store all your passwords in an
> encrypted file. So you got all your passwords ready to copy-and-paste
> after typing one password.
>
> Encrypted File System (EFS) will not help against viruses, as the
> filesystem is unencrypted while it's running. It's only good as long as
> the computer is off, but is very good to have if your laptop gets stolen.
>
> But everything helps.
>
> In my case I always use highly random passwords that I copy-and-paste
> from KeePassX.
> I use Linux that still isn't as targeted as Windows (yet).
> And I ALWAYS administer the sites using secure channels like SFTP, SSH,
> SCP, or HTTPS as long as it's possible.
>
>
>> Better still, I have switched to using SFTP logins every time. At least
>> it provides more safety than sending passwords in plain-text.
>>
>> On Sat, Jul 25, 2009 at 1:02 AM, Kirk M <kmb42vt at gmail.com> wrote:
>>> I also, as a rule, don't store passwords locally. The single exception
>>> to this is FileZilla (Windows install) as it seems to give me no choice
>>> in the matter. And since it sends FTP login data to the server in plain
>>> text anyway does it really matter as long as your firewall and
>>> anti-malware protection is fully up to date? This is for local
>>> protection only since you can't do a damn thing once you hit the
>>> "Connect" button in FileZilla and your login data is out there for
>>> everyone to see.
>>>
>>> And for these folks who found their sites had been hacked, what OS were
>>> they running? If Windows, were they properly protected (firewall?
>>> Anti-malware program? Which brand?)
>>>
>>> Just thinking out loud there...
>>>
>>> Just on the off-chance that this has affected my Windows machine and
>>> possibly any blogs I administer via FTP (all on the same host) I did a
>>> full anti-malware scan on my Windows partition and thoroughly checked
>>> the sites I administer and everything's clean.
>>>
>>> One thing I have to wonder about though. On a Windows (desktop) system
>>> would using Windows "Encrypting File System" (EFS) to encrypt the
>>> FileZilla (settings) folder and its .xml files help prevent this type
>>> of thing from happening locally?
>>>
>>> On 7/24/2009 10:09 AM, Jennifer Hodgdon wrote:
>>>>
>>>> Doesn't anyone besides me think it is a poor security practice to
>>>> store FTP credentials on their PC at all? I realize it is a bit
>>>> inconvenient at times to have to remember passwords, but if your FTP
>>>> software is storing credentials in an unencrypted file, I think it is
>>>> a HUGE security risk to let it store your FTP passwords. This also
>>>> goes for your browser storing login passwords for your sites.
>>>>
>>>> --Jennifer
>>>>
>>>> Chris Jean wrote:
>>>>>
>>>>> I did a lot of reading on this subject to ensure that I knew the full
>>>>> scope of it. It's quite clear to me that the stolen FTP credentials
>>>>> are definitely the cause of this specific issue:
>>>>>
>>>>> * Malicious “Income” IFrames from .CN Domains http://bit.ly/NgWFA
>>>>> * Hidden CN Iframes Are Still Prevalent http://bit.ly/12uY53
>>>>>
>>>>> That said, you are quite right that getting a virus on your local
>>>>> machine isn't the only problem. It is very important for WordPress
>>>>> users to be aware that their site can be compromised by poor security
>>>>> practices on or off their server.
>>>>
>>> _______________________________________________
>>> wp-testers mailing list
>>> wp-testers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-testers
>>>

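As an added example, not code from the thread and not FileZilla's own code: a small Python script that reads a FileZilla-style sitemanager.xml and pulls out every stored site login, which is exactly what credential-stealing malware on the PC does with that file. The XML below is constructed; the element layout (FileZilla3/Servers/Server with Host, Port, Protocol, User, Pass) and the Protocol numbering (0 = FTP, 1 = SFTP) are assumptions modelled on FileZilla 3 settings files. Older releases wrote the password as plain text; later ones base64-encode it, which is an encoding and not encryption, so the script recovers both.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample, modelled on FileZilla 3's sitemanager.xml layout
# (assumption: FileZilla3/Servers/Server with Host/Port/Protocol/User/Pass).
# Hosts, users and passwords are placeholders.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>blogadmin</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>My blog (old FileZilla, plain-text Pass)</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>blogadmin</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Logontype>1</Logontype>
      <Name>My blog (newer FileZilla, base64 Pass)</Name>
    </Server>
    <Server>
      <Host>ftp.other.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>editor</User>
      <Logontype>2</Logontype>
      <Name>Ask for password (nothing stored)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def extract_filezilla_credentials(xml_text):
    """Return one dict per site entry; password is None when the file stores none."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # base64 is reversible by anyone who can read the file.
                password = base64.b64decode(pass_el.text).decode("utf-8")
            else:
                password = pass_el.text
        entries.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "0") or 0),
            # Assumption: Protocol 1 means SFTP, anything else treated as plain FTP.
            "protocol": "sftp" if server.findtext("Protocol") == "1" else "ftp",
            "user": server.findtext("User", ""),
            "password": password,
        })
    return entries


def plaintext_ftp_exposures(entries):
    """Entries whose stored password also crosses the wire unencrypted (plain FTP)."""
    return [e for e in entries if e["password"] is not None and e["protocol"] == "ftp"]


if __name__ == "__main__":
    found = extract_filezilla_credentials(SAMPLE_SITEMANAGER_XML)
    for e in found:
        shown = e["password"] if e["password"] is not None else "<not stored>"
        print(f'{e["protocol"]}://{e["user"]}@{e["host"]}:{e["port"]}  password={shown}  ({e["name"]})')
    print(f"{len(plaintext_ftp_exposures(found))} stored password(s) belong to plain-FTP sites")
```

The third entry shows the setting that avoids the problem: a site saved with "Ask for password" keeps no Pass element at all, so there is nothing for malware to lift from the file. Any process running under the same Windows user can read the settings folder, which is why EFS, as André notes, does not help while the user is logged in.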

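A second added example, again not code from the thread, from WordPress or from the articles Chris Jean links: a first-pass scanner for the hidden-iframe injections he refers to. It finds iframe tags that are hidden by CSS or sized to 0 or 1 pixel and reports the line, the src and whether the host is under .cn. The PHP file contents and host names below are constructed stand-ins; real injections are often obfuscated or split across files, so this catches the plain form only.

```python
import pathlib
import re
from urllib.parse import urlparse

# Constructed stand-in for an infected WordPress file (the thread's
# default-widgets.php): a trimmed PHP body with a benign embed and two hidden
# iframes appended after the closing tag. Host names are made-up placeholders.
SAMPLE_PHP = """<?php
/**
 * Default Widgets (constructed excerpt, not the real file)
 */
class WP_Widget_Pages extends WP_Widget {
}
?>
<iframe src="http://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://injected1.example.cn/in.cgi?income" width="1" height="1" style="visibility:hidden"></iframe>
<iframe style="display:none" src="http://injected2.example.cn/index.php"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def _attrs(tag):
    """Parse name=value pairs from one opening tag into a lower-cased dict."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def _is_hidden(attrs):
    """True for CSS-hidden frames or frames 0/1 pixel wide or high."""
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        if value in ("0", "1"):
            return True
    return False


def find_hidden_iframes(text):
    """One finding per hidden iframe: line number, src, host, and .cn flag."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = _attrs(m.group(0))
        if not _is_hidden(attrs):
            continue
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "src": src,
            "host": host,
            "cn_domain": host.endswith(".cn"),
        })
    return findings


def scan_directory(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a web root and map each file containing hidden iframes to its findings."""
    report = {}
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PHP):
        flag = "  <-- .cn host" if hit["cn_domain"] else ""
        print(f'line {hit["line"]}: hidden iframe to {hit["host"]} ({hit["src"]}){flag}')
```

Run scan_directory() against a copy of the site pulled down over SFTP rather than against the live host; the visible YouTube embed in the sample is deliberately left unflagged so the check stays about hidden frames, not iframes in general. A clean scan does not prove the site is clean, since an attacker holding the FTP password can put the injection back at any time, so the credential should be changed first.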
More information about the wp-testers mailing list