Recently, a fake version of the popular Filezilla File Transfer Protocol (FTP) client has been made available for download on some sites. This fake version of Filezilla looks and works as expected but it also harvests login credentials in the background. These credentials are secretly sent to a hacker owned site. This is clearly a concern for any network and action must be taken to limit the damage. There are two things you should do:
1. Block the stealing of credentials
The domain name that the hacker used to send credentials to is aliserv2013.ru. This domain name currently does not resolve, as the nameservers appear not to respond to DNS queries anymore (interestingly enough they still respond to ping). Additionally, the FTP server also appears to be down. So the worst crisis might be over. But to be safe you should blacklist aliserv2013.ru in your DNS server. If you are using Secure64 you need to add a line like the one below and reload your cache server:
local-zone: “aliserv2013.ru” refuse log
2. Find and clean up your clients
If your DNS server is capable of logging blacklist hits, then now is the time to check your logs and see if any of your clients are using this fake Filezilla client.
By using the log option in the Secure64 example configuration above you can see which clients are trying to access the aliserv2013.ru site. You can then reach out to them and make sure they remove the faulty FTP client.
More info can be found here: