Filezilla Bug

Posted by admin

While testing the new release of Hydra against my own FileZilla FTP server, I noticed that the autoban feature of FileZilla Server does not work for IPv6 connections. If there are multiple failed login attempts from an IPv4 address, FileZilla Server correctly blocks that IP. That is: Hydra stops testing passwords since it is not able to connect to the server anymore. However, when using IPv6, the FileZilla server generates the same error message (“421 Temporarily banned for too many failed login attempts”), but new connections from the same IPv6 address are still possible.

Here are my test results:

So the normal user is meant to know to hold down some keys when this happens in FileZilla? I'm pretty sure it is a bug that should be fixed in the app, a pretty simple fix too with a simple check for the window being created out of bounds. In reply to: 4 comment:5 by Janene McMahan, 7 years ago. If you are using FileZilla, do not click on the pop-up or allow the pop-up to automatically install the 'updates' for your FileZilla application. When downloading applications and software, you should always save them to a file on your computer and run your anti-virus application against them to ensure they are free of any malware.

I am using FileZilla Server version 0.9.43 beta on my old Windows XP notebook. (I know, this is not the most current version. But version 0.9.44 does not run on Windows XP anymore.) Hydra is running with the just released version 8.0.

Note that this post is one of many related to IPv6. Click here for a structured list.

FileZilla Server Autoban

The autoban feature in FileZilla Server is quite simple and looks like this:

Brute-Force via IPv4

I first tried a brute-force attack via IPv4 against the FTP server.

These are a few lines of the FileZilla server logfile. They show the incorrect logins and the error “421 Temporarily banned for too many failed login attempts”. The sessions are then disconnected:

(000006)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> PASS ***
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 530 Login or password incorrect!
(000006)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> PASS ***
(000006)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 530 Login or password incorrect!
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> USER weberjoh
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000003)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> USER weberjoh
(000003)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000004)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> USER weberjoh
(000004)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 331 Password required for weberjoh
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> PASS ***
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> 421 Temporarily banned for too many failed login attempts
(000005)14.05.2014 10:21:10 - (not logged in) (192.168.114.10)> disconnected.

And here are the last lines from the Hydra logs which show that no connections are possible anymore:

[RE-ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaQ' - 30 of 931147511 [child 14]
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[RE-ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaR' - 30 of 931147511 [child 14]
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Not an FTP protocol or service shutdown: 550 No connections allowed from your IP
[ERROR] Too many connect errors to target, disabling ftp://ftp-foobar.webernetz.net:21
[ERROR] 1 target was disabled because of too many errors

Brute-Force via IPv6

I then ran the same brute-force attack with IPv6 forced. Here, the FileZilla server log shows the same messages, but the server still allows new connections from the same IPv6 address (!):

(000037)14.05.2014 10:24:51 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000037)14.05.2014 10:24:51 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000020)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000020)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000020)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000021)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000021)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000021)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000038)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000038)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000042)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000042)14.05.2014 10:24:52 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000028)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000028)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000031)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000031)14.05.2014 10:24:54 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000034)14.05.2014 10:24:57 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000034)14.05.2014 10:24:57 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000028)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000028)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000028)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000043)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> USER weberjoh
(000043)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 331 Password required for weberjoh
(000044)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000044)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000029)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000029)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000029)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000047)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000047)14.05.2014 10:25:00 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000032)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000032)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000032)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000048)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> Connected, sending welcome message...
(000048)14.05.2014 10:25:01 - (not logged in) (2003:51:6012:114::10)> 220 jw-nb04.webernetz.net
(000036)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000036)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000036)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> disconnected.
(000037)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> PASS ***
(000037)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> 421 Temporarily banned for too many failed login attempts
(000037)14.05.2014 10:25:03 - (not logged in) (2003:51:6012:114::10)> disconnected.

That is, Hydra logs some errors, too, but continues testing more passwords:

[ERROR] Child with pid 23786 terminating, can not connect
[ERROR] Child with pid 23784 terminating, can not connect
[ERROR] Child with pid 23780 terminating, can not connect
[ERROR] Child with pid 23779 terminating, can not connect
Process 23785: Can not connect [unreachable]
[ERROR] Child with pid 23783 terminating, can not connect
[ERROR] Child with pid 23785 terminating, can not connect
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaK' - 31 of 931147496 [child 0]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaL' - 32 of 931147496 [child 1]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaM' - 33 of 931147496 [child 2]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaN' - 34 of 931147496 [child 3]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaO' - 35 of 931147496 [child 4]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaP' - 36 of 931147496 [child 6]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaQ' - 37 of 931147496 [child 13]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaR' - 38 of 931147496 [child 7]
[ATTEMPT] target ftp-foobar.webernetz.net - login 'weberjoh' - pass 'aaS' - 39 of 931147496 [child 11]
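
One way to detect this condition from the server log, as an added example (not code from the original post or from FileZilla): it flags any address that still receives the 220 greeting after a 421 ban message, normalizing IPv6 spellings first. It assumes, as the IPv4 Hydra output above suggests, that an enforced ban refuses new connections instead of greeting them; `unenforced_bans`, `ban_seconds` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Timestamp layout of the server log above, written as strptime specifiers.
TS_FORMAT = "%d.%m.%Y %H:%M:%S"
LINE_RE = re.compile(
    r"^\(\d+\)(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - \(.*?\) "
    r"\(([0-9A-Fa-f:.]+)\)> (.*)$"
)

# Constructed sample in the same layout (documentation addresses and names).
SAMPLE_LOG = """\
(000005)14.05.2014 10:21:10 - (not logged in) (192.0.2.10)> PASS ***
(000005)14.05.2014 10:21:10 - (not logged in) (192.0.2.10)> 421 Temporarily banned for too many failed login attempts
(000005)14.05.2014 10:21:10 - (not logged in) (192.0.2.10)> disconnected.
(000020)14.05.2014 10:24:52 - (not logged in) (2001:db8:114::10)> 421 Temporarily banned for too many failed login attempts
(000020)14.05.2014 10:24:52 - (not logged in) (2001:db8:114::10)> disconnected.
(000038)14.05.2014 10:24:52 - (not logged in) (2001:db8:114::10)> Connected, sending welcome message...
(000038)14.05.2014 10:24:52 - (not logged in) (2001:db8:114::10)> 220 ftp.example.net
(000044)14.05.2014 10:25:00 - (not logged in) (2001:0db8:0114:0:0:0:0:10)> 220 ftp.example.net
"""

def unenforced_bans(log_text, ban_seconds=3600):
    """Return {address: count of 220 greetings sent while a ban should hold}.

    ban_seconds is an assumed value; set it to the server's autoban duration.
    """
    banned_at = {}            # normalized address -> time of the latest 421
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))  # one key per IPv6 spelling
        except ValueError:
            continue
        when = datetime.strptime(m.group(1), TS_FORMAT)
        reply = m.group(3)
        if reply.startswith("421 Temporarily banned"):
            banned_at[addr] = when
        elif reply.startswith("220 ") and addr in banned_at:
            if (when - banned_at[addr]).total_seconds() <= ban_seconds:
                hits[addr] += 1
    return {str(a): n for a, n in hits.items()}

if __name__ == "__main__":
    print(unenforced_bans(SAMPLE_LOG))
```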

Bug Report

I also added a bug report on the official website of FileZilla (Ticket #9522). Let’s see whether something happens there or whether I made a mistake…

Format specifiers

Excerpt from the strftime man page (please note that not all format specifiers work on all platforms; some do not work on Windows, for example):

Ordinary characters placed in the format string are copied to the output without conversion. Conversion specifications are introduced by a '%' character, and terminated by a conversion specifier character, and are replaced in s as follows:

Format specifier    Description
%a    The abbreviated weekday name according to the current locale.
%A    The full weekday name according to the current locale.
%b    The abbreviated month name according to the current locale.
%B    The full month name according to the current locale.
%c    The preferred date and time representation for the current locale.
%C    The century number (year/100) as a 2-digit integer. (SU)
%d    The day of the month as a decimal number (range 01 to 31).
%D    Equivalent to %m/%d/%y. (Yecch --- for Americans only. Americans should note that in other countries %d/%m/%y is rather common. This means that in international context this format is ambiguous and should not be used.) (SU)
%e    Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (SU)
%E    Modifier: use alternative format, see below. (SU)
%F    Equivalent to %Y-%m-%d (the ISO 8601 date format). (C99)
%G    The ISO 8601 year with century as a decimal number. The 4-digit year corresponding to the ISO week number (see %V). This has the same format and value as %y, except that if the ISO week number belongs to the previous or next year, that year is used instead. (TZ)
%g    Like %G, but without century, i.e., with a 2-digit year (00-99). (TZ)
%h    Equivalent to %b. (SU)
%H    The hour as a decimal number using a 24-hour clock (range 00 to 23).
%I    The hour as a decimal number using a 12-hour clock (range 01 to 12).
%j    The day of the year as a decimal number (range 001 to 366).
%k    The hour (24-hour clock) as a decimal number (range 0 to 23); single digits are preceded by a blank. (See also %H.) (TZ)
%l    The hour (12-hour clock) as a decimal number (range 1 to 12); single digits are preceded by a blank. (See also %I.) (TZ)
%m    The month as a decimal number (range 01 to 12).
%M    The minute as a decimal number (range 00 to 59).
%n    A newline character. (SU)
%O    Modifier: use alternative format, see below. (SU)
%p    Either 'AM' or 'PM' according to the given time value, or the corresponding strings for the current locale. Noon is treated as 'pm' and midnight as 'am'.
%P    Like %p but in lowercase: 'am' or 'pm' or a corresponding string for the current locale. (GNU)
%r    The time in a.m. or p.m. notation. In the POSIX locale this is equivalent to '%I:%M:%S %p'. (SU)
%R    The time in 24-hour notation (%H:%M). (SU) For a version including the seconds, see %T below.
%s    The number of seconds since the Epoch, i.e., since 1970-01-01 00:00:00 UTC. (TZ)
%S    The second as a decimal number (range 00 to 60). (The range is up to 60 to allow for occasional leap seconds.)
%t    A tab character. (SU)
%T    The time in 24-hour notation (%H:%M:%S). (SU)
%u    The day of the week as a decimal, range 1 to 7, Monday being 1. See also %w. (SU)
%U    The week number of the current year as a decimal number, range 00 to 53, starting with the first Sunday as the first day of week 01. See also %V and %W.
%V    The ISO 8601:1988 week number of the current year as a decimal number, range 01 to 53, where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week. See also %U and %W. (SU)
%w    The day of the week as a decimal, range 0 to 6, Sunday being 0. See also %u.
%W    The week number of the current year as a decimal number, range 00 to 53, starting with the first Monday as the first day of week 01.
%x    The preferred date representation for the current locale without the time.
%X    The preferred time representation for the current locale without the date.
%y    The year as a decimal number without a century (range 00 to 99).
%Y    The year as a decimal number including the century.
%z    The time-zone as hour offset from UTC. Required to emit RFC 822-conformant dates (using '%a, %d %b %Y %H:%M:%S %z'). (GNU)
%Z    The time zone or name or abbreviation.
%%    A literal '%' character.

Retrieved from 'https://wiki.filezilla-project.org/wiki/index.php?title=Date_and_Time_formatting&oldid=47893'