Adblock Plus and (a little) more

Filterset.G webpage hacked · 2008-12-15 10:02 by Wladimir Palant

Did I already mention that running a web server is dangerous? Well, it was only one part of the picture. Each server gets lots of automated requests trying to find vulnerabilities in the scripts that are installed (SQL injection vulnerabilities got particularly popular lately). But servers also get lots of requests on SSH and FTP ports trying to guess user names and passwords. So you better don’t use passwords that can be easily guessed using a dictionary attack. Even better, don’t use any passwords at all.

A recent victim of this attack is Filterset.G webpage (, apparently it uses a weak password for one of the FTP accounts. Two days ago, somebody used that account to upload a defacement web page and a PHP script that should give the attacker full control over the site. The only reason we don’t see that server sending spam or scanning for vulnerabilities in other servers — that FTP account wasn’t allowed to run PHP scripts, lucky us. If somebody can reach Graham Pierce somehow, please do (Filterset.G forum is abandoned and full of spam).

How do I know all this? Easy, the access statistics for are accessible to anybody who knows the address. That’s one more thing you better don’t do if you are running a web server.


Comment [6]

  1. hmm · 2008-12-15 12:03 · #

    You might want to not link to defaced webpage, in case the attacker updates it with a browser exploit…

    Reply from Wladimir Palant:

    You are right – it is harmless now but doesn’t have to stay this way of course.

  2. Olly · 2008-12-15 16:42 · #

    Does this mean anybody with the Adblock Filterset.G Updater add-on should disable it?

    Reply from Wladimir Palant:

    Filterset.G downloads haven’t been compromised – yet. Not that using Filterset.G is recommended anyway (

  3. Dave · 2008-12-15 18:10 · #

    You might want to consider updating your FAQ entry about Filterset.G to mention its seemingly unsupported status. It currently just notes various incompatibilities and inefficiencies. I suggest you add a point stating something to the effect of “no one’s minding the store”, maybe even mentioning this incident as proof that it’s not properly maintained.

  4. robcee · 2008-12-15 19:03 · #

    I’d recommend disabling FTP on your server altogether. It uses cleartext passwords for authentication and easily sniffed.

    Sorry to hear you got pwnd. :(

    Reply from Wladimir Palant:

    Me? No, isn’t my server. I disabled all unencrypted FTP here a while ago, only FTPS is allowed.

  5. robcee · 2008-12-15 19:35 · #

    ah, my mistake. :)

  6. Bob · 2008-12-18 19:44 · #

    Apparently the whole site will be taken down.

    “ will be PERMANTENLY taken down within the next week. I’m out of donation money, and I can’t afford to keep the site up out of pocket. Sorry.”

    Reply from Wladimir Palant:

    Yes, I noticed as well. Doesn’t seem to be a reaction to this blog post however – the defacement page is still there.

Commenting is closed for this article.