10

Say I make a typo in the host name.

Are my credentials now somewhere in the wrong hosts server log?

Should I go about changing my credentials just in case now?

Serhiy

4 Answers

7

Yes. There are two risks.

Risk #1. The credentials are sent in the clear to whatever host you type. If you mis-type the host, you've sent your credentials to some other host entirely, which is not so good. The risk is probably fairly modest in the grand scheme of things, because odds are that most typos in the domain name will not resolve to any real host, but still, there is a risk there.

Risk #2. The credentials are sent in the clear. Let me emphasize that again: in the clear. Yup, that's right. Your username and password are not encrypted. This means that anyone who can eavesdrop on your traffic can capture your credentials, even if you type the hostname correctly. This is bad, and is arguably much worse than Risk #1.

Sending username and password in the clear is not a good idea. For this reason, you should not use FTP (except for anonymous FTP). If you need to transfer files between hosts, I recommend using SSH, a network file system, or possibly connecting to a web site via HTTPS and downloading the file from there.

D.W.
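The cleartext exposure described in this answer, as an added audit example that is not part of the original answer: it walks FTP control-channel lines and reports which sessions sent a password unencrypted, including logins the server rejected. The sample lines, session ids and the function name `audit_sessions` are constructed for illustration.

```python
# Constructed sample of FTP control-channel lines: (session, direction, line).
# "C" is client-to-server, "S" is server-to-client. All names are made up.
SAMPLE = [
    ("s1", "S", "220 FTP ready"),
    ("s1", "C", "USER alice"),
    ("s1", "S", "331 Password required"),
    ("s1", "C", "PASS hunter2"),
    ("s1", "S", "530 Login incorrect"),      # rejected, yet the password was sent
    ("s2", "S", "220 FTP ready"),
    ("s2", "C", "AUTH TLS"),
    ("s2", "S", "234 Proceed with negotiation"),  # rest of s2 is inside TLS
    ("s3", "S", "220 FTP ready"),
    ("s3", "C", "USER anonymous"),
    ("s3", "S", "331 Send email as password"),
    ("s3", "C", "PASS guest@example.invalid"),
    ("s3", "S", "230 Login ok"),
]

ANONYMOUS = {"anonymous", "ftp"}  # conventional anonymous FTP login names


def audit_sessions(events):
    """Return {session: {"finding", "user", "reply"}} without keeping passwords."""
    out = {}
    for sid, direction, line in events:
        s = out.setdefault(sid, {"finding": "no-credentials-seen", "user": None,
                                 "reply": None, "_auth": False, "_pass": False})
        verb, _, arg = line.strip().partition(" ")
        if direction == "C":
            verb = verb.upper()
            if verb == "AUTH":
                s["_auth"] = True
            elif verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                # The password value itself is deliberately never stored.
                s["_pass"] = True
                anon = (s["user"] or "").lower() in ANONYMOUS
                s["finding"] = "anonymous-login" if anon else "cleartext-password"
        elif verb == "234" and s["_auth"]:
            s["finding"] = "tls-upgraded"    # server accepted AUTH TLS
        elif s["_pass"] and s["reply"] is None and verb[:3].isdigit():
            s["reply"] = verb[:3]            # server's answer to PASS (230 / 530)
    return {sid: {k: v for k, v in s.items() if not k.startswith("_")}
            for sid, s in out.items()}
```

Session `s1` is the case from the question: the server answers 530, but the password had already crossed the network before that reply was sent.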
7

All of the answers thus far give the risks of using FTP, but you haven't told us whether there actually is an FTP listening on the mistyped domain (or even if the mistyped domain resolves correctly), what value the information on the FTP server has, and whether changing the password is trivial or not. This kind of information helps to create an appropriate risk-tailored response.

As both Incognito and D.W. state, your FTP credentials are sent in the clear, so any intervening system that wants to log packets could have your username and password regardless of whether the domain was typed correctly or not. Not many systems are actively going to be logging all packets.

If the domain does not resolve, then you are no worse off than if you typed the domain correctly. There are intervening systems.

If the domain does resolve, then you could attempt to verify if there is an FTP server listening on the remote end. If there is no FTP server, then it is unlikely anyone is logging packets. If there is, then you may want to consider that as part of the risk analysis.

If the domain exists, then you could also attempt to see what Google knows about them (and/or whois). If they appear to host questionable content, then you may want to consider changing the password. Gather some information on the domain and add that to your risk analysis.

logicalscope
  • Thanks for the thorough explanation. The name does resolve. It is a parking page. How can I test to see if there is an FTP listening there? – Serhiy Mar 02 '12 at 21:14
  • 1
    I would just suggest try connecting to port 21 with an FTP client or telnet. Don't try multiple times, mind you. You made a mistake the first time: there's nothing suspicious in mistakes. But making the same "mistake" 100 times is likely going to draw some attention at which point they may start logging. So hopefully, your domain misspelling error was not part of an automated script. – logicalscope Mar 02 '12 at 22:01
  • Op figured it out... simply tried to connect to it and it told me Access denied. Guess they are listening. – Serhiy Mar 02 '12 at 22:01
  • Haha, thanks for the update, and advice. Was typing that message up right before you posted. – Serhiy Mar 02 '12 at 22:02
  • When you tried to connect, did you actually get to a stage where you were giving it a username and password, or did the connection merely close and cause your FTP client to issue a potentially ambiguous "access denied" message? That is, is port 21 actually listening? $ telnet misspelled-domain.net 21 should respond with text messages of some form if it is actually hosting anything on that port. – logicalscope Mar 02 '12 at 22:48
  • telnet seems to be off in my Win 7 environment, and not being my machine I'd rather not tweak it too much. I was however using WinSCP with the user/pass saved in the Stored sessions. The response I got did seem a bit like there is an FTP server on said domain. First stating waiting for a welcome message, then an access denied, and not your typical timeout. – Serhiy Mar 06 '12 at 14:19
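The single port-21 check suggested in the comments above, as an added example that is not part of the original thread: it connects once, reads the server greeting, and sends only `QUIT`, so no username or password leaves the client. The function names `classify_greeting` and `probe_ftp` and the verdict strings are hypothetical.

```python
import socket


def classify_greeting(data: bytes) -> str:
    """Map the first bytes a server sends on connect to a verdict."""
    text = data.decode("ascii", errors="replace").strip()
    if not text:
        return "no-greeting"        # port open, but nothing was said
    code = text[:3]
    if code == "220":
        return "ftp-ready"          # RFC 959: service ready for new user
    if code in ("120", "421"):
        return "ftp-unavailable"    # FTP server present, not accepting sessions
    return "not-ftp"                # something else is listening on the port


def probe_ftp(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect once and read the greeting. USER and PASS are never sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                data = sock.recv(512)
            except OSError:         # timeout or reset while waiting for greeting
                data = b""
            verdict = classify_greeting(data)
            if verdict.startswith("ftp"):
                try:
                    sock.sendall(b"QUIT\r\n")   # close the session politely
                except OSError:
                    pass
            return verdict
    except ConnectionRefusedError:
        return "port-closed"        # nothing is listening on that port
    except OSError:                 # DNS failure, timeout, unreachable network
        return "unreachable"
```

A verdict of `ftp-ready` means a real FTP service answered, which is the distinction the comment draws between a listening server and a client's ambiguous "access denied" message.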
4

Anything you send over the network may be logged. Whether or not they actually do log them is not something we can determine with certainty.

As a side-note, if this is simply FTP (not an encrypted FTP session) then your passwords are already exposed as raw-text over the network.

Incognito
  • Yeah... I'm aware of that... not much I can do. I was just mostly concerned with the credentials pinging the host of some random parking page, and whether that should be a cause for concern. – Serhiy Mar 02 '12 at 16:51
  • No there's not much you can do besides taking over the box and inspecting every log... generally speaking, if you can start using SSH keys for that login you'll avoid many problems such as this. – Incognito Mar 02 '12 at 17:18
0

Yes, your password is sent in clear text to the server, so the host running the FTP can have your credentials, either by running a modified standard FTP server or by running a packet capture program.

Aki