LinuxQuestions.org

Linux - Security: Possibly compromised debian by running backdoor'd ProFTPD (https://www.linuxquestions.org/questions/linux-security-4/possibly-compromised-debian-by-running-backdoord-proftpd-848308/)

wriswith 12-04-2010 07:06 AM

Possibly compromised debian by running backdoor'd ProFTPD
Hi all,

I have a server connected to the internet placed in a DMZ that was running ProFTPD. A couple of weeks ago there was a security threat uncovered that would grant access to external users through a buffer overflow. Of course I patched my ProFTPD quite often after that to secure my server.

Now my problem is that the servers of ProFTPD were compromised and that source code with a back-door was released. To make matters worse, compromised systems notify the hacker that they are infected.

My question is, is there any way to ensure I don't have a root-kit installed short of reinstalling the system?

thanks in advance,
Wriswith.

cepheus11 12-04-2010 07:20 AM

Hi,

If you run Debian, did you update ProFTP via apt-get or synaptic? The news mentions only compromised source packages, and the original security bugfix is at least two weeks older than the server hack. You should check when Debian last updated their binary package; there's a good chance that these have never been affected. Of course you should run the bugfixed version 1.3.3c.

http://www.net-security.org/secworld.php?id=10243

If you did compile ProFTP yourself, and downloaded the source between Nov 28th and Dec 2nd, your server is likely compromised.

Additionally, you could monitor network activity. Look for the command 'HELP ACIDBITCHEZ' which is mentioned here, or try it yourself on a connection to your server.
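As an added example (not code from the thread), a small Python checker that scans an FTP control-channel command log for the trigger string cepheus11 mentions; the line format and the sample lines are constructed for illustration. Because a backdoored daemon's own logs cannot be trusted, feed it a network-level capture of port 21 traffic exported as text rather than the server's log file.

```python
import re
from datetime import datetime

# Constructed sample of FTP control-channel commands, one per line, in an
# assumed "<ISO timestamp> <client ip> <command line>" layout such as a
# tcpdump-derived text export might give. Not real traffic.
SAMPLE_LOG = """\
2010-12-03T22:14:01 192.0.2.10 USER anonymous
2010-12-03T22:14:01 192.0.2.10 PASS guest@example.org
2010-12-03T22:14:05 192.0.2.10 LIST
2010-12-03T23:40:12 198.51.100.7 help AcidBitchez
2010-12-04T01:02:33 203.0.113.9 HELP SITE
2010-12-04T01:02:40 203.0.113.9 QUIT
"""

# The trigger named in the thread. FTP verbs are case-insensitive, and the
# argument is matched case-insensitively too so trivial case variations
# do not slip past the check.
TRIGGER = re.compile(r"^HELP\s+ACIDBITCHEZ\b", re.IGNORECASE)

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def find_backdoor_triggers(log_text):
    """Return (timestamp, client, command) for every line whose FTP
    command matches the backdoor trigger. Unparseable lines are skipped."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, client, cmd = m.groups()
        if TRIGGER.search(cmd):
            hits.append((datetime.fromisoformat(ts), client, cmd))
    return hits


def suspicious_clients(log_text):
    """Distinct client addresses that sent the trigger, for follow-up
    (block them, correlate with other logs, treat the host as compromised)."""
    return sorted({client for _, client, _ in find_backdoor_triggers(log_text)})


if __name__ == "__main__":
    for ts, client, cmd in find_backdoor_triggers(SAMPLE_LOG):
        print(f"{ts.isoformat()} {client}: {cmd!r}")
```

A legitimate `HELP SITE` is not flagged; only the trigger argument counts.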

wriswith 12-05-2010 04:24 AM

Hi,

Thanks for the reply. I installed my ProFTP with apt-get install and I am running Debian squeeze. I hope they didn't update their package list through the ProFTPD public servers. In any case I removed ProFTP and chose to install vsftpd, for obvious reasons.

GrapefruiTgirl 12-05-2010 04:25 PM

Moved: This thread is more suitable in <Linux Security> and has been moved accordingly to help your thread/question get the exposure it deserves.

Dani1973 12-05-2010 05:15 PM

If you check the Debian package for testing (squeeze), the latest version seems to be 1.3.3a.
So I guess it shouldn't be a problem, since they never used the 1.3.3c.

