Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 12-04-2010, 07:06 AM   #1
LQ Newbie
Registered: Dec 2010
Posts: 5

Rep: Reputation: 0
Possibly compromised debian by running backdoor'd ProFTPD

Hi all,

I have a server connected to the internet placed in a DMZ that was running ProFTPD. A couple of weeks ago there was a security threat uncovered that would grant access to external users through a buffer overflow. Of course I patched my ProFTPD quite often after that to secure my server.

Now my problem is that the servers of ProFTPD were compromised and that source code with a back-door was released. To make matters worse compromised systems notify the hacker they are infected.

My question is, is there any way to ensure I don't have a root-kit installed short of reinstalling the system?

thanks in advance,
Old 12-04-2010, 07:20 AM   #2
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91

If you run debian, did you update ProFTP via apt-get or synaptic? The news mention only compromised source packages, and the original security bugfix is at least two weeks older than the server hack. You should check when Debian did the last update to their binary package, there's a good chance that these have never been affected. Of course you should run the bugfixed version 1.3.3c.

If you did compile ProFTP yourself, and downloaded the source between Nov 28th and Dec 2nd, your server is likely compromised.

Additionally, you could monitor network activity. Look for the command 'HELP ACIDBITCHEZ' which is mentioned here, or try it yourself on a connection to your server.
Old 12-05-2010, 04:24 AM   #3
LQ Newbie
Registered: Dec 2010
Posts: 5

Original Poster
Rep: Reputation: 0

thanks for the reply, I installed my ProFTP with apt-get install and I am running a Debian squeeze. I hope they didn't update their package list through the ProFTPD public servers. In any case I removed ProFTP and chose to install vsftpd for obvious reasons.
Old 12-05-2010, 04:25 PM   #4
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 555Reputation: 555Reputation: 555Reputation: 555Reputation: 555Reputation: 555
Moved: This thread is more suitable in <Linux Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
Old 12-05-2010, 05:15 PM   #5
Registered: Dec 2010
Distribution: Debian testing
Posts: 148

Rep: Reputation: 16
If you check the debian packaged for testing(squeeze) the latest version seems to be 1.3.3a
So I guess it shouldn't be a problem since they never used the 1.3.3c


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post Compromised, Backdoor Distributed win32sux Linux - Security 1 12-02-2010 01:07 PM
SSH Agent running, system compromised?? marco18 Linux - Security 4 08-13-2007 08:37 PM
possibly compromised - what to do? TreeHugger Linux - Security 4 02-04-2005 11:03 PM
System possibly compromised kloppster Linux - Security 7 07-12-2004 03:30 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:12 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration