Before anyone panics, the source tarball for Slackware 13.37 doesn't appear to be the "bad" tarball that Chris Evans mentions here:
http://scarybeastsecurity.blogspot.c...ackdoored.html
Code:
$> sha256sum vsftpd-2.3.4.tar.gz
b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a vsftpd-2.3.4.tar.gz
I checked str.c for the call to vsf_sysutil_extra() if the user is specified as
and I also checked for the rogue shellcode in sysdeputil.c but I didn't find it, so it looks like the backdoor was uploaded recently.
http://www.h-online.com/security/new...e-1272310.html
Quote:
Chris Evans, aka Scary Beasts, has confirmed that version 2.3.4 of vsftpd's downloadable source code was compromised and a backdoor added to the code. Evans, the author of vsftpd – which is described on its web site as "probably the most secure and fastest FTP server for Unix-like systems" – was alerted on Sunday to the fact that a bad tarball had been downloaded from the vsftpd master site with an invalid GPG signature. It is not known how long the bad code had been online.
The bad tarball included a backdoor in the code which would respond to a user logging in with a user name "" by listening on port 6200 for a connection and launching a shell when someone connects.
Evans has now moved the source code and site to https://security.appspot.com/vsftpd.html, a Google App Engine hosted site. The GPL-licensed source code can be downloaded (direct download) from the same site, along with the GPG signature for validating the download, a step that Evans recommends. Evans says that the lack of obfuscation and lack of victim identification leads him to believe that "perhaps someone was just having some lulz instead of seriously trying to cause trouble".
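The check described in the post above (compare the tarball's SHA-256, then look in str.c and sysdeputil.c for `vsf_sysutil_extra`), written out as an added example that is not part of the original post. `scan_tarball` and `make_sample` are hypothetical helper names, and the two sample archives are constructed in memory rather than taken from vsftpd.

```python
import hashlib
import io
import tarfile

# Digest the post reports for the Slackware 13.37 copy of vsftpd-2.3.4.tar.gz.
SLACKWARE_SHA256 = "b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a"
MARKER = b"vsf_sysutil_extra"              # identifier the post searched for
FILES_TO_CHECK = ("str.c", "sysdeputil.c")  # files the post inspected


def scan_tarball(data: bytes, expected_sha256: str) -> dict:
    """Check a .tar.gz held in memory; members are read, never extracted to disk."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or base not in FILES_TO_CHECK:
                continue
            source = tar.extractfile(member).read()
            for lineno, line in enumerate(source.splitlines(), start=1):
                if MARKER in line:
                    hits.append((member.name, lineno))
    digest_ok = digest == expected_sha256.lower()
    return {"sha256": digest, "digest_ok": digest_ok, "hits": hits,
            "clean": digest_ok and not hits}


def make_sample(files: dict) -> bytes:
    """Build a constructed .tar.gz in memory (sample data, not vsftpd source)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed samples: one without the marker, one with a call in str.c.
GOOD = make_sample({"vsftpd-2.3.4/str.c": b"int str_len;\n",
                    "vsftpd-2.3.4/sysdeputil.c": b"/* sample */\n"})
BAD = make_sample({"vsftpd-2.3.4/str.c": b"int x;\nvsf_sysutil_extra();\n",
                   "vsftpd-2.3.4/sysdeputil.c": b"/* sample */\n"})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        report = scan_tarball(blob, SLACKWARE_SHA256)
        print(label, report["digest_ok"], report["hits"], report["clean"])
```

For a real download, pass the file's bytes and a digest obtained from somewhere other than the download site; the GPG signature check that Evans recommends remains the stronger test.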