[SOLVED] ProFTPD Main File Server Hacked, Possible Backdoor Inserted

tronayne · 12-05-2010, 07:46 AM

This was reported in http://indiepropub.com/new-backdoor-...erable/312889/:

Quote:

One of the most popular open-source projects was compromised between Nov. 28 and Dec. 2.

ProFTPD, a file transfer protocol (FTP) server, had its main file server hacked and a version that contained a backdoor trojan was uploaded. Anyone who downloaded version 1.3.3c of the software in that timeframe are vulnerable.

The trojan allows full access to the system by attackers. The ProFTPD project team advised anyone who may be vulnerable to check for compromises and immediately update to a non-compromised version that is available on the website. The team also provided a link that can check the security signatures on their site here.

Analysts have speculated that an unpatched vulnerability in the FTP server daemon running on the ProFTPD site allowed the hackers access to the server. From there it was easy for them to simply replace the legitimate source code with the new version containing the backdoor. The breach was discovered on Dec. 1, and fixed, but due to time lags in servers mirroring the master download site, the warning was issued for anyone downloading the software between Nov. 28 and Dec. 2.

Checking my system,

Code:

ls -l /var/log/packages/proftp*
-rw-r--r-- 1 root root 7835 2010-11-02 07:24 /var/log/packages/proftpd-1.3.3c-x86_64-1_slack13.1

Nope, not between the dates, but if somebody did download from the project server between those dates...

Hope this helps some.

allend · 12-05-2010, 08:08 AM

Also reported here on LQ. http://www.linuxquestions.org/questi...ibuted-847916/

unSpawn · 12-05-2010, 09:04 AM

Indeed. FUPs (if any) to http://www.linuxquestions.org/questi...ibuted-847916/, TIA.