Vsftpd FTP Server Download Site Compromised
Someone was able to compromise a version of the vsftpd secure FTP server recently, inserting a simple backdoor that gives the attacker a shell on compromised machines. The bad version of the server has been removed and the creator of the app has moved it to a different hosting provider as a precaution.
The creator of vsftpd, security researcher Chris Evans, said in a blog post on Sunday that someone alerted him to the compromise and he subsequently found that one specific version of the server had been infected somehow.
"The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted. There is no obfuscation. More interestingly, there's no attempt to broadcast any notification of installation of the bad package. So it's unclear how victims would be identified; and also pretty much guaranteed that any major redistributor would notice the badness. Therefore, perhaps someone was just having some lulz instead of seriously trying to cause trouble," Evans wrote.
Vsftpd is an FTP server designed for use on Unix systems and is meant to be a fast, secure alternative to other free and open source FTP servers. Evans touts the server as being "secure and extremely fast."
The SHA-256 checksum for the compromised version of vsftpd is: 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5 vsftpd-2.3.4.tar.gz
After finding out about the compromise, Evans said he moved vsftpd to a Google hosting site. An analysis by researchers at Openwall found that the compromised tarball contained some interesting data.
"So, I tried searching for MD5, SHA-1, and SHA-512 of this - no hits on Google web search. Lots of hits for SHA-256, indeed - due to the incident announcement. Thus, chances are that no distro is affected. More info on what's inside the tarball: user/group "user" (either the intruder's username on his/her computer or --owner and --group options argument to tar), "GCC: (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2" inside the .o files. This suggests Ubuntu 11.04, right?," the analysis says.
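For administrators who keep local copies of source tarballs, the following is an added example (not code from Evans, Openwall or the vsftpd project) that checks a file against the checksum published above and reports the owner and group names stored in the tar headers, the same metadata the Openwall analysis looked at. The function names are illustrative; the only value taken from the article is the checksum.

```python
import hashlib
import tarfile

# SHA-256 of the compromised vsftpd-2.3.4.tar.gz, as published in the article.
KNOWN_BAD_SHA256 = "2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large tarballs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tar_owners(path):
    """Return the (user, group) names recorded in the tar headers.

    Only headers are read; nothing is extracted. A file that is not a
    readable tar archive yields an empty list instead of an exception.
    """
    try:
        with tarfile.open(path, "r:*") as tar:
            return sorted({(m.uname, m.gname) for m in tar})
    except tarfile.ReadError:
        return []


def inspect_tarball(path, known_bad=KNOWN_BAD_SHA256):
    """Report the digest, whether it equals the known-bad value, and header owners."""
    digest = sha256_file(path)
    return {
        "sha256": digest,
        "matches_compromised": digest == known_bad.lower(),
        "owners": tar_owners(path),
    }


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        report = inspect_tarball(name)
        verdict = "COMPROMISED" if report["matches_compromised"] else "no match"
        print(f"{name}: {verdict} sha256={report['sha256']} owners={report['owners']}")
```

A checksum match is conclusive for this one tarball; the owner and group names are context for an investigator, not a verdict on their own.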



