ProFTPD Server Backdoored

The main server used to distribute the open-source ProFTPD software was compromised over the weekend through the use of a bug in the FTP software itself, and a backdoored version of the software was uploaded and distributed for several days as a result.

The main server used to distribute the open-source ProFTPD software was compromised over the weekend through the use of a bug in the FTP software itself, and a backdoored version of the software was uploaded and distributed for several days as a result.

Because of the compromise, the backdoored version of the ProFTPD software also was synchronized to all of the mirrors that help distribute the software. The attack happened on Sunday, and the maintainers of the open-source project said that they didn’t discover and remove the compromised version of the software until Wednesday. It’s unclear how many compromised copies of the ProFTPD server were downloaded during that time.

The attacker used a bug in the ProFTPD software running on the distribution server to gain access to the machine, and then replaced the source code for version 1.3.3c with the backdoored version. The backdoor planted in the source code enabled an unauthenticated user to gain access to the server running the compromised software.

“The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem. The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon,” the ProFTPD Project maintainers said in an email message. “Users are strongly advised to check systems running the affected code for security compromises and compile/run a known good version of the code.”

The project members have replaced the compromised version with a clean version. Users can check the MD5 hashes of the known good versions at the ProFTPD site.

This is the second attack of this kind against an open-source repository in the last week. Earlier this week, news came out that the site belonging to the GNU Savannah project was compromised and the attackers were able to access restricted project materials.

Suggested articles