Vsftpd FTP Server Download Site Compromised

Someone was able to compromise a version of the vsftpd secure FTP server recently, inserting a simple backdoor that gives the attacker a shell on compromised machines. The bad version of the server has been removed and the creator of the app has moved it to a different hosting provider as a precaution.

The creator of vsftpd, security researcher Chris Evans, said in a blog post on Sunday that someone alerted him to the compromise and he subsequently found that one specific version of the server had been infected somehow.

“The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted. There is no obfuscation. More interestingly, there’s no attempt to broadcast any notification of installation of the bad package. So it’s unclear how victims would be identified; and also pretty much guaranteed that any major redistributor would notice the badness. Therefore, perhaps someone was just having some lulz instead of seriously trying to cause trouble,” Evans wrote.

Vsftpd is an FTP server designed for use on Unix systems and is meant to be a fast, secure alternative to other free and open source FTP servers. Evans touts the server as being “secure and extremely fast.”

The checksum for the compromised version of vsftpd is: 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5 vsftpd-2.3.4.tar.gz
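Two defensive checks a practitioner would want from the details above, as an added example (not code from the vsftpd project or from the article): comparing a downloaded tarball against the published checksum of the trojaned release, and flagging FTP USER commands that carry the smiley trigger. The command-per-line log format and the sample session are constructed assumptions.

```python
import hashlib
import re
from typing import Iterable, List

# SHA-256 of the trojaned vsftpd-2.3.4.tar.gz as published in the incident announcement.
KNOWN_BAD_SHA256 = "2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5"

# The backdoor trigger described by Evans: the two-character smiley in the FTP username.
TRIGGER = ":)"

# Assumed log shape: one FTP control-channel command per line, e.g. "USER anonymous".
USER_CMD = re.compile(r"^USER\s+(.*)$", re.IGNORECASE)


def is_known_bad_tarball(data: bytes) -> bool:
    """True when the tarball bytes hash to the published compromised checksum."""
    return hashlib.sha256(data).hexdigest() == KNOWN_BAD_SHA256


def find_trigger_attempts(lines: Iterable[str]) -> List[str]:
    """Return the USER arguments that contain the smiley trigger.

    Anything matching here is worth alerting on: a legitimate username has
    no reason to contain ':)', and on a backdoored 2.3.4 build it opens a shell.
    """
    hits = []
    for line in lines:
        match = USER_CMD.match(line.strip())
        if match and TRIGGER in match.group(1):
            hits.append(match.group(1))
    return hits


# Constructed sample session, not real captured traffic.
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PASS guest@example.com",
    "USER ftp:)",
    "PASS x",
    "USER :)probe",
]

if __name__ == "__main__":
    print("trigger attempts:", find_trigger_attempts(SAMPLE_COMMANDS))
    print("known bad:", is_known_bad_tarball(b"placeholder bytes, not the real tarball"))
```

To check a real download, read the file in binary mode and pass its bytes to is_known_bad_tarball.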

After finding out about the compromise, Evans said he moved vsftpd to a Google hosting site. An analysis by researchers at Openwall found that the compromised tarball contained some interesting data.

“So, I tried searching for MD5, SHA-1, and SHA-512 of this – no hits on Google web search. Lots of hits for SHA-256, indeed – due to the incident announcement.

Thus, chances are that no distro is affected.

More info on what’s inside the tarball: user/group “user” (either the intruder’s username on his/her computer or --owner and --group options argument to tar), “GCC: (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2” inside the .o files. This suggests Ubuntu 11.04, right?,” the analysis says.
