Vsftpd FTP Server Download Site Compromised

Author: Dennis Fisher
minute read

Someone was able to compromise a version of the vsftpd secure FTP server recently, inserting a simple backdoor that gives the attacker a shell on compromised machines. The bad version of the server has been removed and the creator of the app has moved it to a different hosting provider as a precaution.

VSFTPDSomeone was able to compromise a version of the vsftpd secure FTP server recently, inserting a simple backdoor that gives the attacker a shell on compromised machines. The bad version of the server has been removed and the creator of the app has moved it to a different hosting provider as a precaution.

The creator of vsftpd, security researcher Chris Evans, said in a blog post on Sunday that someone alerted him to the compromise and he subsequently found that one specific version of the server had been infected somehow.

“The backdoor payload is interesting. In response to a 🙂 smiley face in
the FTP username, a TCP callback shell is attempted. There is no
obfuscation. More interestingly, there’s no attempt to broadcast any
notification of installation of the bad package. So it’s unclear how
victims would be identified; and also pretty much guaranteed that any
major redistributor would notice the badness. Therefore, perhaps someone
was just having some lulz instead of seriously trying to cause trouble,” Evans wrote.

Vsftpd is an FTP server designed for use on Unix systems and is meant to be a fast, secure alternative to other free and open source FTP servers. Evans touts the server as being “secure and extremely fast.”

The checksum for the compromised version of vsftpd is: 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5 vsftpd-2.3.4.tar.gz

After finding out about the compromise, Evans said he moved vsftpd to a Google hosting site. An analysis by researchers at Openwall found that the compromised tarball contained some interesting data.

“So, I tried searching for MD5, SHA-1, and SHA-512 of this – no hits on
Google web search. Lots of hits for SHA-256, indeed – due to the
incident announcement.

Thus, chances are that no distro is affected.

More info on what’s inside the tarball: user/group “user” (either the
intruder’s username on his/her computer or –owner and –group options
argument to tar), “GCC: (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2″ inside the
.o files. This suggests Ubuntu 11.04, right?,” the analysis says.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.