Open-source ProFTPD hacked, backdoor planted in source code

Summary: The open-source ProFTPD project has been hacked by unknown attackers who planted a backdoor in the source code.

The open-source ProFTPD project has been hacked by unknown attackers who planted a backdoor in the source code.

As a result of the hack, the project's main FTP server, as well as all of the mirror servers, carried compromised versions of the ProFTPD 1.3.3c source code from November 28, 2010 to December 2, 2010.

ProFTPD, which positions itself as a secure FTP server for Linux and Unix-based operating systems, urged all users who run versions of ProFTPD that were downloaded and compiled in this time window to check their systems for security compromises and install unmodified versions of ProFTPD.

Here's the skinny on the attack:

On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor.

The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem.

ProFTPD said the backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.
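The advisory's practical takeaway is that a source tarball fetched from any official mirror in the stated window cannot be trusted on its own and must be checked against a digest obtained out of band. The following shell helpers are an added example, not code from ZDNet or the ProFTPD project: they flag a download timestamp inside the compromise window and compare a tarball's SHA-256 against an expected value that you supply (the `EXPECTED_SHA256` placeholder below is hypothetical; the page gives no digest).

```shell
#!/bin/sh
# Added example: triage a locally downloaded ProFTPD 1.3.3c tarball.
# Window from the advisory: 2010-11-28 20:00 UTC through the end of 2010-12-02.
WINDOW_START=1290974400   # 2010-11-28 20:00:00 UTC as a Unix timestamp
WINDOW_END=1291334400     # 2010-12-03 00:00:00 UTC (first second after the window)

# in_compromise_window EPOCH
# Returns 0 (true) when the Unix timestamp falls inside the compromise window.
in_compromise_window() {
  t=$1
  [ "$t" -ge "$WINDOW_START" ] && [ "$t" -lt "$WINDOW_END" ]
}

# sha256_of FILE -> prints the hex SHA-256 digest (sha256sum or shasum fallback)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 only when the file's digest equals the out-of-band expected value.
# Comparison is case-insensitive so a digest pasted in upper case still matches.
verify_tarball() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# triage_download FILE EXPECTED_SHA256
# Combines both checks: a tarball fetched inside the window, or whose digest
# does not match, is reported as "rebuild" (reinstall from a verified source).
triage_download() {
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  if in_compromise_window "$mtime" || ! verify_tarball "$1" "$2"; then
    echo rebuild
    return 1
  fi
  echo ok
}

# Usage (EXPECTED_SHA256 is a placeholder; obtain the real digest out of band):
# triage_download proftpd-1.3.3c.tar.gz "$EXPECTED_SHA256"
```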

Talkback

27 comments
  • Back door, come on in!

    Poorly managed code repository is unacceptable.
    I use vsftpd--the best.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Open-source ProFTPD hacked, backdoor planted in source code

      @Dietrich T. Schmitz - just hope nobody manages to slip backdoors into vsftpd then.

      And it makes you wonder ... if they managed to slip backdoors into a (relatively) moderate-sized codebase, I wonder how many other backdoors have been slipped into more substantial (or poorly managed) open-source projects.
      bitcrazed
      • Not possible with gpg protected key ring

        @bitcrazed
        nt
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: Open-source ProFTPD hacked, backdoor planted in source code

        @Dietrich T. Schmitz, Your Linux Advocate

        yes, it is possible. the keyring doesn't prevent an attacker who successfully breaks into the hosting server from injecting malicious code. it may make it more difficult, but don't delude yourself into believing that it is impossible.

        *EVERYTHING* can be breached, no matter how secure we believe it to be.

        this is why fast full disclosure of vulnerabilities and compromises is so very important. imagine the security nightmare users of this product would have had if the ProFTPD staff had quietly covered this up and hidden the breach?

        on the flip side, it looks like within a window of 5 days, the ProFTPD team has removed the modified sources, reported the breach, and i believe patched the vulnerability that allowed the breach in the first place. there are other vendors who sometimes won't even acknowledge a vulnerability exists that quickly after proof of exploits in the wild, let alone announce or patch the vulnerability...
        erik.soderquist
    • RE: Open-source ProFTPD hacked, backdoor planted in source code

      @Dietrich T. Schmitz, Your Linux Advocate
      Which just goes to show that linux and its repositories can't be trusted.
      Loverock Davidson
      • At it again Alan?

        @Loverock Davidson
        Utter nonsense per usual.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • LOL

        @Loverock Davidson
        For a guy that runs Debian servers.
        daikon
      • The source code in CVS was not affected.

        @Loverock Davidson Troll Troll.. hmm should be some Xmas music for you! Jack #@$! About 5 days and Done Hmm. Try to tell some one that cares about your Fud!
        mintalaska
  • Tragic but predictable

    Open source has claimed another victim. Ruth-Kelly Fizzwizzle was murdered on Saturday a few days after she installed ProFTPD. Open source, widely known to be the software of choice of violent serial killers, allows these predators to find their victims via backdoors covertly inserted. Sheriff Roscoe Coltrane implored the residents of his small community to not repeat the mistake made by Mrs. Fizzwizzle and to buy their software. He stated in a press conference on Wednesday, "It's just not worth the risk and in the long run, the software costs just as much due to increased administrative costs." Mrs. Fizzwizzle is survived by her son who has recently replaced his file system. "I read about Mr. Reiser yesterday, and I just can't believe how lucky I am to still be alive."
    jackbond
    • RE: Open-source ProFTPD hacked, backdoor planted in source code

      @jackbond Thank you. I enjoyed that.
      No one special
    • RE: Tragic, but predictable

      @jackbond

      This comment is quite interesting:

      `Sheriff Roscoe Coltrane implored the residents of his small community to not repeat the mistake made by Mrs. Fizzwizzle and to buy their software. `

      you forgot to include `as Sheriff Coltrane was handed a "campaign contribution" from the local MS rep`.
      fatman65535
      • RE: Open-source ProFTPD hacked, backdoor planted in source code

        @fatman65535

        Wow are you people stupid.
        jackbond
    • Wow.

      @jackbond

      you do get points for originality
      SonofaSailor
  • RE: Open-source ProFTPD hacked, backdoor planted in source code

    Backdoors everywhere. Seems like you can't avoid them anymore...Windows, Linux. Same. They're everywhere and watching you.
    Think you're safe ? Think twice.
    neeeko