digip, posted December 6, 2010 (edited):

Whether you run it at home, work, your website, etc., be sure to find out if you are vulnerable. This is not a matter of some flaw that could lead to compromise from a remote attack; instead, this was planted directly in the source files for all synced distributors of the legit software, leaving any new installs or upgrades vulnerable to attack if they met the following criteria.

== ProFTPD Compromise Report ==

On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.

The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem.

The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon. Users are strongly advised to check systems running the affected code for security compromises and compile/run a known good version of the code.

To verify the integrity of the source files, use the GPG signatures available on the FTP servers as well as on the ProFTPD homepage at

Read more: http://www.exploit-db.com/exploits/15662/
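The report's advice is to verify the GPG signatures of the source files rather than trust whatever a mirror serves. The following is an added example (not ProFTPD project code, and not from the post above) of the complementary check an operator can run on a tarball pulled from a mirror: compare its SHA-256 against a digest obtained out-of-band (for instance from the signed release announcement), and, when it does not match, list which files inside the archive were modified, added or removed relative to a trusted per-file manifest. The tarball contents, the digest and the manifest are all constructed in memory here so the script runs offline; in practice the trusted values come from the signed announcement, never from the mirror being checked.

```python
"""Check a mirror-served release tarball against trusted integrity data.

Added example, not ProFTPD project code. All inputs are constructed in
memory so the script runs offline and needs only the standard library.
"""
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for a clean release tree (file names are illustrative).
CLEAN_FILES = {
    "proftpd-1.3.3c/README": b"ProFTPD release notes (constructed sample)\n",
    "proftpd-1.3.3c/configure": b"#!/bin/sh\n# constructed configure script\nexit 0\n",
    "proftpd-1.3.3c/src/main.c": b"int main(void) { return 0; }\n",
}

# Constructed stand-in for a tampered copy: one file changed, one added, one removed.
TAMPERED_FILES = {
    "proftpd-1.3.3c/configure": b"#!/bin/sh\n# constructed configure script\n# constructed: extra line\nexit 0\n",
    "proftpd-1.3.3c/src/main.c": CLEAN_FILES["proftpd-1.3.3c/src/main.c"],
    "proftpd-1.3.3c/extra.txt": b"constructed: file not in the trusted manifest\n",
}


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Construct a gzip-compressed tarball in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0  # fixed mtime so the member headers are deterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_manifest(tarball: bytes) -> dict[str, str]:
    """Map every regular file in the tarball to the SHA-256 of its content."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                manifest[member.name] = sha256_hex(tar.extractfile(member).read())
    return manifest


def verify_release(tarball: bytes, trusted_digest: str,
                   trusted_manifest: dict[str, str]) -> dict:
    """Return a report: whole-archive digest match plus per-file differences."""
    report = {
        # compare_digest avoids leaking the position of the first mismatch.
        "digest_ok": hmac.compare_digest(sha256_hex(tarball), trusted_digest),
        "modified": [], "added": [], "removed": [],
    }
    actual = file_manifest(tarball)
    for name, digest in actual.items():
        if name not in trusted_manifest:
            report["added"].append(name)
        elif digest != trusted_manifest[name]:
            report["modified"].append(name)
    report["removed"] = sorted(set(trusted_manifest) - set(actual))
    report["modified"].sort()
    report["added"].sort()
    report["ok"] = report["digest_ok"] and not (
        report["modified"] or report["added"] or report["removed"])
    return report


def demo() -> tuple[dict, dict]:
    """Verify a clean and a tampered tarball against the same trusted data."""
    clean = build_tarball(CLEAN_FILES)
    # In practice both values come from a signed, out-of-band source; here they
    # are derived from the constructed clean archive.
    trusted_digest = sha256_hex(clean)
    trusted_manifest = file_manifest(clean)
    tampered = build_tarball(TAMPERED_FILES)
    return (verify_release(clean, trusted_digest, trusted_manifest),
            verify_release(tampered, trusted_digest, trusted_manifest))


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

The per-file diff is what matters for incident response: a bare digest mismatch only says "do not install this", whereas the modified/added/removed lists tell you which parts of the tree to inspect on any host where the archive was already built.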
digininja, posted December 6, 2010:

If anyone is interested in playing with exploits/trojans and getting an idea how they work, this is a great one to start with. The actual backdoor is a single line of code, and then there is a call-home script and a modification to the configure file to get it all in place and tidy up. I don't like the fact it was done, but it is a very neat bit of work that is definitely worth looking at.
digip (author), posted December 6, 2010:

> If anyone is interested in playing with exploits/trojans and getting an idea how they work, this is a great one to start with. The actual backdoor is a single line of code, and then there is a call-home script and a modification to the configure file to get it all in place and tidy up. I don't like the fact it was done, but it is a very neat bit of work that is definitely worth looking at.

I'd be more interested in how they got into the ProFTPD site to seed all the backdoors. That's a pretty epic hack, but not the first of its kind. No one is safe from this sort of thing; it's just a matter of whether or not it's detected or known about. There was the LCD picture frame fiasco from a few years ago, then there was Windows itself that used to install malware to users when updating (I think) Internet Explorer in one of its .chm Help files back in the day, and there were the iPods that shipped with a Windows virus and would infect the system when plugged in for the first time via USB. There were even the Cisco or Juniper routers (can't remember who exactly) that shipped with hardware backdoors and faulty encryption keys. One of my Cisco teachers who works for an aeronautics company had that happen to them, and all the hardware had to be destroyed due to backdoors put in the hardware itself before it shipped from an overseas order. I just wonder how they catch these sorts of things before deployment in the production environment, because they caught it before they installed any of the devices.
digininja, posted December 6, 2010:

Hopefully they will do what Apache does and do a full write-up on it when they've worked out what happened.
Infiltrator, posted December 6, 2010:

Could it have been an insider, or did they somehow overlook their security and someone managed to break in?
digininja, posted December 6, 2010:

This is what they think happened: http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org

> On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.

It doesn't say if they were actually running their own software on the FTP server, so:

* They don't run the latest version of their own code
* They run other people's code on their FTP server
* There is an as yet undisclosed 0-day in their server
c0r, posted December 6, 2010:

HELP ACIDBITCHEZ does the trick proftpd c
Infiltrator, posted December 7, 2010 (edited):

> We're in the process of investigating the compromised host and will provide additional information if and as it becomes available.

Source: http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org

I hope they take that as a lesson and learn from the incident and their mistakes, so as to prevent future attacks from happening again.
digip (author), posted December 7, 2010:

> > We're in the process of investigating the compromised host and will provide additional information if and as it becomes available.
>
> Source: http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org
>
> I hope they take that as a lesson and learn from the incident and their mistakes, so as to prevent future attacks from happening again.

That's all fine and dandy, but there is no protection if it was a non-disclosed 0-day in their server somewhere. Might not have even been a flaw in their own software. Could have been a third-party issue or server vuln no one knows about.
Infiltrator, posted December 8, 2010:

> That's all fine and dandy, but there is no protection if it was a non-disclosed 0-day in their server somewhere. Might not have even been a flaw in their own software. Could have been a third-party issue or server vuln no one knows about.

Yeah, I know you can't really prevent 0-day attacks yet; the vulnerability needs to be discovered first by someone, and then a patch worked on so it can be applied to the flaw. Is there software that can find vulnerabilities inside the source code of a program? Or is the only way to discover a vulnerability through reverse engineering and looking at thousands of lines of code?
digininja, posted December 9, 2010:

> Yeah, I know you can't really prevent 0-day attacks yet; the vulnerability needs to be discovered first by someone, and then a patch worked on so it can be applied to the flaw. Is there software that can find vulnerabilities inside the source code of a program? Or is the only way to discover a vulnerability through reverse engineering and looking at thousands of lines of code?

There are quite a few apps that will do static code analysis, but they look for bugs rather than deliberate backdoors like this one.
Infiltrator, posted December 9, 2010:

> There are quite a few apps that will do static code analysis, but they look for bugs rather than deliberate backdoors like this one.

Of course. I read some articles about static code analysis before, but that was on how to reverse engineer a computer worm. But I guess the principle remains the same, if I am not wrong.
digip (author), posted December 9, 2010:

> Of course. I read some articles about static code analysis before, but that was on how to reverse engineer a computer worm. But I guess the principle remains the same, if I am not wrong.

There are source code scanners that check for flaws, but I think you miss the point. Their source code didn't have a flaw. The attackers managed to gain access to their server and then placed a back door in their code base that synced to all the other mirroring servers. This didn't make the software flawed; it was an intentional backdoor, not some piece of code vulnerable to a heap spray or buffer overflow. So when people updated to that specific version, their servers then became vulnerable to attack through the back door added by the attackers. It hasn't been disclosed yet if it was a flaw in ProFTPD itself that gave them access to their files, or some other mechanism as to how they obtained access to their server, but either way, the end result was a poisoned distribution of that version of the program.