Critical: ProFTPD 1.3.3c, Source compromised

mmx

mmx

Verified User
Joined
May 8, 2005
Messages
130
Location
Montreal, QC
Looks like ftp.proftpd.org was compromised and the ProFTPD source code was altered with a backdoor.

Since this was after November 28th (I'm sure DA programmers downloaded a copy of the source way before that) it's still food for thought!

From the security newsletter:
ProFTPD Compromise Report

On Sunday, the 28th of November 2010 around 20:00 UTC the main
distribution server of the ProFTPD project was compromised. The
attackers most likely used an unpatched security issue in the FTP daemon
to gain access to the server and used their privileges to replace the
source files for ProFTPD 1.3.3c with a version which contained a backdoor.
The unauthorized modification of the source code was noticed by
Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on
Wednesday, December 1 and fixed shortly afterwards.

The fact that the server acted as the main FTP site for the ProFTPD
project (ftp.proftpd.org) as well as the rsync distribution server
(rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who
downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28
to 2010-12-02 will most likely be affected by the problem.

The backdoor introduced by the attackers allows unauthenticated users
remote root access to systems which run the maliciously modified version
of the ProFTPD daemon.
Click to expand...
 
Last edited:
There's more info:

Users are strongly advised to check systems running the affected code for
security compromises and compile/run a known good version of the code.
To verify the integrity of the source files, use the GPG signatures
available on the FTP servers as well on the ProFTPD homepage at:

http://www.proftpd.org/md5_pgp.html.

The MD5 sums for the source tarballs are:

8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz

The PGP signatures for the source tarballs are:

proftpd-1.3.3c.tar.bz2:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkzLAWYACgkQt46JP6URl2qu3QCcDGXD+fRPOdKMp8fHyHI5d12E
83gAoPHBrjTFCz4MKYLhH8qqxmGslR2k
=aLli
-----END PGP SIGNATURE-----

proftpd-1.3.3c.tar.gz:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkzLAW0ACgkQt46JP6URl2ojfQCfXy/hWE8G5mhdhdLpaPUZsofK
pO8Anj+uP0hQcn1E/CEUddI0mezlSCmg
=e8el
-----END PGP SIGNATURE-----

The PGP key of TJ Saunders has been used to sign the source tarballs;
it is available via MIT's public keyserver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkz23FwACgkQt46JP6URl2pQ3QCfTWAZ8ZTGvruPD1pRJUpLM3gw
hUsAoLI4YnmXVgUIVhU2vFWD1rOYffEY
=3m3x
-----END PGP SIGNATURE-----
 
mmx said:
Since this was after November 28th (I'm sure DA programmers downloaded a copy of the source way before that) it's still food for thought!
Click to expand...

Yes, they did. Because I upgraded to ProFTPD 1.3.3c using custombuild the 2nd November, so the custombuild version should not be affected.
 
I find it scarier that ProFTPd was hacked in the first place...Since a new version hasn't been released, it means anybody running ProFTPd is vulnerable.
 
interfasys said:
I find it scarier that ProFTPd was hacked in the first place...Since a new version hasn't been released, it means anybody running ProFTPd is vulnerable.
Click to expand...
No, it means anyone who installed the comprimised source code is vulnerable. Its not the version, its based on when you installed it.
 
The main worry is how it got hacked in the first place by the hackers, as in gaining entry to the server.
 
@propcgamer - It's not what I'm talking about, see Peter's comment. Because ProFTPd is still at 1.3.3c, it means that whatever hackers used to gain access would still work on our installations.
 
interfasys said:
@propcgamer - It's not what I'm talking about, see Peter's comment. Because ProFTPd is still at 1.3.3c, it means that whatever hackers used to gain access would still work on our installations.
Click to expand...
Only if the breakin was through FTP.

Jeff
 
You must log in or register to reply here.
Back
Top