# ProFTPD 1.3.3c source compromised 2010-11-28 to 2010-12-02

## lyallp

ProFTPD 1.3.3c compromised at the source level news article

Quoting the web site:

> "The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem," wrote TJ Saunders, the ProFTPD maintainer, in the warning sent to the subscribers of the project's mailing list on SourceForge.

Mine was updated on 11-Nov-2010, so I am safe, but what about you?

Unstuck. -- desultory

----------

## zeroth

I don't know if proftpd in portage has been affected, but I can't find anyone else discussing this, so I figured I had better mention it.

http://www.h-online.com/open/news/item/Back-door-in-ProFTPD-FTP-server-1146592.html

The article:

> Unknown attackers penetrated the server hosting the open source ProFTPD FTP server project and concealed a back door in the source code. The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back door by contacting an IP address in the Saudi Arabia area. Entering the command 'HELP ACIDBITCHEZ' results in the modified server displaying a root shell.
> 
> Ironically, to place their back door, the attackers used a zero day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users. The modification was carried out on the 28th November and discovered and reverted on 1st December. Because the project's main server, which also feeds various mirrors via rsync, was affected, the modified code has probably been delivered via official mirrors right up until today.
> ...

----------

## NeddySeagoon

zeroth,

```
/usr/portage/net-ftp/proftpd $ ls -l
total 57
-rw-r--r-- 1 root root 42043 Nov 16 13:06 ChangeLog
-rw-r--r-- 1 root root  2375 Nov 16 13:06 Manifest
drwxr-xr-x 2 root root  1024 Nov 16 13:06 files
-rw-r--r-- 1 root root  1671 Nov 16 13:06 metadata.xml
-rw-r--r-- 1 root root  7180 Nov 14 17:36 proftpd-1.3.3c.ebuild
```

This shows that portage's proftpd was updated in mid November. The manifest checks will have failed against the compromised binary.

Any Gentoo users that remade the manifest to match the download while the compromised version was being distributed will have the compromise.

MD5sum matches prove nothing any more. It's become trivial to generate a file with any payload you want that has the same MD5sum as any given file.

That's why Gentoo no longer uses MD5 for validating downloads or for password hashes.
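As an added example of the Manifest check described above (my code, not the poster's and not Portage's own implementation): parse a Gentoo-style `DIST` entry, recompute every recorded hash over the downloaded bytes, and reject entries that carry only MD5. The Manifest line, the accepted algorithm set and the tarball bytes are constructed for the demonstration; the real proftpd-1.3.3c digests and the hash set Portage used in 2010 differ.

```python
"""Verify a downloaded distfile against the hashes pinned in a Portage Manifest."""
import hashlib

# Algorithms this checker accepts (constructed set). MD5 is deliberately absent,
# so a Manifest that records only MD5 cannot validate anything.
SUPPORTED = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}


def parse_manifest(text):
    """Return {filename: {"size": int, "hashes": {ALGO: hexdigest}}} from DIST lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "DIST":
            continue  # EBUILD/MISC/AUX entries are not distfiles
        name, size, rest = fields[1], int(fields[2]), fields[3:]
        if len(rest) % 2:
            raise ValueError(f"malformed DIST line for {name}")
        entries[name] = {"size": size, "hashes": dict(zip(rest[0::2], rest[1::2]))}
    return entries


def verify_distfile(manifest, name, data):
    """Return (ok, reasons). Size and every accepted recorded hash must match."""
    entry = manifest.get(name)
    if entry is None:
        return False, [f"{name} not listed in Manifest"]
    reasons, checked = [], 0
    if len(data) != entry["size"]:
        reasons.append(f"size {len(data)} != {entry['size']}")
    for algo, expected in entry["hashes"].items():
        impl = SUPPORTED.get(algo)
        if impl is None:
            reasons.append(f"{algo} is not an accepted algorithm")
            continue
        checked += 1
        if hashlib.new(impl, data).hexdigest() != expected:
            reasons.append(f"{algo} mismatch")
    if checked == 0:
        reasons.append("no accepted hash recorded")
    return (not reasons), reasons


def make_dist_line(name, data):
    """Emit the DIST line a maintainer would record for a known-good distfile."""
    digests = " ".join(f"{a} {hashlib.new(i, data).hexdigest()}" for a, i in SUPPORTED.items())
    return f"DIST {name} {len(data)} {digests}"


# Constructed stand-ins: the tarball the ebuild was written against, and a
# same-length tampered copy of the kind a compromised mirror would serve.
GOOD_TARBALL = b"proftpd-1.3.3c source (constructed placeholder bytes)\n"
BACKDOORED_TARBALL = GOOD_TARBALL.replace(b"source", b"SOURCE")
MANIFEST = make_dist_line("proftpd-1.3.3c.tar.gz", GOOD_TARBALL) + "\n"
```

Because the tampered copy keeps the original size, only the digest comparison catches it, which is exactly the check a regenerated Manifest would have thrown away.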

----------

## Bircoph

Hmm, this is not the first critical security flaw in proftpd in recent years.

What makes this flaw one of the most epic fails I have ever seen is that they failed to update their own FTP server and were hacked that way.

Really, if you care about security, you should use other daemons like vsftpd.

----------

