Gentoo Forums
ProFTPD 1.3.3c source compromised 2010-11-28 to 2010-12-02
Networking & Security
lyallp
Veteran


Joined: 15 Jul 2004
Posts: 1263
Location: Adelaide/Australia

Posted: Thu Dec 02, 2010 11:07 pm    Post subject: ProFTPD 1.3.3c source compromised 2010-11-28 to 2010-12-02

ProFTPD 1.3.3c compromised at the source level news article


Quoting the web site.
Quote:
"The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem," wrote TJ Saunders, the ProFTPD maintainer, in the warning sent to the subscribers of the project's mailing list on SourceForge.


Mine was updated on the 11-Nov-2010, so I am safe, but what about you?

Unstuck. -- desultory
_________________
...Lyall
zeroth
Tux's lil' helper


Joined: 27 Feb 2006
Posts: 128

Posted: Fri Dec 03, 2010 4:22 pm    Post subject: Back door in ProFTPD FTP server

I don't know if proftpd in portage has been affected, but I can't find anyone else discussing this, so I figured I had better mention it.

http://www.h-online.com/open/news/item/Back-door-in-ProFTPD-FTP-server-1146592.html

the article:

Quote:

Unknown attackers penetrated the server hosting the open source ProFTPD FTP server project and concealed a back door in the source code. The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back door by contacting an IP address in the Saudi Arabia area. Entering the command 'HELP ACIDBITCHEZ' results in the modified server displaying a root shell.

Ironically, to place their back door, the attackers used a zero day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users. The modification was carried out on the 28th November and discovered and reverted on 1st December. Because the project's main server, which also feeds various mirrors via rsync, was affected, the modified code has probably been delivered via official mirrors right up until today.

Users can use the MD5 hash or PGP signature to determine whether they have downloaded the bad version of the source code. The developers have not revealed any details of the vulnerability used to penetrate the project server. The attackers may have exploited the still unpatched vulnerability in the SQL module highlighted in the hacker magazine Phrack in mid November.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 31993
Location: 56N 3W

Posted: Fri Dec 03, 2010 4:58 pm

zeroth,

Code:
/usr/portage/net-ftp/proftpd $ ls -l
total 57
-rw-r--r-- 1 root root 42043 Nov 16 13:06 ChangeLog
-rw-r--r-- 1 root root  2375 Nov 16 13:06 Manifest
drwxr-xr-x 2 root root  1024 Nov 16 13:06 files
-rw-r--r-- 1 root root  1671 Nov 16 13:06 metadata.xml
-rw-r--r-- 1 root root  7180 Nov 14 17:36 proftpd-1.3.3c.ebuild


This shows that Portage's proftpd was updated in mid-November. The Manifest checks will have failed against the compromised binary.
Any Gentoo users who remade the Manifest to match the download while the compromised version was being distributed will have the compromise.

MD5sum matches prove nothing any more. It's become trivial to generate a file with any payload you want that has the same MD5sum as any given file.
That's why Gentoo no longer uses MD5 for validating downloads or for password hashes.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
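Added example (not from any poster in this thread, and not ProFTPD's or Gentoo's own code): a small script that does the two checks the posts above describe. It verifies a distfile against the DIST line of an ebuild Manifest, requiring the size and every listed digest to match (a digest the verifier cannot compute counts as a failure, not a skip), and it scans the tarball contents for the 'ACIDBITCHEZ' HELP command that the h-online article quoted by zeroth says triggers the backdoor's root shell. The second check exists because of NeddySeagoon's point: a user who regenerated the Manifest from a tampered download gets a Manifest that matches it, so digest verification alone proves nothing in that case. The tarball contents, the Manifest line, its digests and the file name proftpd-1.3.3c.tar.gz are all constructed here so the script runs offline; the real 1.3.3c digests are not on this page.

```python
"""Added example, not code from the thread, ProFTPD or Gentoo.

Two independent checks on a proftpd-1.3.3c distfile:
  1. verify size + every digest on the Manifest's DIST line;
  2. scan the unpacked tree for the backdoor's HELP command marker.
All inputs below are constructed for the example.
"""
import hashlib
import io
import tarfile

# The HELP argument the h-online article says yields a root shell.
MARKER = b"ACIDBITCHEZ"
# Constructed distfile name; the real digests are not on the page.
DISTFILE = "proftpd-1.3.3c.tar.gz"


def build_tarball(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_manifest(text):
    """Return {filename: (size, {ALGO: hexdigest})} for 'DIST' lines.

    Line shape (Gentoo Manifest): DIST <file> <size> <ALGO> <hex> [<ALGO> <hex>]...
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 != 1:
            continue  # not a DIST line, or algo/hex pairs are unbalanced
        name, size = parts[1], int(parts[2])
        entries[name] = (size, dict(zip(parts[3::2], parts[4::2])))
    return entries


def verify_distfile(name, data, manifest_text):
    """Return (ok, reasons). Every listed digest must match, not just one."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, ["%s not listed in Manifest" % name]
    size, digests = entries[name]
    reasons = []
    if len(data) != size:
        reasons.append("size %d != %d" % (len(data), size))
    for algo, expected in digests.items():
        try:
            h = hashlib.new(algo.lower())
        except ValueError:
            reasons.append("unsupported digest %s" % algo)  # fail closed
            continue
        h.update(data)
        if h.hexdigest() != expected:
            reasons.append("%s mismatch" % algo)
    return not reasons, reasons


def scan_tarball(data):
    """Return member names whose contents contain the backdoor marker."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            f = tf.extractfile(member)
            if f is not None and MARKER in f.read():
                hits.append(member.name)
    return hits


def make_manifest(name, data):
    """Constructed DIST line for a tarball (stands in for the Nov-16 Manifest)."""
    return "DIST %s %d SHA256 %s SHA512 %s\n" % (
        name, len(data),
        hashlib.sha256(data).hexdigest(),
        hashlib.sha512(data).hexdigest())


def check(name, data, manifest_text):
    """Run both checks; a clean result needs manifest_ok and no backdoor_hits."""
    ok, reasons = verify_distfile(name, data, manifest_text)
    return {"manifest_ok": ok, "reasons": reasons,
            "backdoor_hits": scan_tarball(data)}


# Constructed source trees: one clean, one with the marker injected.
CLEAN_TARBALL = build_tarball({
    "proftpd-1.3.3c/src/help.c":
        b"/* HELP handler */\nstatic const char *cmds[] = {\"USER\", \"HELP\"};\n"})
BACKDOORED_TARBALL = build_tarball({
    "proftpd-1.3.3c/src/help.c":
        b"/* HELP handler */\nif (strcmp(arg, \"ACIDBITCHEZ\") == 0) { /* shell */ }\n"})
# Manifest generated from the clean tarball, as the Nov-16 ebuild's would be.
MANIFEST = make_manifest(DISTFILE, CLEAN_TARBALL)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TARBALL), ("backdoored", BACKDOORED_TARBALL)):
        print(label, check(DISTFILE, blob, MANIFEST))
    # A Manifest regenerated from the tampered download matches it; only the scan catches it.
    print("regenerated", check(DISTFILE, BACKDOORED_TARBALL,
                               make_manifest(DISTFILE, BACKDOORED_TARBALL)))
```

Against the original Manifest the tampered tarball fails both digests; against a Manifest regenerated from the tampered tarball it passes verification, and only the content scan reports help.c. On a real system the Manifest would come from the portage tree (the directory listed above) and the distfile from /usr/portage/distfiles, and the PGP signature on the upstream release is the additional check the article mentions.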
Bircoph
Apprentice


Joined: 27 Jun 2008
Posts: 258
Location: Moscow

Posted: Fri Dec 03, 2010 9:26 pm

Hmm, this is not the first critical security flaw in proftpd in the last few years.
What makes this flaw one of the most epic fails I have ever seen is that they failed to update their own ftp server and were hacked that way.

Really, if you care about security, you should use other daemons like vsftpd.
_________________
Per aspera ad astra!