lyallp (Veteran)
Joined: 15 Jul 2004 Posts: 1557 Location: Adelaide/Australia
Posted: Thu Dec 02, 2010 11:07 pm Post subject: ProFTPD 1.3.3c source compromised 2010-11-28 to 2010-12-02
ProFTPD 1.3.3c compromised at the source level (news article)
Quoting the web site.
Quote:
"The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem," wrote TJ Saunders, the ProFTPD maintainer, in the warning sent to the subscribers of the project's mailing list on SourceForge.
Mine was updated on 11-Nov-2010, so I am safe, but what about you?
Unstuck. -- desultory
_________________
...Lyall
zeroth (Tux's lil' helper)
Joined: 27 Feb 2006 Posts: 128
Posted: Fri Dec 03, 2010 4:22 pm Post subject: Back door in ProFTPD FTP server
I don't know if proftpd in portage has been affected, but I can't find anyone else discussing this, so I figured I had better mention it.
http://www.h-online.com/open/news/item/Back-door-in-ProFTPD-FTP-server-1146592.html
The article:
Quote:
Unknown attackers penetrated the server hosting the open source ProFTPD FTP server project and concealed a back door in the source code. The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back door by contacting an IP address in the Saudi Arabia area. Entering the command 'HELP ACIDBITCHEZ' results in the modified server displaying a root shell.
Ironically, to place their back door, the attackers used a zero day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users. The modification was carried out on the 28th November and discovered and reverted on 1st December. Because the project's main server, which also feeds various mirrors via rsync, was affected, the modified code has probably been delivered via official mirrors right up until today.
Users can use the MD5 hash or PGP signature to determine whether they have downloaded the bad version of the source code. The developers have not revealed any details of the vulnerability used to penetrate the project server. The attackers may have exploited the still unpatched vulnerability in the SQL module highlighted in the hacker magazine Phrack in mid November.
NeddySeagoon (Administrator)
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
Posted: Fri Dec 03, 2010 4:58 pm Post subject:
zeroth,
Code:
/usr/portage/net-ftp/proftpd $ ls -l
total 57
-rw-r--r-- 1 root root 42043 Nov 16 13:06 ChangeLog
-rw-r--r-- 1 root root 2375 Nov 16 13:06 Manifest
drwxr-xr-x 2 root root 1024 Nov 16 13:06 files
-rw-r--r-- 1 root root 1671 Nov 16 13:06 metadata.xml
-rw-r--r-- 1 root root 7180 Nov 14 17:36 proftpd-1.3.3c.ebuild
This shows that Portage's proftpd was updated in mid November. The Manifest checks will have failed against the compromised binary.
Any Gentoo users that remade the Manifest to match the download while the compromised version was being distributed will have the compromise.
MD5sum matches prove nothing any more. It's become trivial to generate a file with any payload you want that has the same MD5sum as any given file.
That's why Gentoo no longer uses MD5 for validating downloads or for password hashes.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
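As an added example of the kind of Manifest check the post above relies on (and the MD5-versus-PGP point in the quoted article), here is a small distfile verifier. It is not Gentoo's, Portage's or ProFTPD's own code: it assumes the Manifest2 line shape "DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]", treats MD5 and SHA1 digests as non-evidence, and constructs a stand-in tarball, a tampered copy of the same size, and the Manifest lines inline so it runs offline.

```python
"""Verify a downloaded distfile against a Gentoo-style Manifest entry.

Added example, not Gentoo's or ProFTPD's code. The tarball bytes, the
tampered copy and the Manifest lines below are all constructed here.
"""
import hashlib

# Digests accepted as evidence. MD5 and SHA1 are deliberately absent:
# an MD5 match alone should not be treated as proof of integrity.
TRUSTED_ALGOS = {"SHA256", "SHA512"}


def parse_manifest(text):
    """Return {filename: (size, {ALGO: hexdigest})} for each DIST line.

    Malformed lines (wrong tag, or an ALGO without a digest) are skipped.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # "DIST name size" plus ALGO/hex pairs gives an odd field count
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 != 1:
            continue
        name, size = parts[1], int(parts[2])
        digests = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (size, {a.upper(): h.lower() for a, h in digests.items()})
    return entries


def verify_distfile(name, data, manifest_text):
    """Return (ok, reason).

    ok is True only when the size matches and every trusted digest in the
    entry matches; an entry carrying no trusted digest is rejected even if
    its MD5 would have matched.
    """
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, "no Manifest entry"
    size, digests = entries[name]
    if len(data) != size:
        return False, f"size mismatch: {len(data)} != {size}"
    trusted = {a: h for a, h in digests.items() if a in TRUSTED_ALGOS}
    if not trusted:
        return False, "entry carries no trusted digest (MD5/SHA1 only)"
    for algo, expected in trusted.items():
        actual = hashlib.new(algo.lower(), data).hexdigest()
        if actual != expected:
            return False, f"{algo} mismatch"
    return True, "ok"


def make_manifest(name, data, algos=("SHA256", "SHA512")):
    """Build one DIST line for constructed data (stands in for the tree's Manifest)."""
    fields = " ".join(f"{a} {hashlib.new(a.lower(), data).hexdigest()}" for a in algos)
    return f"DIST {name} {len(data)} {fields}\n"


# Constructed sample inputs: a stand-in tarball and a same-size tampered copy.
NAME = "proftpd-1.3.3c.tar.gz"
GOOD = b"constructed stand-in for the proftpd-1.3.3c tarball contents\n"
BAD = GOOD[:-2] + b"X\n"  # same length, one byte changed
MANIFEST = make_manifest(NAME, GOOD)
MD5_ONLY_MANIFEST = make_manifest(NAME, GOOD, algos=("MD5",))

if __name__ == "__main__":
    for label, data, manifest in (
        ("good", GOOD, MANIFEST),
        ("tampered", BAD, MANIFEST),
        ("md5-only", GOOD, MD5_ONLY_MANIFEST),
    ):
        print(label, verify_distfile(NAME, data, manifest))
```

The size check catches a padded file, the digest loop catches a same-size edit, and an entry that offers only MD5 is refused rather than "passed" on a weak match. A PGP signature on the Manifest itself is what ties these digests to the project; that step is outside this script and should be done with the project's published key.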
Bircoph (Developer)
Joined: 27 Jun 2008 Posts: 261 Location: Moscow
Posted: Fri Dec 03, 2010 9:26 pm Post subject:
Hmm, this is not the first critical security flaw in proftpd in recent years.
What makes this flaw one of the most epic fails I ever saw is that they failed to update their own FTP server and were hacked that way.
Really, if you care about security, you should use other daemons like vsftpd.
_________________
Per aspera ad astra!