On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised.  The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor.

The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org), as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem.

The attacker did not touch the repositories, instead he managed to change the .gz and .bz2 file to include the altered source code that will enable him to:

1. track down  the computer used to compile the source code
2. plant a backdoor that will enable him to escalate to root privileges on the proftpd installed server.

The first attempt done was changing the configure file and adding the tests.c file in the tests directory. The attacker added 4 lines in the configure file as shown below.

The first step to be done before compiling the source code is to run ./configure. When a user runs ./configure, the tests.c file found in the tests directory which is a file added by the attacker will be compiled without the user’s consent. This will then produce an executable file name tests. The code in line 3 will then run tests to send information to a server at 212.x.y.z

Figure 2 is a snippet from tests.c showing that the program will connect to 212.x.y.z on port 9090 and send the string “GET /AB HTTP/1.0\r\n\r\n” which is a Get method for the HTTP protocol. This will tell the attacker which IP is using the compromised source code and might be a potential victim.

For the second payload, the attacker has altered the help.c file in the src directory.

The above line is added at line 129 in the pr_help_add_response function. This line of code will be executed when ftp client sends HELP ACIDBITCHEZ to the vulnerable proftpd even without user authentication. It will then run /bin/sh or /sbin/sh and give the shell to the attacker with root privileges. Figure 3 shows the vulnerable ftpd giving root privileges to an unauthenticated user.

Users are strongly advised to make sure they are not using the compromised program. Below are the md5sum of the source tarball for version 1.3.3c.

8571bd78874b557e98480ed48e2df1d2  proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d  proftpd-1.3.3c.tar.gz