ProFTPD.org Compromised, Backdoor Distributed

← Back to Stories (view on slashdot.org)

ProFTPD.org Compromised, Backdoor Distributed

Posted by CmdrTaco on Thursday December 2, 2010 @01:40AM from the scary-world-we-live-in dept.

Orome1 writes "A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the main distribution server of the software project that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server."

4 of 152 comments (clear)

Min score:

Reason:

Sort:

Re:FTP by kyrio · 2010-12-02 01:44 · Score: 3, Insightful

I'm pretty sure the unpatched security flaw was the protocol itself. Plain text passwords FTW.
Anyone checking these source file changes? by digitaldc · 2010-12-02 01:46 · Score: 3, Insightful

Isn't there some type of review process for all changes? Or can you just go in and change things willy-nilly?

Maybe they need some more code oversight, just my opinion.

--
He who knows best knows how little he knows. - Thomas Jefferson
1. Re:Anyone checking these source file changes? by fuzzyfuzzyfungus · 2010-12-02 02:00 · Score: 3, Insightful
  
  I suspect that the real problem would be chicken-and-egg adoption issues. Anybody with competence in the right area could probably bang out a functioning prototype firefox plugin addressing either the cases of SSLed sites also being expected sign their binaries with their existing SSL setup, or the FOSSier case of developers signing with their GPG keys and posting MD5 hashes in approximately an afternoon.
  
  Trouble is, unless broadly and swiftly adopted, people won't see the "this package is not cryptographically verified" message as being problematic in the slightest, if that is the case, the attacker can simply not sign, and nobody will care(the current situation on Windows, which offers cryptographic verification of installers before install is largely this way. Enough outfits, even fairly respectable ones, just don't bother, that the security gains are minimal, despite the mechanism being technically and mathematically sound). If you make the message scarier and/or harder to get around, people will just go with something that doesn't get in their way. Only if lack of signature was considered a shocking fault would anybody really be saved...
  
  Architecturally and mathematically, the solution works just fine; but it fails on the critical adoption mass problem...
Quite. by Spad · 2010-12-02 01:49 · Score: 4, Insightful

To confirm their integrity, they are advised to verify the MD5 sums and PGP signatures of the downloaded files and compare them to that of the legitimate source tarballs.
Because the people who compromised your server and uploaded a trojaned version of your software would *never* think to upload their own MD5 sums and PGP signatures to match...