ProFTPD.org Compromised, Backdoor Distributed

Orome1 writes "A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the main distribution server of the software project that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server."

FTP

[kyrio]

People still use FTP?

Re:FTP

[kyrio]

I'm pretty sure the unpatched security flaw was the protocol itself. Plain text passwords FTW.

Re:FTP

[dimethylxanthine]

People still compromise. Now that's impressive.

Re:FTP

Sure they do. Public ftp that is

Re:FTP

[Corporate+Troll]

You'd be surprised... Recently I installed Joomla for someone, and they insisted on having FTP. Apparently FTP support is built-in to Joomla (I know not much about Joomla). I said "simply use sftp", but that was not acceptable. I did restrict the FTP server to trusted IP addresses though.

Re:FTP

[Megane]

How else are you going to upload files from Internet Explorer 6?

Re:FTP

[Rhaban]

People still use Joomla?

Re:FTP

[Corporate+Troll]

Apparently... Guess this is a case of "I know this tool, and I'll use it".

Re:FTP

[thijsh]

Shouldn't be a problem for local use or behind a VPN... other than that it's a bad idea.

Re:FTP

[AndrewNeo]

WebDAV?

Re:FTP

How else are you going to upload files from Internet Explorer 6?

Shared drive?

Re:FTP

[smash]

Who cares? Anyone still on IE6 deserves whatever maltreatment/second-class service they get.

Re:FTP

OP has the same unanswered question that I have. What is the point of FTP today? I mean Google Chrome doesn't even recognize gopher URLs. Apple's Safari screws up FTP sites by mounting them in the Finder. I just can't think of a need for FTP when there is HTTP.

Re:FTP

[Wolvenhaven]

One of our clients where I work required us to modify our application in such a way that they could use FTP on their own server for the file transmission instead of using our already built application which every other one of our clients uses; and yes, it's become the biggest pain to manage and constantly causes issues.

So yea, people still use it, even with much better systems available.

Re:FTP

[kestasjk]

Why not use SSH/SCP for unix or SMB for Windows? (I accept Windows should have an SSH/SCP alternative, and that it's one of PowerShell's few failings, but SMB is okay for encrypted local file transfers)

Re:FTP

[kestasjk]

You'd be surprised.. Recently I installed Invision for someone, and they insisted on having Joomla integration.

Re:FTP

[The+Moof]

I said "simply use sftp", but that was not acceptable.

A better suggestion for the average user would be going FTPS. No tunneling required, it's built right into the protocol.

Re:FTP

[surgen]

Apple's Safari screws up FTP sites by mounting them in the Finder.

It sounds like Safari encountered a URI for which it doesn't handle the protocol, and passed it to the operating system. That's a sensible thing to do.

Mouting a remote directory as if it were a local one, how is that screwing up? Or do you just want the "hey we kind-of implemented this protocol in a receive-only way, it may or may not be completely unusable for your use case, but built into your browser anyway".

Re:FTP

[Mr.+DOS]

The sad part is that people do still use Invision...

Re:FTP

The backdoor trojan which gets installed via an ActiveX exploit will take care of uploading for you.

Re:FTP

[Spazmania]

Yeah, exactly. I used and liked proftpd back in the day, but why is anyone still using an FTP server for anything? The protocol is not secure or reasonably securable. Come on folks, the writing has only been on the wall for 15 years now...

Re:FTP

Automated file drops. FTP is great for this.

I'm not talking about a cron job running a shell script that sends a file through an FTP command. I'm talking about a purpose-built application that builds a data file and sends it via FTP to a remote system for processing.

Security should be handled by a firewall (allow only $sender_IP to connect to port 21), not by the FTP protocol itself. Encryption can be handled by the app that creates the data file. This is how FTP is supposed to work anyway. It's just a dumb pipe. File Transfer Protocol, not File Encryption, Authentication, Authorization, and Transfer Protocol.

Learn to use a tool for what it's for. FTP is for transferring files. Nothing more.

Re:FTP

[Bill,+Shooter+of+Bul]

Why not just use SSH/SCP for windows( it already exists, not difficult to install)?

Re:FTP

[cuncator]

That's assuming everyone on your local net is trustworthy, which pretty much leaves out any network with more than one user on it. For internal transfers you don't really care about securing, though, it's probably fine with appropriate chroot, iptables, etc.

Re:FTP

[a_nonamiss]

FTP isn't secure, but it's got a very low overhead compared to sftp or smb. Still a very efficient way to send very large files over a trusted, reliable LAN. On a gigabit LAN, I get a significantly higher transfer speed than when using smb.

I'm not saying I'd put it in production over the Internet. It's crazy insecure and is a pain in the butt to set up on a firewall, but for fast, simple transfers on a LAN, it's the best protocol out there.

Re:FTP

[JonJ]

You can't write to ftp with Finder, so that argument is moot. Safari or Finder, it's read only anyway.

Re:FTP

[Corporate+Troll]

Says the guy who calls himself "Mr. DOS" ;-)

Re:FTP

Why not use SSH/SCP for unix or SMB for Windows? (I accept Windows should have an SSH/SCP alternative, and that it's one of PowerShell's few failings, but SMB is okay for encrypted local file transfers)

Because SCP and SFTP are slow (not due to encryption, but due to their chatty nature). You can get quite close to wirespeed from FTP even from WAN. With SCP you are lucky to get >10MB/s from WAN. SCP and SFTP are quite slow even in LAN.

Re:FTP

[nschubach]

You missed his point... you can't really blame Safari for passing the URL to the OS to let it open whatever application is associated with ftp:// protocol links. That's the whole idea behind prefixing http:/// and ftp:// in the first place.

The problem lies in the fact that this particular installation OSX likely doesn't have a program installed that can handle writing to ftp:// links.

Re:FTP

[jimicus]

I have been asked on a number of occasions to set up an FTP server.

You would not believe the trouble I have had suggesting SSH/SCP - even from people who develop on Unix and use SSH to log in all day long. I've tried providing a web interface, I've tried providing a link to WinSCP, I've tried pre-installing WinSCP on the person's PC before it even goes on their desk.

In almost every case, it was pretty damn obvious that the person asking for an FTP server had already decided that they were going to have an FTP server, and would not even discuss the idea that there might be alternatives.

Re:FTP

[nschubach]

Yeah, we have an internal FTP server that accepts and stores an average of 60,000 files per day from workstations all over the company. My import job cleans them off after 9 days so at any point in time we have over half a million files sitting on the server. If I had to deal with all those files in SMB or across a share, I'd have to wait hours to be able to do anything with them.

Re:FTP

[An+ominous+Cow+art]

Maybe "Señor TWO" was already taken? :-)

Re:FTP

[SanityInAnarchy]

That's moronic.

First, you've got a purpose-built application. What's stopping you from implementing whatever protocol you want? Why on earth would you use FTP?

Second, IP-based security isn't security.

Third, why would you re-implement encryption, authentication, and authorization in your application when you can get them for free from FTPS, SFTP, HTTPS, etc?

Re:FTP

[mcgrew]

Anyone still on IE6 is at work, where the intranet is dependant on it.

Re:FTP

[StuartHankins]

for fast, simple transfers on a LAN, it's the best protocol out there.

rsync is the tool I prefer.

Re:FTP

[StuartHankins]

We use rsync to distribute internal apps -- the clients hit the server on logon to grab the latest version. It's not complicated and doesn't require any support. If the same version is already installed, it's like 200 bytes transferred per client, which is about as lightweight as you can get.

Re:FTP

[Crudely_Indecent]

Plain text passwords

I'm pretty sure that's not the only way to use ProFTPD.

http://www.proftpd.org/localsite/Userguide/linked/config_ftpoverssh.html

Re:FTP

[nabsltd]

You would not believe the trouble I have had suggesting SSH/SCP - even from people who develop on Unix and use SSH to log in all day long.

Sure I would, because sftp and scp are bog slow compared to ftp, while the encryption overhead on an ssh terminal session isn't really anything compared to unencrypted telnet. Also, ssh logins offer a lot over telnet (key-based login, port forwarding, etc.).

Re:FTP

[Coeurderoy]

Wich prove the point, anybody working for a company that is tolerant of an IT team that is IE6 dependent for its intranet deserve to have a shitty internet experience at least at work...

Re:FTP

[cinderellamanson]

"The problem lies in the fact that this particular installation OSX likely doesn't have a program installed that can handle writing to ftp:// [ftp] links."

Um, Finder asks if you'd like to login as guest or someone specific, so it looks to me like there is no reason to think you can't write with permission.

Re:FTP

[Zero__Kelvin]

Maybe he's Mr. Denial Of Service. No Invision for you!

Re:FTP

[TheRaven64]

I was going to say something similar, but it seems that he is quite correct. The Finder actually has nothing to do with it, it just passes it to the OS, invoking the mount_ftp program. In the man page for mount_ftp, you'll see this in the BUGS section:

mount_ftp only supports mounting read-only

I've obviously never tried writing to a mounted FTP directory - OS X includes a recent version of the BSD ftp client, and I've always used that instead.

Re:FTP

[TheRaven64]

For simple file drops, why not use HTTP PUT requests? They can be handled by any web server, and the server can handle encryption and client authentication (via passwords or certificates) out of the box for you.

For more complex use, why not use WebDAV? Pretty much any mainstream OS (including Windows, since Windows 98) has support built in. It includes fine-grained access controls, authentication, encryption, and works everywhere. Because it's an extension of HTTP, you can easily export a WebDAV share as simple web page if you want to give people read-only access.

Re:FTP

[ffreeloader]

I'd say your thinking is pretty much bass ackwards.

It's company policy, not IT policy, that keeps most organizations dependent on IE6. This stems from the company not wanting to spend the money to rewrite the apps, not IT insisting that they continue using IE6. What geek/IT guy do you know that insists on using IE6 at home, or anywhere else? Every IT guy I know likes using modern software.

Re:FTP

[nschubach]

The process I explained isn't for distributing apps though... I'm collecting results from each workstation (usually multiple results.) The workstation upload files to an FTP server which I download to process.

Re:FTP

[mcgrew]

They're not getting the shitty experience, I am. they couldn't care less.

Re:FTP

[Coeurderoy]

Nope,
The company does not have an IE6 policy, it has a policy of "buying an intranet" with the support of the IT team.
And then some shiny consulting firm suggest some expensive software to handle the watchalicallits
and develop some addon software that only work with the "core software"...
Meanwhile the IT team, or more preciselly it's PHB is enjoying information gathering trips, power lunches and conference invitations to learn how right s/he was to buy this software...

And then the company policy just make sure that anybody that complain or points out that there are alternatives is silenced.

The CEO couldn't care less if the staff is using IE6 or lynx, he just listen to the IT director then cuts a big check and finaly does not want to hear about this ever again.

And since he typically never uses the companies platform (except for some emails, preferably sent from his blackburry) s/he never sees anything wrong with the infrastructure.

Moreover if you are living in a company that has this policy it does not matter if it is the CEO CFO or CIO that is responsible, the best advice is "run as fast as you can it is not worth it..."

Re:FTP

[ffreeloader]

So, you admit it's a PHB making the decision based on a sales pitch from an outside vendor, but insist it's the fault of the IT team. I find your logic less than persuasive. Since when did a PHB ever listen to the employees under him? Isn't that impossible by the definition of a PHB?

Re:FTP

[StuartHankins]

Works the same way, only the permissions are different (it's a read/write rsync share not a read-only). Unlike FTP, rsync can either pull or push data.

You don't even have to install software on the client, just put the rsync.exe on your \\logonserver\netligon folder and make it world-executable. Configure a server with the rsync server end of it. It's only a couple of minutes to setup the server.

Re:FTP

[MichaelSmith]

Many architectural practices use FTP for exchanging files but I reckon if you just gave them scp and said this is the new way of doing ftp they would be satisfied. It does Transfer Files of course.

Re:FTP

What? I have two systems that can SFTP to each other at 40Mb/sec (5MB/sec) and they are connected to each other by a 2 foot gigE cable.

Re:FTP

[Coeurderoy]

The PHB is part of the IT team, and the IT team is either:
- accepting stupid decision while knowing it is bad for the company
- being stupid because the only know a couple of "pre packaged clickomatic junk"

in both case they are "guilty as charged" ...

Re:FTP

How about using secure FTP? People are used to secure HTTP and they might not even notice the diference.
      HTTP : HTTPS :: FTP : FTPS

Re:FTP

[ffreeloader]

Really??? Go read Dilbert as he is the one that defined a PHB.

Once you've done that tell me how often you reverse the decisions your boss makes. You know, walk up to him and tell him how he's wrong and how nobody is going to follow his directions. If you tell me you actually do that, and not get fired, I'll know you're a liar.

Re:FTP

[Coeurderoy]

No I leave the company, that is the point...

Actually I use the dilbert test, when I feel that Dilbert is about "me" I leave..

Re:FTP

[BitterOak]

People still use Joomla?

Along with Drupal and Wordpress, Joomla is one of the big three open source CMS solutions out there. As far as I know, it is very current software, and highly regarded.

Re:FTP

That's very strange... machines of quite a few years ago could saturate 100 Mb/s (about 12 MB/s) ethernet with SSH encryption. Modern machines should be able to get into the 300-400 Mb/s range without too much trouble. Where encryption struggles is to get wirespeed on gigabit networks. There is either something wrong with your 2 foot cable, your gigabit NICs, or your disk subsystems.

In the wide area for normal people, encryption has no performance impact. Rather, TCP backoff due to congestion has a big impact. Going parallel with lots of TCP sockets (like bittorrent does) will help a lot, by not backing off as much in the aggregate. A better protocol than FTP also helps, by allowing small files to be pipelined without round-trip synchronization delays. Running rsync or tar over ssh is much faster than plain FTP in the wide area for this reason, when transferring lots of smaller files.

Re:FTP

[Rhaban]

There are two big open source cms: drupal and ezpublish.

worpress is a blog engine, not a cms (even if it has some cms features and is extensible)

joomla is certainly the worst available cms, but is widely used because it is easy to start with even without any knowledge. And this is maybe its only strong point.

security in joomla is a joke, and with joomla and a ftp on a same server I wouldn't worry about the ftp.

Re:FTP

I feel your pain because I've had the exact same problem. It doesn't really matter how hard you try to explain that plain-text passwords over the wire is a really BAD idea. The wierdest part is that WinSCP behaves exactly like any other FTP client - but nooooo, it has to be FTP for some frikkin' reason.

dammit.

Yo, Dawg, I heard you like backdoors

[Even+on+Slashdot+FOE]

So I put a backdoor in your backdoor so you can be compromised while you're being compromised.

Anyone checking these source file changes?

[digitaldc]

Isn't there some type of review process for all changes? Or can you just go in and change things willy-nilly?

Maybe they need some more code oversight, just my opinion.

Re:Anyone checking these source file changes?

[Sockatume]

I've often wondered why there isn't a standard hash check built into browsers. If you store the hash and the file on different servers (cooperatively) then you greatly reduce the risk of this sort of attack. That said I suspect that the benefit is probably a lot smaller than the difficulty in establishing such a system.

Re:Anyone checking these source file changes?

[markkezner]

I guess the question is how exactly did the CVS repository get compromised? I imagine there's only a set number of people with commit access, and no one who works on it would willingly compromise it.

Re:Anyone checking these source file changes?

[fuzzyfuzzyfungus]

I suspect that the real problem would be chicken-and-egg adoption issues. Anybody with competence in the right area could probably bang out a functioning prototype firefox plugin addressing either the cases of SSLed sites also being expected sign their binaries with their existing SSL setup, or the FOSSier case of developers signing with their GPG keys and posting MD5 hashes in approximately an afternoon.

Trouble is, unless broadly and swiftly adopted, people won't see the "this package is not cryptographically verified" message as being problematic in the slightest, if that is the case, the attacker can simply not sign, and nobody will care(the current situation on Windows, which offers cryptographic verification of installers before install is largely this way. Enough outfits, even fairly respectable ones, just don't bother, that the security gains are minimal, despite the mechanism being technically and mathematically sound). If you make the message scarier and/or harder to get around, people will just go with something that doesn't get in their way. Only if lack of signature was considered a shocking fault would anybody really be saved...

Architecturally and mathematically, the solution works just fine; but it fails on the critical adoption mass problem...

Re:Anyone checking these source file changes?

[jones_supa]

Cool idea.

Re:Anyone checking these source file changes?

[hedwards]

And previous to recent changes people didn't see a problem with a lack of that color deal in the URL bar of their browser showing that the cite was being access via SSL either. The way you handle that is education, and things like that which are simple are more likely to be used. The real problem with that is if an attacker manages to screw with the hash function to support an exception for certain files.

Re:Anyone checking these source file changes?

[jellomizer]

Open Source doesn't have a peer review process. Some projects might not not Open Source.

Only enough technically there isn't much difference between closed and open source software. They will still get security issues, bugs, and other problems.

Perhaps it is because GNU and other FOSS are distribution license not a technical guide or operational guidelines. I can produce crap and put it under whatever license I want and it will still be crap.

Now there will be the argument if I make crap and make it Open Source then someone else can see if an make it better. However it was crap then they would make their own or just not bother with your product. As if it was closed source no one would buy it.

Now if it was a good product (and got enough attention) other developers will flock to add stuff to it and make it better if it was open source. If it was closed source your product will sell you will make money and hire more developers to add to it so you can sell more or new versions.

Good or Bad software isn't from the license. It is from design of the system, the quality of the coding, how well it fixes a problem... The issue with the license is more about legal, funding, business model, personal beliefs etc...

Re:Anyone checking these source file changes?

[kestasjk]

That and you need to pay a fair chunk of change to get your app signed. (Though it's hard to see a reasonable way around this)

Re:Anyone checking these source file changes?

[kestasjk]

To be fair ProFTPD may or may not be crap; I remember back in the day it was pretty good. I do know it's a bit silly to use the same software as you use to distribute your own software, for this very reason (it's why the OpenBSD guys use Solaris).

Re:Anyone checking these source file changes?

[Pharmboy]

(it's why the OpenBSD guys use Solaris).

Is that that why Microsoft ran Hotmail on Linux for so many years? ;)

Re:Anyone checking these source file changes?

[arndawg]

Hotmail ran on Solaris and FreeBSD, not linux.

Re:Anyone checking these source file changes?

[Nerdfest]

However it was crap then they would make their own or just not bother with your product.

The test for code quality is not usually boolean. If someone has put work into something, and they have a lot of the basics in, or they've got a lot of the complex logic in place, but have a bad UI, then something is worth building on or improving. Yes, occasionally you run into code where the quality is so low it's not worth using, but most of the time you can use some of the work that was done.

Re:Anyone checking these source file changes?

[fuzzyfuzzyfungus]

As with SSL, you run against the fundamental problem of mechanisms that attempt to both verify and identify...

It costs money to identify people/corporate entities, make sure they are who they say they are, etc. Therefore, nobody is going to issue a cryptographically incontrovertible statement about who you are for free. However, there are lots of people who really just want the crypto, not the ID, which means that(in absence of some sort of strong central control, like a state or Microsoft) you'll see strong downmarket pressures, to the point where my nonexistent cat could probably find some 'trusted' CA who would be happy to issue it a certificate for bankofamerica.ru... Then somebody dreams up "Extended Validation: what certs were always supposed to be; but for real this time, we promise!". And so begins the cycle again...

The only vaguely novel quasi-solution I can see to this problem would be the concept of "stability attestation". There would be a number of servers(similar to DNS) that would operate as follows: I generate a keypair and an object(domain name, email address, etc.) that I wish to stabilize. I send that tuple to one or several "stability attestation servers". The server says "Ok, fuzzyfuzzyfungus, if that is in fact your public key, pass this challenge-response test.". If I do, the server generates a signed manifest stating that the tuple {fuzzyfuzzyfungus/slashdot account, $Public_Key} passed verification at $TIME.

At any future point, anyone can query an SAS, with my tuple and receive either "Verified at $TIME" or "Yeah, not so much, a tuple containing the same object; but a different public key, verified at $TIME. Impersonation suspected."

This would be useful in situations where you want the ability to do crypto with someone, as with SSL or PGP; but knowing somebody's real name/SSN/whatever either won't help you much, or is not something they want.

In my case, for example, knowing my real name wouldn't help you much in determining whether "fuzzyfuzzyfungus" is full of shit or actually a pretty insightful guy. My bio is just pretty bland, and I have no real desire to tie it to slashdot. However, knowing that I'm the same "fuzzyfuzzyfungus" as the one who posted my last N messages allows you to judge me by my record, and would allow you to reset your trust metrics if I suddenly changed.

The same is true of most websites, FOSS authors, small companies, and so forth. Knowing "Who they are in real life" barely matters. Knowing that their server got hacked yesterday and that I SHOULD NOT extend my historical trust metrics on them into the present is highly valuable...

Re:Anyone checking these source file changes?

[Bill,+Shooter+of+Bul]

No, it ran on FreeBSD. And it ran that way when they bought it. Converting it to run on Win NT 4 took some time and many more boxes. They couldn't get it to run on win NT reliably enough until win 2000 was released.

Re:Anyone checking these source file changes?

[SigmundFloyd]

it's why the OpenBSD guys use Solaris

False. As they explained clearly in the FAQ, they used to run Apache on Solaris simply because the hosting company who donated server space and bandwidth was Sun-based. Now they run their web servers on OpenBSD, though, and have been for a while.

Re:Anyone checking these source file changes?

[thePowerOfGrayskull]

They never are on separate servers though, or very rarely - so naturally if someone can upload a compromised source tar, they can also upload the appropriate checksum.

Re:Anyone checking these source file changes?

[daid303]

Login as root, edit the CVS files directly. Not that hard really. With a bit of trickery you can even make it look like a legit commit, or something that has always been there.

Re:Anyone checking these source file changes?

RTFA. It didn't.

Should have used vsftpd

[sparkz]

Oh, the irony

Re:Should have used vsftpd

[carlhaagen]

Well... VSFTPd has had its share of problems, too, y'know. Speaking of... it's actually currently suffering from an exploitable "feature" (as the author insists on calling it) that allows attackers to very rapidly and without restraint mine legit usernames from the host running VSFTPd. I reported this, along with patch, in 2007. Hole not plugged yet - 'coz it's a "feature".

Re:Should have used vsftpd

Link?

Re:Should have used vsftpd

[SigmundFloyd]

Well... VSFTPd has had its share of problems, too, y'know. Speaking of... it's actually currently suffering from an exploitable "feature" (as the author insists on calling it) that allows attackers to very rapidly and without restraint mine legit usernames from the host running VSFTPd.

Not much use to an attacker, without the passwords. By your logic, you could deem it a security risk that on any Unix system the super-user is always called "root".

Re:Should have used vsftpd

[SanityInAnarchy]

Actually, that is a security risk, currently mitigated on modern systems by not giving the root account a password, and only allowing root access through tools like sudo -- so in order to root a system, first you need to figure out which account is mine, only then can you break it.

Re:Should have used vsftpd

[quinto2000]

Pretty real security risk--first thing any good sysadmin does is disable remote access to known account names like "root" and "administrator"--you greatly reduce your attack surface by doing so. Take a look at ssh access logs and see how many denied attempts there were for "root".

Re:Should have used vsftpd

or pureftpd.

Re:Should have used vsftpd

[SigmundFloyd]

Wrong... Answer this: which is more secure?

1) unknown 4-letter username + unknown 12 letter password

2) known 4-letter username + unknown 16 character password

#2 is more secure, since passwords can contain symbols... The strength must be in your password! Keep it long and hard to guess, and the fact that your username is known will be irrelevant.

Note that usernames are echoed during interactive login, while passwords aren't. That should tell you something.

Re:Should have used vsftpd

Can you please post this patch somewhere? We could get it into ports on FreeBSD....

Re:Should have used vsftpd

Well... VSFTPd has had its share of problems, too, y'know. Speaking of... it's actually currently suffering from an exploitable "feature" (as the author insists on calling it) that allows attackers to very rapidly and without restraint mine legit usernames from the host running VSFTPd. I reported this, along with patch, in 2007. Hole not plugged yet - 'coz it's a "feature".

Could you be more specific? The only thing remotely resembling what you're describing that I know of is that vsftpd used to respond differently to a good username/bad password combo than a bad username/password combo, thus revealing which usernames were valid. It did this because this vulnerability is part of the FTP specification--in order to fix this, you needed to violate the spec. vsftpd fixed this issue many years ago because they decided the spec was stupid and not worth following in this instance (i.e. it now requests a password for usernames that don't exist). Not sure about other FTP servers.

I follow vsftpd development very closely and know of no known/unaddressed weaknesses.

Re:Should have used vsftpd

[TheRaven64]

By your logic, you could deem it a security risk that on any Unix system the super-user is always called "root".

The UNIX super user is not always called root, and it's actually quite good practice to change it. It can have any name, it just has to have UID 0. On FreeBSD systems, there are (by default), two login names with UID 0: root and toor. It is fairly common to set the shell for the toor user to the administrator's favourite shell, so that it can be used more conveniently, while the root shell is always something in /bin so it can be used when /usr/local is not mounted.

Most systems disable remote root login by default, and it's quite often disabled for local login too (unless you first log in as another user and then su / sudo).

Re:Should have used vsftpd

[Freultwah]

Yeah, I wonder why an anonymous poster is the only one to mention Pure-FTPd. I use it everywhere I need to serve files to the outside world (print shops and designers exchange a lot of files and FTP is quite common in those industries) and I would recommend it any day. Easy to set up, multiple ways to authenticate (LDAP, PAM, SQL, you name it), chrooting, ability to use TLS for both authentication and file transfer (separately configurable) etc etc. Cool stuff.

Re:Should have used vsftpd

[timbo234]

Mod parent up. Unless the GP can provide the link of the bug report where it's not been acknowledged or fixed I'd say this has been called out.

Re:Should have used vsftpd

[WraithCube]

Wrong... Answer this: which is more secure?

1) unknown 4-letter username + unknown 12 letter password

2) known 4-letter username + unknown 16 character password

Isn't this more a case of:

1) unknown 4-letter username + unknown 16 character password

2) known 4-letter username + unknown 16 character password

There's no reason why you should make the password on an unknown username less secure and no reason to leave a username like root or administrator for the botnets to take cracks at.

Re:Should have used vsftpd

[SigmundFloyd]

It's not about making the password on an unknown username less secure, it's about making the password so secure that the publicity of the username is irrelevant.

True security is implemented with a strong password and a maximum allowed number of attempts per IP (see the 'denyhosts' program).

Re:Should have used vsftpd

Most servers under my control:
- Do not allow remote root logins (Some not even locally)
- Do not allow any remote logins from untrusted addresses (Those are blocked earlier, by the redundant firewalls)
- Block remote addresses after three failed attempts, for a set amount of time per ip+username combination
- Enforce a strong password policy
- Do NOT force password changes solely based on time (I loathe that particular practice)
- Receive security updates promptly as needed

Based on scheduled and recurring analysis and integrity checks, online as well as offline, the above servers have never been broken into or otherwise compromised during their lifetimes. This has worked well for 10 years now.

Re:Should have used vsftpd

[quinto2000]

You're saying it's possible to secure a known username. Who cares? Suppose 90% of attacks are on those known usernames (I don't have actual figures, but that seems plausible, based on my own experience with publicly accessible Linux machines). Just eliminate 90% of the attacks (and the chance of brute force breaking through) by eliminating those known accounts from remote login.

Why wouldn't you do this? You can still secure the rest of your accounts. Hackers, botnets and script kiddies go after the low-hanging fruit. Reduce your attack surface, and you are clearly better off. There's almost no hassle to having to su to root once you log in with a normal user account.

By the way--logging in to a console in public is completely different from remote root access. If someone can see over your shoulder--there are lots of other ways for them to engineer an attack. But we all have to be aware of the greater risk of unknown users on the Internet just scanning IP ranges and trying to login. If you've ever had a public web server, you will see that this happens to every machine. Much more common than someone we know trying to crack into our box.

Quite.

[Spad]

To confirm their integrity, they are advised to verify the MD5 sums and PGP signatures of the downloaded files and compare them to that of the legitimate source tarballs.

Because the people who compromised your server and uploaded a trojaned version of your software would *never* think to upload their own MD5 sums and PGP signatures to match...

Re:Quite.

[bigjocker]

You should always host the MD5 or SHA hashes offsite.

Re:Quite.

[nedlohs]

Because generating PGP signatures without the private key is so trivial.

Re:Quite.

I guess that they already replaced the compromised files, so the current keys are valid.

  Alternatively you can download the source again, configure/change it again, compile it again and install it again, to replace your current version, which might not be affected.

Re:Quite.

[profplump]

Yes. Offsite at a necessarily public URL on a system that, for administrative ease, is configured identically. That will definately be worth the effort.

And if it's not identically configured you're looking at a lot of extra expense to provide platform diversity for a file that A) most users (particularly those interested in downloading an FTP server) will never use and B) still doesn't provide any reliable guarantee that the hash wasn't regenerated as part of the attack.

Cryptographic signatures from keys not available on the distribution server would be useful. Hashes are better than nothing, but they're much better at protecting against random download errors than a knowledgable attacker.

Re:Quite.

[T.E.D.]

If you already have a working FTP server and are just looking to take the latest update, wouldn't it be more sensible to just do a source diff before you compile? Not only would that show you the trojan almost instantly, but it would also show you if there are any other changes to important bits of functionality that might cause you trouble. The latter seems far more likely.

Dumb comment.

And how, exactly, would the attackers sign the distribution files with the same private key the project uses?

Re:Dumb comment.

How do you know what their public key is?

Re:Dumb comment.

And how, exactly, do you verify the key used to sign the distribution files?

Re:Dumb comment.

And how, exactly, did you get so fucking stupid, you fucking stupid asshole?

Re:Dumb comment.

And how, exactly, would the attackers sign the distribution files with the same private key the project uses?

Assuming it wasn't stored on the same server that they rooted.

Re:Dumb comment.

[piranha(jpl)]

You downloaded the software at their last two releases, and have kept that same public key in your keyring each time. Or your friends or colleagues can vouch for having trusted a particular public key in the past. Either way, you keep notes documenting the fingerprint of the identity which signs every release.

Re:Dumb comment.

[SheeEttin]

Steal it, because it's hosted on the same server?
Okay, it probably isn't, in this case, but the weakest link is always the one made of meat.
(I mean seriously, have you ever tried making a chain of meat? I got bacon to hold a few pounds once, but then I gave in and ate it. :()

Re:Dumb comment.

Would you really notice if it was a valid signature with a different key? If you sign public keys you might, but how many people do that?

Recursion fail?

[IDK]

If they use ProFTPD for hosting the code too, why wouldn't the Hackers just use that same exploit on that? Why do they need to insert another way in?

Re:Recursion fail?

[bigpresh]

If they use ProFTPD for hosting the code too, why wouldn't the Hackers just use that same exploit on that? Why do they need to insert another way in?

I suspect whatever vulnerability was used allowed the attackers to upload files, but didn't give them actual control over the machine; their backdoored version, as stated in the article, allowed attackers to gain root on the box.

Re:Recursion fail?

[deek]

The vulnerability could have been this bug:

http://bugs.proftpd.org/show_bug.cgi?id=3521

This bug would have allowed them full access to the machine, assuming the daemon ran as root. I certainly had a few Plesk machines that were compromised by this bug. It's a pain clearing out rootkits from the system, I can tell you.

The bug was patched a month ago, so their server could have been exploited for that long, with crackers setting up backdoors into the system to regain root access. Just a hypothesis.

Only ProFTPd?

[ThePhilips]

Is this news?

Over the years not once I was going through bunch of ftpd picking one to install on my Linux box, all of them, ProFTPd included, had a ... front door wide open: anonyms had pretty much unlimited read access to everything.

And obviously all of the ftpds were refusing auth users by default. On the few occasions I need the FTP for my LAN server (mostly for Windows clients) it was such a royal pain to setup properly ... while welcoming all anonyms from everywhere to copy all the stuff all they want.

Re:Only ProFTPd?

[drinkypoo]

Over the years not once I was going through bunch of ftpd picking one to install on my Linux box, all of them, ProFTPd included, had a ... front door wide open: anonyms had pretty much unlimited read access to everything.

Everything inside the chroot'd home, sure. If you were giving anonyms read access to the root, you were doing it wrong.

Re:Only ProFTPd?

[ThePhilips]

If you were giving anonyms read access to the root [...]

I wasn't - that was default setup of pretty much all fptds I have seen in RH and Debian.

Re:Only ProFTPd?

[Hatta]

If you have files that you don't want the world to see, why are they world readable? Properly set your UNIX permissions and the settings of the FTP server don't matter.

Re:Only ProFTPd?

[drinkypoo]

You have to take responsibility for the actions of your contractors. Some of us like to vet config files and don't trust anyone who is not us.

Re:Only ProFTPd?

ProFTPd, while great when it came out in the early 2000s and had many features, was always plagued with security issues, and many places I worked at stopped used it even though it was relatively easy to setup and was feature rich.

vsftpd was at one point the most secure ftpd I could find. Not sure how good it is anymore.

If you need a simple Windows FTPd on a small LAN for quick file transfers check out ftpdmin which is really minimal (free and source available!). I use it all the time for quick ISO transfers on my personal LAN. Does the job. Much better than HTTP transfers, that's for sure.

Re:Only ProFTPd?

[kestasjk]

And those of you are a waste of your company's time.

Re:Only ProFTPd?

[surgen]

I wasn't - that was default setup of pretty much all fptds I have seen in RH and Debian.

Default configuration found inadequate. Film at 11.

Re:Only ProFTPd?

Sounds like someone's a contractor.

Re:Only ProFTPd?

[19thNervousBreakdown]

vsftpd has always been excellent for me--you can limit the anonymous user in a number of ways, and by default it's extremely locked down (may not even be enabled at all, can't remember, but if it's disabled, even when you enable it it's still very locked down).

Re:Only ProFTPd?

[Alioth]

FTP ought to be deprecated already (and years ago). sftp/scp has been much better for authenticated users, and has existed for a while now, and has things like chrooted sftp/scp only implementations if you need to keep users separated. It has clients available on pretty much all operating systems. HTTP is better for anonymous users. FTP with the requirement for two connections to be opened (one on a random port) adds complexity to firewalls.

Re:Only ProFTPd?

[SigmundFloyd]

+1 on vsftpd: its config file is so well commented that it's almost a tutorial on FTP administration. Top notch work, both on the server itself and the documentation.

Re:Only ProFTPd?

Because getting hacked due to your complete stupidity is definitely a wise time investment. Retard.

Re:Only ProFTPd?

[KiloByte]

And how exactly are you supposed to authenticate users on FTP? The protocol, barring incompatible extensions, doesn't allow for anything but plain text. It should be never used except for tightly controlled environments and if you have it tightly controlled, why won't you use something sane and secure?

With non-anonymous FTP being a bad idea, having anonymous access as the default makes sense.

Re:Only ProFTPd?

[drinkypoo]

On the contrary, no company for which I have been the admin has ever had important resources taken over (there's always windows infections to deal with... I got a trivial PC owned here at home through two firewalls and was only browsing with firefox with noscript at the time.) There was that one time Media X was used as an FTP drop, but that's because the dipshit managing business hired his idiot friend to work there, and that guy decided he was smarter than I was and would do my job for me. He set up an FTP server for some account on an NT machine and you know the rest. The asshole who helped the money man run that company into the ground naturally traipsed off into another good job, because that's how it works.

You must do your due diligence or you will be taken over. If you don't understand this, you are probably already own3d.

Re:Only ProFTPd?

And how exactly are you supposed to authenticate users on FTP? The protocol, barring incompatible extensions, doesn't allow for anything but plain text.

You can do it the same way HTTP does: use an SSL/TLS tunnel.
    HTTP : HTTPS :: FTP : FTPS

There's a backdoor in my backdoor.

[eyeball]

R E C U R S I O N

Re:There's a backdoor in my backdoor.

[miffo.swe]

Damn, i was just about to write that. XD

Funny as hell!

Another dumb comment.

The attackers changed the distribution files. These would be past the review process. Commits to the SCM would have been highly visible. Avoid criticizing what you clearly do not understand.

Funny

[Masterofpsi]

Funny, I was just trying to install ProFTP on Debian stable yesterday. Couldn't get it to work at all.

Re:Funny

I don't understand. How is that funny?

not on Debian stable

[orange47]

thankfully that fancy new version will be available from official repository for Debian stable in about 100 years or so..

Re:not on Debian stable

thankfully that fancy new version will be available from official repository for Debian stable in about 100 years or so..

That newfangled FTP protocol is still pretty new to the Debian Stable folks.

Implement better IDS

[bl8n8r]

Anyone with an internet facing anything should be doing (better) intrusion detection. It doesn't need to be expensive and doesn't need to be fancy.  I ran an ftp box for over 10 years and we had some simple, automated processes to detect attacks.  The box took a lot of flack but never got cracked and we could prove it.  You know your security is working when you can *prove* it's working.  "Set-and-forget" isn't a secure option.

1) (md5|sha1)sum everything on the box. (eg: find / -exec md5sum '{}' \; > /tmp/md5.txt )
Save it on your internal lan. Nightly, allow a box from your lan to ssh into the server to re-create the list and compare them. It will be a short list because you've certainly removed all unnecessary software from the box.  This will tell you what files have changed,rooted,trojaned.  For extra security burn the binaries on a cdrom and stick it on the server.  create the list using r/o binaries in case they themselves get hacked. (eg: ssh server '/mnt/cdrom/find / -exec /mnt/cdrom/md5sum ...')

2) scan messages logs hourly from cron
Look for attacks (eg: Invalid login from alicia, .. from alex, .. from albert, etc). Usually, people don't make one connection and crack your server.  It takes some probing and guesswork first and I've seen dictionary attacks last for an entire week before the attacker gives up. This is where you should be catching the attack - at the probe stage.  (eg: fgrep 'session opened for user' /var/log/auth.log)

3) watch your firewall logs
connection attempts for services you do not host on the box are cause for notice. Repeated connections for port 22, on a server you do not host ssh on, should be prime candidates for the bitbucket on the firewall. (eg: iptables -A INPUT -p tcp --dport 22 -m limit --limit 4/min --limit-burst 4 -j LOG --log-prefix "SSH_INGRESS: ")

   

Re:Implement better IDS

[icebraining]

If the attacker knows about the command being run through SSH, I can think of plenty of ways to attack it.
* modify bash to "alias" the command to a simple "cp valid_hashes /tmp/md5.txt"
* umount /mnt/cdrom and put trojaned files in that directory
* use inotify to replace /tmp/md5.txt with a valid copy when the find/md5 process stops writing in it
* mount /tmp as a FUSE fs, ignore writes to /tmp/md5.txt and always return a valid answer to reads

I'm sure there are more, but this was what came up to my head in a few minutes.

2 and 3 are probably better and enough to catch them, though, unless they use social engineering to get the username/password of a valid user.

Re:Implement better IDS

[Vario]

All your ways of attacking the mention IDS scheme from the parent can work, given the right circumstances. Basically what it comes down to is that if the attacker gained access successfully and is in control of the targeted machine it can always send out messages, as if it was not infected. At this point it is too late trying to detect anything. With a challenge-response scheme you might be able to ask for the exact contents of /usr/bin/md5 but you will never be able to tell whether there is also a /usr/bin/md5_modified on the server which is hidden and only used at some point.

Two alternatives might be possible to still have a relatively easy to manage and save IDS: You can boot from a r/o media every night and use this system to do the file integrity check (hard to automate a single boot from cd) or you could send a large number of log statements about logins, running processes, firewall logs to a different machine where any unusual events trigger an notice to check the system by hand.

Compromised code in distros?

[Urban+Garlic]

So how long was this in upstream, and which distros have packaged up the broken one?

Debian's got 1.3.1 in stable, and 1.3.3 in squeeze, so the latter might be built from the compromised one.

Others?

Wait, what was the hole again?

[jonaskoelker]

resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server.

So instead of downloading an FTP server with a security hole, you could download one with... a security hole.

Re:Wait, what was the hole again?

[rg3]

No, with two security holes. :)

Phew!

[Durzel]

On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor.

I'm glad they found the backdoor before someone backdoored my up-to-date ProFTPd 1.3.3c server to install it.

Security is for losers.

Yeah, it's OK to use plain-text password transports on a network that you think is secure, even though there are freely available secure transports that are drop-in replacements, and even though any network that has more than one computer on it is potentially insecure and should always be treated as insecure for data transport purposes.

It's also OK to leave your keys in your car every night if you trust your neighbors, and it's OK to let your daughter dance nude in clubs as long as everyone in the club is a police officer.

Please explain...

Why is it relevant whether you use your own software to distribute itself? Why am I any less vulnerable when I use someone else's potentially buggy software instead of my own (when they're both open source projects, so there's no security through obscurity argument)?

Or do you just mean it's a bad idea to use unstable development software on production servers? Obviously, I'd want to use a stable, QA approved release for the server, and not -r head trunk.

Anyone knows what was the nature of the flaw?

[master_p]

Was it a buffer overflow?

The unfortunate case

Annoyingly. Yes they do still use FTP. Its mostly clueless users who continue to use antiquated software and yell loudly when you turn FTP off. I'm a sysadmin at a hosting company and we've been trying to turn off FTP officially for 6 years now. Almost every new server that we bring up we leave FTP off for as long as we can, but eventually users start threatening to cancel instead of migrate to newer or different software on their end. For instance, some people use website creation software that doesn't support SSH, like old versions of Dreamweaver.

I was really mad when WinSCP added FTP support because that just adds fuel to the fire. Plus there are people out there who want to do things like have sub accounts, which SSH has no way of doing AFAIK.

Need more information

Looks like the code was from ACIDBITCHEZ.. which is a pretty well known group.
Interesting that it had a hard coded IP from Saudi Arabia in it. http://www.exploit-db.com/exploits/15662/

What bothers me about this is the assumption that proftpd has a remote root bug. I would guess that
a local account was compromised and then a local root exploit was used to gain control before saying
proftpd was buggy.

Why? Because ACIDBITCHEZ would never show their hand like this if they had something juicy bug wise
that could own the newest release of proftpd as well as go back in time on older releases. This was something
they did for kicks with the access they had.

Give me anything, just make it quick!

[Zero__Kelvin]

There is nothing I want to download quickly more than a hacked file that isn't the one I was expecting!

You got that Bass Ackwards son

[Zero__Kelvin]

"It's OK to let your daughter dance nude in clubs as long as nobody in the club is a police officer."

She's not going to get raped in the club, but her safety after they cuff her and take her away isn't guaranteed by any means. It could be a bad apple on the force. It could be here new "girlfriend." No matter how you slice it, being in the custody of the police is not even remotely safe (excuse the pun.)

Can anyone tell me who uses FTP anymore?

[rsborg]

I suppose for public sites serving very large files, it may make some sense, but for even internal use, we never use FTP, as HTTP transport can easily be secured via SSL, and it's easier to secure the single httpd server and port rather than having two services running.

Is the bandwidth savings really worth the extra security risk?

Wait, what?

[Arancaytar]

They used a security flaw that already existed in the FTP daemon to surreptitiously introduce a backdoor into the FTP daemon's source, evidently hoping it would be propagated? Why not just use the security flaw to attack whatever site they wanted to hit directly?

Software distributors are single points of failur

[niftyzero]

The current software distribution model has several failure modes. A different model is needed with multiple package signers. I wrote an article about it. Here are some of the possible compromises, from most serious to least serious:

• Build host - the machines that compile the source into binary packages are compromised. In this scenario, code can be injected by the malicious party into the package just before it is signed and prepared for distribution. All clients that install the updated packages are affected. A software audit cannot identify the altered packages because the alteration happens after binaries are generated.
• Distribution host and Signing key - the machines that host the packages for distribution (web servers) are compromised and the package signing key is compromised. The effect of this is the same as a build host compromise.
• Source repository - the machines that host the software source-code are compromised. This allows code to be injected and all clients are affected. However, a software audit can uncover the injected code.
• Insider threats - an insider can insert non-obvious security holes into software they are responsible for.
• Signing key - the key used to sign the software distribution is compromised. This would allow the malicious party to compromise only specific targeted clients through a "man-in-the-middle" attack and DNS poisoning