Slashdot Mirror

← Back to Stories (view on slashdot.org)

ProFTPD.org Compromised, Backdoor Distributed

Posted by CmdrTaco on from the scary-world-we-live-in dept.

Orome1 writes "A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the main distribution server of the software project that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server."

6 of 152 comments (clear)

  1. Should have used vsftpd by sparkz · · Score: 4, Funny

    Oh, the irony

    --
    Author, Shell Scripting : Expert Re
  2. Quite. by Spad · · Score: 4, Insightful

    To confirm their integrity, they are advised to verify the MD5 sums and PGP signatures of the downloaded files and compare them to that of the legitimate source tarballs.

    Because the people who compromised your server and uploaded a trojaned version of your software would *never* think to upload their own MD5 sums and PGP signatures to match...

  3. Re:FTP by Rhaban · · Score: 4, Funny

    People still use Joomla?

  4. Dumb comment. by Anonymous Coward · · Score: 5, Informative

    And how, exactly, would the attackers sign the distribution files with the same private key the project uses?

  5. Wait, what was the hole again? by jonaskoelker · · Score: 4, Funny

    resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server.

    So instead of downloading an FTP server with a security hole, you could download one with... a security hole.

  6. Re:FTP by jimicus · · Score: 4, Interesting

    I have been asked on a number of occasions to set up an FTP server.

    You would not believe the trouble I have had suggesting SSH/SCP - even from people who develop on Unix and use SSH to log in all day long. I've tried providing a web interface, I've tried providing a link to WinSCP, I've tried pre-installing WinSCP on the person's PC before it even goes on their desk.

    In almost every case, it was pretty damn obvious that the person asking for an FTP server had already decided that they were going to have an FTP server, and would not even discuss the idea that there might be alternatives.