Loading ...
Sorry, an error occurred while loading the content.

Re: [OT] Proftpd trojaned source download

Expand Messages
  • Voytek Eymont
    ... Andreas, ... Subject: [ProFTPD-announce] ProFTPD ftp.proftpd.org compromise From: TJ Saunders Date: Thu, December 2, 2010 10:43
    Message 1 of 19 , Dec 2, 2010
    • 0 Attachment
      On Thu, December 2, 2010 7:20 am, lst_hoe02@... wrote:

      > They have corrected it, the "infected" source for download is
      > replaced, but no warning at all for the ones who already downloaded and now
      > using the trojaned version...
      >
      > Not very encouraging to use Proftpd.

      Andreas,

      fwiw, I got this email today:

      ---------------------------- Original Message ----------------------------
      Subject: [ProFTPD-announce] ProFTPD ftp.proftpd.org compromise
      From: "TJ Saunders" <tj@...>
      Date: Thu, December 2, 2010 10:43 am
      To: proftp-announce@...
      Cc: proftp-devel@...
      proftp-user@...
      --------------------------------------------------------------------------

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      ProFTPD Compromise Report

      On Sunday, the 28th of November 2010 around 20:00 UTC the main
      distribution server of the ProFTPD project was compromised. The
      attackers most likely used an unpatched security issue in the FTP daemon
      to gain access to the server and used their privileges to replace the
      source files for ProFTPD 1.3.3c with a version which contained a backdoor.
      The unauthorized modification of the source code was noticed by
      Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on
      Wednesday, December 1 and fixed shortly afterwards.

      The fact that the server acted as the main FTP site for the ProFTPD
      project (ftp.proftpd.org) as well as the rsync distribution server
      (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who
      downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28
      to 2010-12-02 will most likely be affected by the problem.

      The backdoor introduced by the attackers allows unauthenticated users
      remote root access to systems which run the maliciously modified version
      of the ProFTPD daemon.

      Users are strongly advised to check systems running the affected code for
      security compromises and compile/run a known good version of the code.
      To verify the integrity of the source files, use the GPG signatures
      available on the FTP servers as well on the ProFTPD homepage at:

      http://www.proftpd.org/md5_pgp.html.
      ---snip-----


      --
      Voytek
    Your message has been successfully submitted and would be delivered to recipients shortly.