ProFTPD Distribution Server Compromised and Sources Backdoored

Unknown attackers managed to compromise the main distribution server of the ProFTPD Project and rigged the source code with a root shell backdoor.

ProFTPD is a very popular open source FTP daemon (server) capable of running on most UNIX-like systems including Linux, BSD, Mac OS X and Solaris.

The software is distributed as source code from ftp.proftpd.org and other secondary distribution servers that mirror its content.

According to an announcement on the project’s website, the intrusion on ftp.proftpd.org happened sometime on November 28, but it wasn't detected until today.

“All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD,” the project’s administrators write.

In an email to the proftpd-user mailing list, TJ Saunders, the ProFTPD maintainer, notes that attackers most likely exploited an unpatched security flaw in the FTP software to get in.

This is an interesting theory given that the ftp.proftpd.org has since been restored, but no alert of a zero-day critical vulnerability was issued.

Notable public FTP servers that use the ProFTPD software include ftp.apple.com, ftp.openssl.org and ftp.rsa.com.

With the newly gained access, the hackers modified the source code of ProFTPD 1.3.3c to include a backdoor that would allow them to obtain root shells on systems running the compromised version.

According to French vulnerability research company VUPEN Security, the backdoor can be activated by sending a command called "HELP ACIDBITCHEZ" to the FTP server and authentication is not necessary.

“The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards,” Saunders notes.