Jul 4, 2011 09:33 GMT

Unidentified attackers managed to backdoor the official vsftpd source package, prompting the project's maintainer to issue an alert and switch hosting providers.

vsftpd (Very Secure FTP Daemon) is a popular FTP server used by a number of important open source projects. It is developed and maintained by the well-known vulnerability researcher Chris Evans.

"Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor," Evans announced on his blog on Sunday.

According to the security engineer, the backdoor was triggered by a ":)" (smiley face) in the FTP username sent at login, after which the modified daemon spawned a shell. Evans described it as a TCP callback shell; the injected helper actually binds /bin/sh to a listening socket on TCP port 6200 and waits for a connection rather than calling out.
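One check a packager or administrator could have run on an unpacked tarball, added here as an example and not code from the article or from the vsftpd project: it greps a source tree for the two markers the injected code is known to carry, the 0x3a/0x29 (':' and ')') byte comparison in str.c and the shell-spawning helper vsf_sysutil_extra() in sysdeputil.c. The sample trees it builds are constructed for the demonstration (they are not vsftpd sources), and the function names are mine.

```shell
#!/bin/sh
# Added example: scan an unpacked vsftpd source tree for the markers of the
# July 2011 backdoor. Not code from the article or the vsftpd project.
#
# Marker 1: the ':)' trigger was implemented as a byte comparison against
#           0x3a and 0x29 in str.c.
# Marker 2: the helper that bound /bin/sh to TCP port 6200 was named
#           vsf_sysutil_extra and was added to sysdeputil.c.
# Clean vsftpd releases contain neither string.

# scan_vsftpd_tree DIR -> exit status 0 if clean, 1 if any marker is found
scan_vsftpd_tree() {
    tree="$1"
    hits=0
    if grep -rqE '0x3a.*0x29' "$tree"; then
        echo "suspicious: 0x3a/0x29 (':)') byte comparison in $tree" >&2
        hits=1
    fi
    if grep -rqF 'vsf_sysutil_extra' "$tree"; then
        echo "suspicious: vsf_sysutil_extra() present in $tree" >&2
        hits=1
    fi
    return "$hits"
}

# make_sample_tree DIR clean|tainted -> constructed stand-in sources for the
# demo. The tainted variant mimics the shape of the injected code as inert
# text; it is not the real vsftpd source.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/str.c" <<'EOF'
/* constructed stand-in for a clean str.c */
int str_sample(const char *p, unsigned int len)
{
  unsigned int i;
  for (i = 0; i < len; ++i)
    if (p[i] == '\n')
      return 1;
  return 0;
}
EOF
    if [ "$2" = "tainted" ]; then
        cat >> "$dir/str.c" <<'EOF'
/* constructed: same shape as the injected trigger check */
if ((p[i] == 0x3a) && (p[i + 1] == 0x29))
{
  vsf_sysutil_extra();
}
EOF
        printf 'int vsf_sysutil_extra(void) { /* stand-in: listener on 6200 */ return 0; }\n' \
            > "$dir/sysdeputil.c"
    fi
}

# Demo on constructed trees
work=$(mktemp -d)
make_sample_tree "$work/clean" clean
make_sample_tree "$work/tainted" tainted
scan_vsftpd_tree "$work/clean"   && echo "clean tree: no markers"
scan_vsftpd_tree "$work/tainted" || echo "tainted tree: backdoor markers found"
rm -rf "$work"
```

Usage against a real download would be `tar xzf vsftpd-2.3.4.tar.gz && scan_vsftpd_tree vsftpd-2.3.4`. A signature check (below) is the primary control; a marker scan like this only catches this particular payload and is useful for sweeping build hosts that may already have unpacked it.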

The attacker included no mechanism for learning which hosts had installed the backdoored build, which suggests they were not after mass compromise.

More likely they were waiting for a specific party to deploy the tainted release, or, as Evans put it, they were just having some lulz.

Since most users get vsftpd as a package from their Linux distribution rather than from the upstream tarball, and packagers check upstream tarballs against their signatures or previously recorded checksums, it is highly probable that the backdoor would have been caught before reaching users.

Some of the high-profile FTP servers based on vsftpd include ftp.redhat.com, ftp.suse.com, ftp.debian.org, ftp.freebsd.org, ftp.gnu.org, ftp.gnome.org, ftp.kde.org, ftp.kernel.org, ftp.gimp.org, and ftp.isc.org.

The backdoored tarball did not match the GPG signature published on the official website for vsftpd-2.3.4 (the attacker could replace the archive but not produce a valid signature without Evans's private key), which underlines the importance of verifying download signatures rather than trusting whatever the mirror serves.
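As an added example (not from the article or the vsftpd project), here is the check a downloader should have run before unpacking: a shell function that compares the tarball's SHA-256 against a value obtained out of band and, when a detached .asc signature and gpg are available, verifies the signature and pins the expected signing-key fingerprint. The demo file and hash are constructed (the SHA-256 of the six bytes "hello\n"); the function names and the fingerprint argument are mine.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball before unpacking it.
# Not code from the article or the vsftpd project.
#
# 1. Compare its SHA-256 with a value obtained out of band (passed in here).
# 2. If a detached signature (.asc) is given and gpg is installed, verify it
#    AND pin the signing key's fingerprint: "Good signature" on its own only
#    proves that *some* key in your keyring signed the file.
# Exit status 0 only when every applicable check passes.

# sha256_of FILE -> hex digest on stdout (coreutils or BSD tool)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_SHA256 [SIG_FILE EXPECTED_FINGERPRINT]
verify_download() {
    file="$1"; expected_sha="$2"; sig="$3"; expected_fpr="$4"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected_sha" ]; then
        echo "FAIL: sha256 mismatch for $file" >&2
        echo "  expected $expected_sha" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    if [ -n "$sig" ]; then
        if ! command -v gpg >/dev/null 2>&1; then
            echo "FAIL: signature supplied but gpg is not installed" >&2
            return 1
        fi
        # --status-fd 1 emits machine-readable lines; a VALIDSIG line carries
        # the fingerprint of the key that produced a good signature in its
        # third field (the primary key's fingerprint is the last field).
        status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
            echo "FAIL: bad or missing signature on $file" >&2
            return 1
        }
        fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
        if [ "$fpr" != "$expected_fpr" ]; then
            echo "FAIL: signed by '$fpr', expected '$expected_fpr'" >&2
            return 1
        fi
    fi
    echo "OK: $file"
    return 0
}

# Demo on a constructed file; the pinned value is the SHA-256 of "hello\n".
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_download "$tmp" "$good"                            # prints OK
printf 'x' >> "$tmp"                                      # simulate a swapped tarball
verify_download "$tmp" "$good" || echo "tampered file rejected"
rm -f "$tmp"
```

Real usage looks like `verify_download vsftpd-2.3.4.tar.gz <sha256 from a trusted source> vsftpd-2.3.4.tar.gz.asc <maintainer fingerprint>`. The hash must come from somewhere other than the mirror that served the tarball, and the fingerprint should be one you verified once and recorded, otherwise an attacker who replaces both the archive and its signature with ones made by a fresh key still passes a bare `gpg --verify`.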

To prevent similar compromises in the future, Evans moved the vsftpd site and downloads to a hosting platform he considers more secure: Google's App Engine.

It's worth noting that vsftpd is not the only project that has had to deal with such a compromise. In December 2010, the maintainers of the ProFTPD project discovered that their main distribution server had been compromised and the source tarballs backdoored.