Forgot your password?
typodupeerror
Open Source Security Software News IT

ProFTPD.org Compromised, Backdoor Distributed 152

Posted by CmdrTaco
from the scary-world-we-live-in dept.
Orome1 writes "A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the main distribution server of the software project that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server."
This discussion has been archived. No new comments can be posted.

ProFTPD.org Compromised, Backdoor Distributed

Comments Filter:
  • Re:FTP (Score:4, Insightful)

    by kyrio (1091003) <slashdot@@@lurkmore...com> on Thursday December 02, 2010 @09:44AM (#34416210) Homepage
    I'm pretty sure the unpatched security flaw was the protocol itself. Plain text passwords FTW.
  • by digitaldc (879047) * on Thursday December 02, 2010 @09:46AM (#34416222)
    Isn't there some type of review process for all changes? Or can you just go in and change things willy-nilly?

    Maybe they need some more code oversight, just my opinion.
  • Quite. (Score:5, Insightful)

    by Spad (470073) <slashdotNO@SPAMspad.co.uk> on Thursday December 02, 2010 @09:49AM (#34416264) Homepage

    To confirm their integrity, they are advised to verify the MD5 sums and PGP signatures of the downloaded files and compare them to that of the legitimate source tarballs.

    Because the people who compromised your server and uploaded a trojaned version of your software would *never* think to upload their own MD5 sums and PGP signatures to match...

  • by fuzzyfuzzyfungus (1223518) on Thursday December 02, 2010 @10:00AM (#34416400) Journal
    I suspect that the real problem would be chicken-and-egg adoption issues. Anybody with competence in the right area could probably bang out a functioning prototype firefox plugin addressing either the cases of SSLed sites also being expected sign their binaries with their existing SSL setup, or the FOSSier case of developers signing with their GPG keys and posting MD5 hashes in approximately an afternoon.

    Trouble is, unless broadly and swiftly adopted, people won't see the "this package is not cryptographically verified" message as being problematic in the slightest, if that is the case, the attacker can simply not sign, and nobody will care(the current situation on Windows, which offers cryptographic verification of installers before install is largely this way. Enough outfits, even fairly respectable ones, just don't bother, that the security gains are minimal, despite the mechanism being technically and mathematically sound). If you make the message scarier and/or harder to get around, people will just go with something that doesn't get in their way. Only if lack of signature was considered a shocking fault would anybody really be saved...

    Architecturally and mathematically, the solution works just fine; but it fails on the critical adoption mass problem...

3500 Calories = 1 Food Pound

Working...