ProFTPD.org Compromised, Backdoor Distributed

Orome1 writes "A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the main distribution server of the software project that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought that the attackers took advantage of an unpatched security flaw in the FTP daemon in order to gain access to the server."
  • Re:FTP (Score:5, Interesting)

    by jimicus ( 737525 ) on Thursday December 02, 2010 @11:55AM (#34417922)

    I have been asked on a number of occasions to set up an FTP server.

    You would not believe the trouble I have had suggesting SSH/SCP - even from people who develop on Unix and use SSH to log in all day long. I've tried providing a web interface, I've tried providing a link to WinSCP, I've tried pre-installing WinSCP on the person's PC before it even goes on their desk.

    In almost every case, it was pretty damn obvious that the person asking for an FTP server had already decided that they were going to have an FTP server, and would not even discuss the idea that there might be alternatives.

  • by Anonymous Coward on Thursday December 02, 2010 @01:22PM (#34419454)

    Well... VSFTPd has had its share of problems, too, y'know. Speaking of... it's actually currently suffering from an exploitable "feature" (as the author insists on calling it) that allows attackers to very rapidly and without restraint mine legit usernames from the host running VSFTPd. I reported this, along with a patch, in 2007. Hole not plugged yet - 'coz it's a "feature".

    Could you be more specific? The only thing remotely resembling what you're describing that I know of is that vsftpd used to respond differently to a good username/bad password combo than a bad username/password combo, thus revealing which usernames were valid. It did this because this vulnerability is part of the FTP specification--in order to fix this, you needed to violate the spec. vsftpd fixed this issue many years ago because they decided the spec was stupid and not worth following in this instance (i.e. it now requests a password for usernames that don't exist). Not sure about other FTP servers.

    I follow vsftpd development very closely and know of no known/unaddressed weaknesses.
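The username oracle the comment above describes, as an added example that is not part of the thread and is not vsftpd's code: a small Python model of the USER/PASS exchange in its leaky and fixed forms, with the probe an attacker (or an auditor checking their own server) would run against it. The account table, passwords, candidate list, reply wording and the "cannot exist" control username are assumptions constructed for the demo; only the reply-code conventions (331, 530, 230) come from RFC 959.

```python
"""Added example, not code from the Slashdot thread or from vsftpd.

Models the USER/PASS exchange of an FTP login to show why answering USER
differently for known and unknown accounts gives an attacker a username
oracle, and how always demanding a password closes it.  Reply codes follow
the RFC 959 conventions (331 = need password, 530 = not logged in, 230 =
logged in); the account table, candidate list and reply wording are
constructed for this demo.
"""


class FtpLogin:
    """Simulates the authentication state of one FTP control session.

    leak_usernames=True models a server that rejects an unknown account as
    soon as USER is sent.  False models the fix: every USER is answered
    with 331 and the verdict is only given after PASS.
    """

    def __init__(self, accounts, leak_usernames):
        self.accounts = accounts          # username -> password (constructed)
        self.leak = leak_usernames
        self.pending_user = None

    def user(self, name):
        if self.leak and name not in self.accounts:
            return "530 Permission denied."
        self.pending_user = name
        return "331 Please specify the password."

    def password(self, secret):
        name, self.pending_user = self.pending_user, None
        # A name that does not exist fails the comparison exactly like a
        # wrong password, so the PASS reply does not leak either.
        if name is not None and self.accounts.get(name) == secret:
            return "230 Login successful."
        return "530 Login incorrect."


def enumerate_users(new_session, candidates, control_name="no-such-user-zz9"):
    """Attacker side.  Sends USER <control_name> (assumed not to exist) in
    one session to get a baseline reply, then USER <candidate> in a fresh
    session per candidate.  Any candidate whose reply differs from the
    baseline is reported as a valid account."""
    baseline = new_session().user(control_name)
    return {name for name in candidates if new_session().user(name) != baseline}


def has_username_oracle(new_session, known_valid, control_name="no-such-user-zz9"):
    """Defender-side check: True if the USER reply distinguishes a known
    valid account from a name that cannot exist."""
    return new_session().user(known_valid) != new_session().user(control_name)


# Constructed data for the demo.
ACCOUNTS = {"alice": "hunter2", "ftp": "anonymous"}
CANDIDATES = ["alice", "bob", "ftp", "root"]


def leaky_session():
    return FtpLogin(ACCOUNTS, leak_usernames=True)


def fixed_session():
    return FtpLogin(ACCOUNTS, leak_usernames=False)


if __name__ == "__main__":
    print("leaky server reveals:", sorted(enumerate_users(leaky_session, CANDIDATES)))
    print("fixed server reveals:", sorted(enumerate_users(fixed_session, CANDIDATES)))
    print("oracle present (leaky):", has_username_oracle(leaky_session, "alice"))
    print("oracle present (fixed):", has_username_oracle(fixed_session, "alice"))
```

Against the leaky variant the probe recovers every candidate that is a real account without ever sending a password, which is why the enumeration is "rapid and without restraint": nothing in the exchange trips a failed-login counter. Against the fixed variant every USER gets the same 331 and the probe learns nothing. One caveat when applying this to a real server: the fix only holds if the PASS step costs the same for a nonexistent account as for a real one; a server that skips the password hash when the user lookup fails reopens the oracle through response timing.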
