Vsftpd backdoor discovered in source code - update
Chris Evans, aka Scary Beasts, has confirmed that version 2.3.4 of vsftpd's downloadable source code was compromised and a backdoor added to the code. Evans, the author of vsftpd – which is described on its web site as "probably the most secure and fastest FTP server for Unix-like systems" – was alerted on Sunday to the fact that a bad tarball had been downloaded from the vsftpd master site with an invalid GPG signature. It is not known how long the bad code had been online.
The bad tarball included a backdoor in the code which would respond to a user logging in with a user name ":)" by listening on port 6200 for a connection and launching a shell when someone connects.
Evans has now moved the source code and site to https://security.appspot.com/vsftpd.html, a Google App Engine hosted site. The GPL-licensed source code can be downloaded (direct download) from the same site, along with the GPG signature for validating the download, a step that Evans recommends. Evans says that the lack of obfuscation and lack of victim identification leads him to believe that "perhaps someone was just having some lulz instead of seriously trying to cause trouble".
Update - Analysis of the tarball with the backdoor indicates that the archive was online for between 2 and 3.5 days and was created on Ubuntu 11.04. "Solar Designer", Alexander Peslyak, examined the archive and derived the date and OS using timestamps and content of files in the archive. He also established the last modified time of the FTP parent directory based on a mirror.
- Very Secure FTP Daemon - now even safer, a report from The H.