Feeds

back to article Hackers poison well of open-source FTP app

Hackers breached the main server hosting ProFTPD and remained undetected for three days, causing anyone who downloaded the popular open-source file transfer application during that time to be infected with a backdoor that grants unauthorized access to their systems. The unknown attackers gained entry to ProFTPD's main …

COMMENTS

This topic is closed for new posts.
Linux

Alternates

Glad I use vsftpd :)

0
0
FAIL

Security? FTP?

Sorry, but if you use FTP for anything but anonymous downloads, you can't be serious about security in the first place...

0
2
WTF?

So...

I take it you don't run any commercial webservers then?

A lot of users expect to be able to update their websites via ftp. If you want to tell them they can't because it's insecure, you're just committing commercial suicide as many will take their business elsewhere.

However I do recommend strong firewall rules (block hosts that attempt multiple connections within a very short space of time) and of course, always keep up to date with patches and security bulletins

2
0
Anonymous Coward

SFTP

Most modern FTP clients have been supporting SFTP for some time. I've had pretty good results by just telling clients that SFTP is the "next-version" of FTP. Now if only I'd get them to use keys rather than passwords my day would be made.

2
0

ProFTPd supports SFTP

It's one of the few FTP servers to support SFTP for virtual users rather than just Unix accounts, which in normal circumstances would be plenty secure enough (barring backdoored source code of course).

0
0
Grenade

what if?

what if their site wasn't hacked and someone dropped and the back door into their their source code and no one spotted until after it was distributed? we were haxord is a pretty default/easy excuse these days.

2
0

hmm

i'd guess they were running an older version on their own servers (after having patched a security flaw?) - if they had found a vulnerability in the latest version, why would they need to replace the download with a version with an extra back door added?

1
0
Silver badge

hmm... or not

The baddies found a hole in the FTP server which allowed them to do unauthorized writes in the FTP directory. They used that to replace legit code offered for download with some code that contains a backdoor giving them full admin access to the systems running it. That's quite a different level of control.

1
0

ahh

that makes sense... i guess that would be classed as a very indirect form of privilege escalation attack, just escalating privileges on a different server to the compromised one

0
0
Alert

Sigh

vsftpd: Rah rah. ProFTPD has much more flexibility, for when things aren't simple.

Security: if you don't secure the data, rather than just the means of transmission, you end up in the news in even more embarrassing terms. Secure transmission between endpoints is not the end of security.

What if the source: source wasn't transgressed, just the downloadable tarball.

@Mike007: Correct logic, thank you. It was a process error, self-described as "a huge faux pas".

May all have the humility to realize that the human element is the weakest in all activities. Paranoia wins over pride every time.

1
1
Silver badge

Re: Sight

>source wasn't transgressed, just the downloadable tarball.

Did you have a chance to look at the corrupt stuff? I tried to get it but couldnt find it.

I ask because from what I read its unclear whether the backdoor was added to the legit code, or replaced it entirely. In any case, for it to give root access to the whole system, it would need to be run as root, surely? Unless it contained some clever privilege escalation trick.

That brings me to my second point: Who in their right mind would download some code over anonymous FTP, then compile and run it as root without checking the code first? And why would anyone need to run a FTP daemon

-as root

-not jailed (or chrooted at the very least)

Surely creating user FTP part of group FTP and running the daemon from there is not too much effort, even for home users? Especially considering that said home users would have to compile the code, which requires basic tech savvy.

Surely anyone else would at least chroot the thing, too? Surely anyone able to chroot would know better than building a full-fledged system inside said chroot?

Not sure what the real threat was for the people who downloaded the corrupt file but it should have been close to none.

I dread the time when I pull my head out of the sand only to find that *NIX users show the same complacency as Windows users showed 15 years ago: "download from the web, run as root, YIIIIIIIIIHA!". Cowboys, cowboys everywhere! Please tell me that time hasn't come yet.

TL/DR: Human error, indeed.

0
0

Deep breath, deep breath... now that we're calmer

> Did you have a chance to look at the corrupt stuff? I tried to get it but couldnt find it.

Google for 'ACIDBITCHEZ' and someone has 'helpfully' put up a diff.

> I ask because from what I read its unclear whether the backdoor was added to the legit code, or replaced it entirely.

Added 'alongside' the legit code, if you will. A side file, executed during installation. One doesn't want to obviously break the parasite infected package, so not even touching the software is best.

> In any case, for it to give root access to the whole system, it would need to be run as root, surely? Unless it contained some clever privilege escalation trick.

No clever trick at all, but executed at installation time, when one might just run "make install" as root, yes? You have done this sometime, haven't you?

> And why would anyone need to run a FTP daemon

-as root

-not jailed (or chrooted at the very least)

It does run quite nicely either as an 'ftp' user or using chroot at beginning of each user session. The FTP software was not the locus of the problem.

> Especially considering that said home users would have to compile the code, which requires basic tech savvy.

configure

make

sudo make install

> Not sure what the real threat was for the people who downloaded the corrupt file but it should have been close to none.

If your car doesn't start next time you turn the key, consider it 'commentary' on driving hazards ...

> TL/DR: Human error, indeed.

Yes, with histrionics thrown in for free.

2
2
Anonymous Coward

Ho Ho Ho

"No clever trick at all, but executed at installation time, when one might just run "make install" as root, yes? You have done this sometime, haven't you?"

With code from the the Internet? No I haven't, That would have been incredibly stupid, why would I possibly want to do that? Certainly not to run a FTP demon, in any case.

You have the right to be a cretinous dumbass, but please don't assume we're all as stupid as you are.

0
4
Silver badge

1????????

????????

I mean, really?

Wow.

"Histrionics" all round, as you say.

The funniest part was "It does run quite nicely either as an 'ftp' user or using chroot at beginning of each user session. The FTP software was not the locus of the problem."

Ooooh yeah. Also, the organic locus is diificult to isolate, as we did not identify the regression parameters just yet. However, we are using neural networks to pinpoint real-time credentials in a floating-paradigm manner, and we will soon remember our own name. Perhaps. Some day.

Also you seem happy to run unverified code as root. You are aware that "sudo make install" is equivalent to the "run install.exe" of yesteryears, aren't you? I. e. it labels you as a... person who runs install.exe stuff without thinking. Funny thing is, although you clearly have no clue appart from basic Google info, it seems you feel entitled to give advice, for some obscure reason.

Impressive.

0
2
Bronze badge

Incredibly stupid

"No clever trick at all, but executed at installation time, when one might just run "make install" as root, yes? You have done this sometime, haven't you?"

"With code from the the Internet? No I haven't, That would have been incredibly stupid, why would I possibly want to do that?"

Because that's what open source is?

Uh-oh, I guess you found the fatal flaw in the whole worldwide "open source" thing.

I only download executable binaries and bootable Linux CDs from the Internet, not source code, so I assume I'm safe, yes? :-)

Oh, and newsstand magazine cover-mounted discs. That's a totally secure channel.

3
1
Megaphone

@Notas Badoff

You've just been pwned, I'm afraid, and rightly so.

1
0
Silver badge

I _did_ find the fatal flaw

Sudo

And lack of oversight.

That is all.

Why would you sudo some unverified code? Most source code will run just fine without root privilege.

I guess the time has come. *nix people are now windoze-grade lusers.

Sight...

0
0
Anonymous Coward

Take that!

>It does run quite nicely either as an 'ftp' user or using chroot at beginning of each user session.

So it's completely safe. We are professionnals, we know what we are doing. What is this "computer" thing you are talking about, again?

0
0
Alert

Linux exclusiveness discourages newbies, but ENCOURAGES lusers

"I guess the time has come. *nix people are now windoze-grade lusers."

Historically, this has been prevented by the way that Linux forums tend to treat newbies with such disdain.

This discourages all but the most highly motivated from adopting Linux - or more accurately, it DISCOURAGES them from ASKING QUESTIONS if they encounter problems. :(

Unfortunately, the side-effect of that, is that some newbies *do* continue to use Linux but just avoid asking questions about it because they are tired of being insulted or treated like dog crap or accused of being a troll, on some holier-than-thou Linux forum.

So they CONTINUE to use Linux *but* they REMAIN IGNORANT, thus potentially contributing to security issues because of their ignorance.

Linux old-timers really need to wake up and stop being so snobbish and stop treating newbies like dirt.

Also, certain segments of the Linux fans need to stop being so damn DEFENSIVE and stop doing stupid things like CLOSING THREADS when some newbie *innocently* asks an honest question that deserves an honest answer but only gets snide smart-ass non-helpful replies.

People (and Linux fans) would do well to realize that not every "dumb question" is posed by a troll - some "dumb questions" are posed by actual bona-fide Linux users who would like to learn more about their newly-chosen OS (Linux).

- Linux user since 2007, who learned long ago to steer clear of the damn so-called "help" forums and either figure things out on my own or not at all.

P.S.: Snobs and exclusivists in *any* category suck donkey balls.

0
0
This topic is closed for new posts.