Hackers poison well of open-source FTP app Hackers breached the main server hosting ProFTPD and remained undetected for three days, causing anyone who downloaded the popular open-source file transfer application during that time to be infected with a backdoor that grants unauthorized access to their systems. The unknown attackers gained entry to ProFTPD's main …
I take it you don't run any commercial webservers then?
A lot of users expect to be able to update their websites via ftp. If you want to tell them they can't because it's insecure, you're just committing commercial suicide as many will take their business elsewhere.
However I do recommend strong firewall rules (block hosts that attempt multiple connections within a very short space of time) and of course, always keep up to date with patches and security bulletins
The baddies found a hole in the FTP server which allowed them to do unauthorized writes in the FTP directory. They used that to replace legit code offered for download with some code that contains a backdoor giving them full admin access to the systems running it. That's quite a different level of control.
vsftpd: Rah rah. ProFTPD has much more flexibility, for when things aren't simple.
Security: if you don't secure the data, rather than just the means of transmission, you end up in the news in even more embarrassing terms. Secure transmission between endpoints is not the end of security.
What if the source: source wasn't transgressed, just the downloadable tarball.
@Mike007: Correct logic, thank you. It was a process error, self-described as "a huge faux pas".
May all have the humility to realize that the human element is the weakest in all activities. Paranoia wins over pride every time.
>source wasn't transgressed, just the downloadable tarball.
Did you have a chance to look at the corrupt stuff? I tried to get it but couldnt find it.
I ask because from what I read its unclear whether the backdoor was added to the legit code, or replaced it entirely. In any case, for it to give root access to the whole system, it would need to be run as root, surely? Unless it contained some clever privilege escalation trick.
That brings me to my second point: Who in their right mind would download some code over anonymous FTP, then compile and run it as root without checking the code first? And why would anyone need to run a FTP daemon
-as root
-not jailed (or chrooted at the very least)
Surely creating user FTP part of group FTP and running the daemon from there is not too much effort, even for home users? Especially considering that said home users would have to compile the code, which requires basic tech savvy.
Surely anyone else would at least chroot the thing, too? Surely anyone able to chroot would know better than building a full-fledged system inside said chroot?
Not sure what the real threat was for the people who downloaded the corrupt file but it should have been close to none.
I dread the time when I pull my head out of the sand only to find that *NIX users show the same complacency as Windows users showed 15 years ago: "download from the web, run as root, YIIIIIIIIIHA!". Cowboys, cowboys everywhere! Please tell me that time hasn't come yet.
TL/DR: Human error, indeed.
> Did you have a chance to look at the corrupt stuff? I tried to get it but couldnt find it.
Google for 'ACIDBITCHEZ' and someone has 'helpfully' put up a diff.
> I ask because from what I read its unclear whether the backdoor was added to the legit code, or replaced it entirely.
Added 'alongside' the legit code, if you will. A side file, executed during installation. One doesn't want to obviously break the parasite infected package, so not even touching the software is best.
> In any case, for it to give root access to the whole system, it would need to be run as root, surely? Unless it contained some clever privilege escalation trick.
No clever trick at all, but executed at installation time, when one might just run "make install" as root, yes? You have done this sometime, haven't you?
> And why would anyone need to run a FTP daemon
-as root
-not jailed (or chrooted at the very least)
It does run quite nicely either as an 'ftp' user or using chroot at beginning of each user session. The FTP software was not the locus of the problem.
> Especially considering that said home users would have to compile the code, which requires basic tech savvy.
configure
make
sudo make install
> Not sure what the real threat was for the people who downloaded the corrupt file but it should have been close to none.
If your car doesn't start next time you turn the key, consider it 'commentary' on driving hazards ...
> TL/DR: Human error, indeed.
Yes, with histrionics thrown in for free.
"No clever trick at all, but executed at installation time, when one might just run "make install" as root, yes? You have done this sometime, haven't you?"
With code from the the Internet? No I haven't, That would have been incredibly stupid, why would I possibly want to do that? Certainly not to run a FTP demon, in any case.
You have the right to be a cretinous dumbass, but please don't assume we're all as stupid as you are.
"No clever trick at all, but executed at installation time, when one might just run "make install" as root, yes? You have done this sometime, haven't you?"
"With code from the the Internet? No I haven't, That would have been incredibly stupid, why would I possibly want to do that?"
Because that's what open source is?
Uh-oh, I guess you found the fatal flaw in the whole worldwide "open source" thing.
I only download executable binaries and bootable Linux CDs from the Internet, not source code, so I assume I'm safe, yes? :-)
Oh, and newsstand magazine cover-mounted discs. That's a totally secure channel.
"I guess the time has come. *nix people are now windoze-grade lusers."
Historically, this has been prevented by the way that Linux forums tend to treat newbies with such disdain.
This discourages all but the most highly motivated from adopting Linux - or more accurately, it DISCOURAGES them from ASKING QUESTIONS if they encounter problems. :(
Unfortunately, the side-effect of that, is that some newbies *do* continue to use Linux but just avoid asking questions about it because they are tired of being insulted or treated like dog crap or accused of being a troll, on some holier-than-thou Linux forum.
So they CONTINUE to use Linux *but* they REMAIN IGNORANT, thus potentially contributing to security issues because of their ignorance.
Linux old-timers really need to wake up and stop being so snobbish and stop treating newbies like dirt.
Also, certain segments of the Linux fans need to stop being so damn DEFENSIVE and stop doing stupid things like CLOSING THREADS when some newbie *innocently* asks an honest question that deserves an honest answer but only gets snide smart-ass non-helpful replies.
People (and Linux fans) would do well to realize that not every "dumb question" is posed by a troll - some "dumb questions" are posed by actual bona-fide Linux users who would like to learn more about their newly-chosen OS (Linux).
- Linux user since 2007, who learned long ago to steer clear of the damn so-called "help" forums and either figure things out on my own or not at all.
P.S.: Snobs and exclusivists in *any* category suck donkey balls.
????????
I mean, really?
Wow.
"Histrionics" all round, as you say.
The funniest part was "It does run quite nicely either as an 'ftp' user or using chroot at beginning of each user session. The FTP software was not the locus of the problem."
Ooooh yeah. Also, the organic locus is diificult to isolate, as we did not identify the regression parameters just yet. However, we are using neural networks to pinpoint real-time credentials in a floating-paradigm manner, and we will soon remember our own name. Perhaps. Some day.
Also you seem happy to run unverified code as root. You are aware that "sudo make install" is equivalent to the "run install.exe" of yesteryears, aren't you? I. e. it labels you as a... person who runs install.exe stuff without thinking. Funny thing is, although you clearly have no clue appart from basic Google info, it seems you feel entitled to give advice, for some obscure reason.
Impressive.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
