The ProFTPD Project team yesterday reported that these servers were hosting the compromised version of the ProFTPD 1.3.3c source code, which runs on Unix and Unix-like systems. "All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD," the team posted on its site. They also provided a link for users to check the integrity of their ProFTPD code.
According to an analysis of the breach, the likely entry point for the attackers was an unpatched security hole in the FTP server daemon, which gave them access to the server, where the attackers then swapped out the legitimate code with their backdoored version. The breach was discovered and fixed yesterday.
"By placing a backdoor into the source code of ProFTPD, the attacker was probably interested in potentially gaining access to thousands of other FTP servers, as ProFTPD is a very popular software that is installed on millions of servers," says Chaouki Bekrar, CEO and head of research at VUPEN Security. "Any new server installation performed using the backdoored version of ProFTPD can be remotely compromised."
The backdoor malware gave the attackers remote, full root access to any systems that had downloaded the compromised FTP open-source server software.
VUPEN's Bekrar says incidents of backdoors being added to software are rare. "While adding a backdoor to a compromised source is reliable, it is highly visible. A more dangerous attack scenario would be adding a vulnerability to a software by simply changing a word or a letter from its source code, and it would be very difficult for the project maintainers to detect such changes," he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.