Open-Source Project Server Hacked, Software Rigged With Backdoor Trojan

ProFTPD File Transfer server software compromised by attackers; anyone who downloaded it between Nov. 28 through Dec. 2 most likely at risk

The main FTP server that serves up the open-source ProFTPD FTP software was hacked and booby-trapped with a backdoor Trojan -- meaning anyone who downloaded the code during the past few days from the server or its mirror servers could be running a compromised copy of the software that would allow the attacker full access to his systems.

The ProFTPD Project team yesterday reported that these servers were hosting the compromised version of the ProFTPD 1.3.3c source code, which runs on Unix and Unix-like systems. "All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD," the team posted on its site. They also provided a link for users to check the integrity of their ProFTPD code.

According to an analysis of the breach, the likely entry point for the attackers was an unpatched security hole in the FTP server daemon, which gave them access to the server, where the attackers then swapped out the legitimate code with their backdoored version. The breach was discovered and fixed yesterday.

"By placing a backdoor into the source code of ProFTPD, the attacker was probably interested in potentially gaining access to thousands of other FTP servers, as ProFTPD is a very popular software that is installed on millions of servers," says Chaouki Bekrar, CEO and head of research at VUPEN Security. "Any new server installation performed using the backdoored version of ProFTPD can be remotely compromised."

The backdoor malware gave the attackers remote, full root access to any systems that had downloaded the compromised FTP open-source server software.

VUPEN's Bekrar says incidents of backdoors being added to software are rare. "While adding a backdoor to a compromised source is reliable, it is highly visible. A more dangerous attack scenario would be adding a vulnerability to a software by simply changing a word or a letter from its source code, and it would be very difficult for the project maintainers to detect such changes," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights