Signature Detail

TROJAN: ProFTPD Backdoor Phone Home Beacon

This signature detects the behavior of a ProFTPD server running code that has a backdoor installed as the code "Phones Home" to indicate it is vulnerable. A successful attack on a vulnerable server can result in arbitrary code execution as the root user. The source IP address of this attack is the vulnerable host that should be updated immediately. The software is distributed as source code from ftp.proftpd.org and other secondary distribution servers that mirror its content. For a three-day period from November 28th, 2010 to December 1st, 2010, the source code was modified to include a Trojan backdoor feature.

Extended Description

ProFTPD is prone to an unauthorized-access vulnerability due to a backdoor in certain versions of the application. Exploiting this issue allows remote attackers to execute arbitrary system commands with superuser privileges. The issue affects the ProFTPD 1.3.3c package downloaded between November 28 and December 2, 2010. The MD5 sums of the unaffected ProFTPD 1.3.3c source packages are as follows: 8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2 4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz Files with MD5 sums other than those listed above should be considered affected.

Affected Products

• ProFTPD Project ProFTPD 1.3.3c

References

• BugTraq: 45150
• URL: http://cyberinsecure.com/proftpd-distribution-server-compromised-for-3-days-sources-backdoored-with-root-shell/