Signature Detail

TROJAN: ProFTPD Backdoor Activation Command

This signature detects the behavior of an attacker attempting to activate the backdoor installed in ProFTPD. A successful attack on a vulnerable server would result in arbitrary code execution as the root user. The software is distributed as source code from ftp.proftpd.org and other secondary distribution servers that mirror its content. For a three-day period from November 28th, 2010 to December 1st, 2010, the source code was modified to include a Trojan backdoor feature.

Extended Description

ProFTPD is prone to an unauthorized-access vulnerability due to a backdoor in certain versions of the application. Exploiting this issue allows remote attackers to execute arbitrary system commands with superuser privileges. The issue affects the ProFTPD 1.3.3c package downloaded between November 28 and December 2, 2010. The MD5 sums of the unaffected ProFTPD 1.3.3c source packages are as follows: 8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2 4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz Files with MD5 sums other than those listed above should be considered affected.

Affected Products

• ProFTPD Project ProFTPD 1.3.3c

References

• BugTraq: 45150
• URL: http://cyberinsecure.com/proftpd-distribution-server-compromised-for-3-days-sources-backdoored-with-root-shell/