Open Source · 1994-03-28 · 0 days · Backdoor, Remote Code Execution

wu-ftpd tarball shipped backdoor

The source code distribution for the popular wu-ftpd FTP server was modified by an attacker to include a backdoor. This trojaned version was then uploaded to the primary distribution site.

Story

In March 1994, copies of the wuarchive ftpd source distribution were found to have been modified at trusted FTP distribution points. The compromised source affected at least wu-ftpd 2.2, and CERT later warned that version 2.1f and possibly earlier versions may also have been exposed. The practical risk was severe for the era: administrators could compile what looked like normal upstream FTP daemon source and unknowingly install a root-level backdoor.

The delivery was the normal source-fetch and compile path for an FTP daemon. The attacker did not need to exploit a running wu-ftpd instance first. The archive itself was the exploit vehicle, and the installed daemon carried the result.

CERT's advisory told sites running wuarchive ftpd to install version 2.3 or disable the FTP daemon, and it published checksums so administrators could distinguish known-good and trojaned archives. A contemporary comp.unix.admin thread captured how quickly the incident became a reference point for open-source distribution trust: operators discussed the backdoored FTP daemon, compared it with earlier trusting-trust ideas, and treated the official source channel itself as the compromised boundary.

The risk was amplified by where wu-ftpd ran. FTP servers were public-facing infrastructure, often built locally by administrators and run with privileges that made a source-level backdoor immediately valuable. Once the archive was trusted, the attacker did not need a second delivery mechanism.

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/wuftpd/meta.yaml