Open Source 2010-11-28 · 4 days · Backdoor, Remote Code Execution

ProFTPD site served backdoored source

ProFTPD's main FTP and rsync distribution server was compromised on November 28, 2010, and the 1.3.3c source archives were replaced with backdoored copies until December 2.

Story

Around 20:00 UTC on November 28, 2010, attackers compromised ProFTPD's main distribution server, ftp.proftpd.org, which also acted as the project's rsync source for official mirrors. They replaced ProFTPD 1.3.3c source archives with modified copies, so anyone downloading from the official site or mirrors through December 2 could receive poisoned source through the normal project channel.

Delivery happened twice: first through the source archive, then through the build itself. The modified configure path compiled tests/tests.c and ran it, so a build host could make an outbound connection before any daemon was installed. The runtime daemon carried a separate patch in src/help.c.

The backdoor had two faces. At build time, the modified configure script compiled and ran tests/tests.c, which attempted an HTTP callback to 212.26.42.47 on port 9090. At runtime, a patch in src/help.c gave unauthenticated users root shell execution when they issued HELP ACIDBITCHEZ. The published diff and hashes turned the incident into a compact lesson in source-release trust: a project server, a mirror network, and a small source patch were enough to turn a widely deployed FTP daemon into a root shell.

ProFTPD's response was to tell users to verify checksums and replace any 1.3.3c source obtained during the exposure window. That is the practical cleanup burden in source-distribution attacks: downstream packagers and administrators have to ask not only which version they built, but which copy of that version they built from.
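The two checks that cleanup burden implies, written here as an added example rather than anything ProFTPD published: verifying a downloaded archive against a digest obtained through a channel other than the download server itself, and comparing an unpacked source tree file by file against a known-good copy so that a changed configure or src/help.c stands out before anyone runs the build. All inputs are constructed in a temporary directory; the digests are computed from that fixture and are not the real 1.3.3c hashes.

```python
"""Release-integrity checks of the kind a source-distribution compromise forces on
downstream builders. Added example, not ProFTPD project code.

  verify_digest(): does this archive match the digest I got out of band?
  diff_trees():    which files differ between my copy and a known-good tree?
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_hex):
    """True only if the file's SHA-256 equals the expected digest.

    The expected value must come from somewhere other than the server that
    served the archive; a mismatch means: do not unpack, do not build."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def tree_digests(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_trees(good_root, suspect_root):
    """Report files added, removed or modified in suspect_root relative to
    good_root. A modified configure, src/help.c or tests/tests.c is exactly
    the kind of result that should stop a build."""
    good, suspect = tree_digests(good_root), tree_digests(suspect_root)
    return {
        "added": sorted(set(suspect) - set(good)),
        "removed": sorted(set(good) - set(suspect)),
        "modified": sorted(k for k in good.keys() & suspect.keys() if good[k] != suspect[k]),
    }


def build_demo():
    """Constructed fixture: a known-good tree and a mirror copy in which the
    three files the incident description names have been altered. The file
    contents are placeholders, not ProFTPD sources."""
    base = Path(tempfile.mkdtemp(prefix="release-check-"))
    good, suspect = base / "good", base / "mirror"
    files = {
        "configure": "#!/bin/sh\necho configuring\n",
        "src/help.c": "int help(void) { return 0; }\n",
        "src/main.c": "int main(void) { return 0; }\n",
        "tests/tests.c": "int main(void) { return 0; }\n",
    }
    for root in (good, suspect):
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    # Tamper with the mirror copy: one byte of change per named file is enough.
    for rel in ("configure", "src/help.c", "tests/tests.c"):
        p = suspect / rel
        p.write_text(p.read_text() + "/* changed */\n")
    return good, suspect


if __name__ == "__main__":
    good, suspect = build_demo()
    report = diff_trees(good, suspect)
    for kind, names in report.items():
        print(f"{kind:>9}: {', '.join(names) or '-'}")
    archive = suspect / "configure"
    print("digest ok:", verify_digest(archive, sha256_file(good / "configure")))
```

Run stand-alone, the script prints the three modified paths and reports the tampered file as failing the digest check. In practice the "good" tree is the release tag from version control and the expected digest is the one published outside the distribution server; both checks belong in the packaging pipeline, not in a one-off run after an advisory.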

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/proftpd/meta.yaml