Open Source · 2011-06-30 · 3 days · Backdoor, Remote Code Execution

vsftpd distribution site served backdoor

The official vsftpd 2.3.4 source archive was replaced with a backdoored tarball around June 30 to July 1, 2011, and removed on July 3.

Story

In early July 2011, Chris Evans warned that the master vsftpd download for vsftpd-2.3.4.tar.gz had been replaced with a backdoored tarball. Rapid7's Metasploit module later placed the introduction window between June 30 and July 1, with removal on July 3. The bad archive had SHA-256 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5, and its detached GPG signature failed against Evans' signing key.

The delivery vehicle was the official source archive itself. The attack did not depend on a vulnerable parser or a malformed FTP command: it changed the daemon being built. The failed detached signature was the clean technical signal that the archive and the release key no longer matched.

The payload was blunt and memorable. The diff showed str.c checking for the byte sequence 0x3a 0x29, the ASCII smiley :), and calling vsf_sysutil_extra(). The added function in sysdeputil.c created a TCP listener on port 6200, accepted a connection, duplicated it onto standard input, output, and error, then executed /bin/sh.

There was no installation beacon, which meant the attacker likely needed download logs, broad scanning, or prior knowledge of targets to find victims. Evans moved the project download to a more trusted host and published the warning with a diff reference so administrators could verify both source integrity and runtime exposure.
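The source-integrity check described above can be scripted. The following is an added example, not code from the vsftpd project or from this record: it hashes an archive, compares the digest with the SHA-256 listed on this page, and looks in str.c and sysdeputil.c for the vsf_sysutil_extra name the diff introduced. The function names audit_archive and build_sample and the sample archives are assumptions made for the illustration, and a negative result does not replace verifying the detached GPG signature.

```python
import hashlib
import io
import tarfile

# SHA-256 of the backdoored vsftpd-2.3.4.tar.gz, as listed on this page.
BAD_SHA256 = "2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5"
# Function name the page reports was added by the backdoor.
MARKER = b"vsf_sysutil_extra"
# Source files the page reports were changed.
SUSPECT_FILES = ("str.c", "sysdeputil.c")


def audit_archive(data: bytes) -> dict:
    """Hash the archive and list suspect files that reference MARKER."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and base in SUSPECT_FILES:
                # Read in memory only; nothing is extracted to disk.
                if MARKER in tar.extractfile(member).read():
                    hits.append(member.name)
    return {"sha256": digest,
            "known_bad_hash": digest == BAD_SHA256,
            "marker_files": sorted(hits)}


def build_sample(files: dict) -> bytes:
    """Hypothetical helper: build a constructed .tar.gz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples, not the real vsftpd sources.
CLEAN = build_sample({"vsftpd-2.3.4/str.c": b"/* constructed clean file */\n"})
TAINTED = build_sample({
    "vsftpd-2.3.4/str.c": b"/* constructed */ vsf_sysutil_extra();\n",
    "vsftpd-2.3.4/sysdeputil.c": b"/* constructed */ int vsf_sysutil_extra(void);\n",
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tainted", TAINTED)):
        print(label, audit_archive(blob))
```

To audit a real download, pass the bytes of the file to audit_archive; a marker hit with a different hash still warrants treating the archive as untrusted.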

Affected Artifacts

vsftpd

· security.appspot.com · Source Archive
Observed
2011-06-30 to 2011-07-03
Compromised Versions
Fixed
Not listed
Hashes
  • md5:a2bfd376c14ec3a83553c0c1aac0d1ff
  • sha1:26043b532863a0b354d0b7937ad7fed75c1b0a32
  • sha256:2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5

Incident Context

Motive
Unauthorized Access Control
Attribution
Person
Cause
Compromised Infrastructure
Transitive
No
Actor
Individual Hacker

External References

Source record: oss/attacks/vsftpd/meta.yaml