ProFTPD Compromised Source Packages Trojaned Distribution
Critical Nessus Plugin ID 50989
Synopsis
The FTP server contains a backdoor allowing execution of arbitrary code.
Description
The remote host is using ProFTPD, a free FTP server for Unix and Linux.
The version of ProFTPD installed on the remote host has been compiled with a backdoor in 'src/help.c', apparently related to a compromise of the main distribution server for the ProFTPD project on the 28th of November 2010 around 20:00 UTC and not addressed until the 2nd of December 2010.
By sending a special HELP command, an unauthenticated, remote attacker can gain a shell and execute arbitrary commands with system privileges.
Note that the compromised distribution file also contained code that ran as part of the initial configuration step and sent a special HTTP request to a server in Saudi Arabia. If this install was built from source, you should assume that the author of the backdoor is already aware of this installation.
Solution
Reinstall the host from known, good sources.