ProFTPD Compromised Source Packages Trojaned Distribution

Severity: Critical | Nessus Plugin ID 50989


Synopsis

The FTP server contains a backdoor allowing execution of arbitrary code.


Description

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

The version of ProFTPD installed on the remote host has been compiled with a backdoor in 'src/help.c', apparently related to a compromise of the main distribution server for the ProFTPD project on the 28th of November 2010 at around 20:00 UTC that was not addressed until the 2nd of December 2010.

By sending a special HELP command, an unauthenticated, remote attacker can gain a shell and execute arbitrary commands with system privileges.

Note that the compromised distribution file also contained code that ran as part of the initial configuration step and sent a special HTTP request to a server in Saudi Arabia. If this install was built from source, you should assume that the author of the backdoor is already aware of it.


Solution

Reinstall the host from known, good sources.

Plugin Details

Severity: Critical

ID: 50989

File Name: proftpd_1_3_3c_backdoor.nasl

Version: 1.16

Type: remote

Family: FTP

Published: 12/6/2010

Updated: 3/27/2020

Dependencies: ftpserver_detect_type_nd_version.nasl

Risk Information

Risk Factor: Critical

CVSS Score Source: manual

CVSS Score Rationale: Score from a more in-depth analysis done by Tenable

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/2/2010

Vulnerability Publication Date: 12/2/2010

Exploitable With

Metasploit (ProFTPD-1.3.3c Backdoor Command Execution)

Reference Information

BID: 45150

EDB-ID: 15662