vsftpd Smiley Face Backdoor

Critical Nessus Plugin ID 55523


The remote FTP server contains a backdoor, allowing execution of arbitrary code.


The version of vsftpd running on the remote host has been compiled with a backdoor. Attempting to login with a username containing :) (a smiley face) triggers the backdoor, which results in a shell listening on TCP port 6200. The shell stops listening after a client connects to and disconnects from it.

An unauthenticated, remote attacker could exploit this to execute arbitrary code as root.


Validate and recompile a legitimate copy of the source code.

See Also



Plugin Details

Severity: Critical

ID: 55523

File Name: vsftpd_smileyface_backdoor.nasl

Version: $Revision: 1.5 $

Type: remote

Family: FTP

Published: 2011/07/06

Modified: 2014/12/26

Dependencies: 10092, 11153

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/07/03

Vulnerability Publication Date: 2011/07/03

Exploitable With

Metasploit (VSFTPD v2.3.4 Backdoor Command Execution)

Reference Information

BID: 48539

OSVDB: 73573

EDB-ID: 17491