
ProFTPD.org main FTP servers compromised using a 0day in..ProFTPD - mfukar
http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org
======
forgotAgain
_attackers most likely used an unpatched security issue in the FTP daemon_

If they don't know exactly how the server was compromised, I don't understand
how they can know that the vulnerability is limited to software downloaded
within a certain timeframe. The added backdoor, yes, but the vulnerability that
allowed the attack to succeed is still unaccounted for.

Or am I missing something?

~~~
moe
_how they can know the vulnerability is limited to software downloaded within
a certain timeframe._

It isn't. The bug has been in ProFTPd for years; here are the details:

<http://bugs.proftpd.org/show_bug.cgi?id=3521>

If anyone is running a ProFTPd version older than 1.3.3c then you should act
_now_. Your host is open to remote code execution.
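
As an added example (not part of the thread or of the ProFTPD project), the check that comment implies: parse a ProFTPD version out of a banner or `proftpd -v` line and compare it against the fixed release 1.3.3c, honouring ProFTPD's scheme in which `rcN` sorts before the final release and letter patches (`a`, `b`, `c`) sort after it. The banners below are constructed sample data, not captured from any host.

```python
import re

# Minimum fixed release named in the thread (bug 3521 was fixed in 1.3.3c).
FIXED_VERSION = "1.3.3c"

# major.minor.patch, optionally followed by "rcN" or a single patch letter.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc(\d+)|[a-z])?")


def parse_version(text):
    """Return a sortable tuple for the first ProFTPD version found in text.

    Ranking of the suffix: release candidate (0, N) < final release (1, 0)
    < letter patch (2, index), so 1.3.3rc4 < 1.3.3 < 1.3.3a < 1.3.3c.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ProFTPD version found in: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)
    if suffix is None:
        rank = (1, 0)
    elif suffix.startswith("rc"):
        rank = (0, int(m.group(5)))
    else:
        rank = (2, ord(suffix) - ord("a") + 1)
    return (major, minor, patch) + rank


def is_vulnerable(banner, fixed=FIXED_VERSION):
    """True when the version in banner predates the fixed release."""
    return parse_version(banner) < parse_version(fixed)


# Constructed sample banners (assumed format; not from a real server).
SAMPLE_BANNERS = [
    "220 ProFTPD 1.3.2e Server (Debian) [::ffff:192.0.2.10]",
    "220 ProFTPD 1.3.3rc4 Server ready.",
    "220 ProFTPD 1.3.3b Server ready.",
    "220 ProFTPD 1.3.3c Server ready.",
    "ProFTPD Version 1.3.4a",
]


def triage(banners):
    """Map each banner to whether its version is older than the fix."""
    return {b: is_vulnerable(b) for b in banners}


if __name__ == "__main__":
    for banner, vuln in triage(SAMPLE_BANNERS).items():
        print(("VULNERABLE  " if vuln else "ok          ") + banner)
```

A version string alone is only a first-pass signal: distributions backport fixes without bumping the upstream version, and a banner can be edited in the config, so confirm against the package changelog or the vendor advisory before closing the ticket.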

------
DanHulton
Title is a little silly. What FTP server did you EXPECT them to be running?

~~~
mfukar
I've heard _vsftpd_ [1] is quite good. I certainly wouldn't expect them to be
running anything other than ProFTPD, of course, but being aware of
alternatives somewhat helps, no?

[1] <http://vsftpd.beasts.org/>

~~~
nailer
Indeed. When all the Linux distros kicked out WUFTPd from being the default
FTP server in the early 2000s due to security concerns, nearly every one
evaluated ProFTPd and VSFTPd against each other, and VSFTPd came out on top.

~~~
kahawe
I never really liked ProFTPd, it always seemed too huge and bloated.

My favorite has always been Pure-FTPd - it really has some neat features and
is very easy to set up and so far very reliable for me.

------
j2d2j2d2
People still use ftp?

~~~
roel_v
To the downvoter, it's a valid question. FTP needs to go away, it's just a
crap protocol that is totally out of place on today's internet.

~~~
j2d2j2d2
Thank you. I could've phrased it better, but it was serious.

Everyone knows it's unencrypted and HTTP is faster for simple file serving.
Right?

~~~
roel_v
I wish... Part of the problem is that FTP is still built into today's
browsers, so many people don't even know that they're using FTP, it's just a
link they click. Luckily IE removed support for password in FTP links a few
releases ago, but still.

HTTP is ok for small files, but I'm often on unreliable links with big files
to up/download, and browsers implement 'resume', ehm, let's just say 'not so
well' (it's a server thing too, to be honest). Anyway I've used scp for years
myself, and I've tried getting others to use it, too; I mean winscp isn't
harder than any ftp client. Some would grudgingly accept if I made them,
others would just say 'I can't up/download the files'. So I've given up on
that part of trying to improve the internet :(

------
rwmj
Happens to the best of them. What really matters is how deep the attackers got
beyond the FTP server, how quickly they can recover, and how quickly they can
get patches out to all users / versions affected.

~~~
mfukar
Indeed, and their response was lightning-fast, compared to today's standards.

