oss-sec mailing list archives

Re: vsftpd download backdoored


From: Solar Designer <solar () openwall com>
Date: Tue, 5 Jul 2011 06:26:44 +0400

On Tue, Jul 05, 2011 at 10:09:32AM +0800, Eugene Teo wrote:
I did not verify.

(09:55:37 AM) hdmoore: The timestamp on vsftpd-2.3.4.tar.gz
http://bit.ly/j4VC5y indicates that the backdoor was present from Feb
15th -> July 3rd (via mc)

Looks unrealistic to me.  Feb 15 is when 2.3.4 was released by Chris.
A copy I downloaded has mtime Feb 15 (preserved from the official
download site) and ctime Mar 2 (when I downloaded it).  It passes the
GPG signature check and lacks the backdoor.

Additionally, searching for the SHA-256 digest that Chris posted reveals
only copies of his announcement of the incident and news stories about
it.  No hits for any distro's filelists, etc.  I wish we had MD5 and
SHA-1 to also search for, though.  I don't have a copy of the backdoored
vsftpd tarball to compute those, but we can ask Chris for them.

My gut feeling is that the backdoored tarball has been on the site for
1 to 3 days.  But I could be wrong.

Alexander
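Added example, not part of the original message: a Python sketch of the checks the message relies on, computing MD5, SHA-1 and SHA-256 of a download in one pass and reading its mtime and ctime, to show that mtime can carry the upstream release date while ctime records the local inode change. The `triage` and `demo` names, the sample file and the known-bad digest placeholder are assumptions (the page does not reproduce the digest), and the ctime semantics are those of Unix-like systems.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Placeholder: the digest from the incident announcement is not on this page.
KNOWN_BAD_SHA256 = {"<sha256-of-backdoored-tarball-from-the-announcement>"}


def triage(path, known_bad=KNOWN_BAD_SHA256):
    """Return digests and timestamps for one downloaded file."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        # Read once, feed every hasher, so large tarballs are not re-read.
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    st = os.stat(path)
    report = {name: h.hexdigest() for name, h in hashers.items()}
    # mtime is settable by any tool that preserves the server's timestamp.
    report["mtime"] = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    # ctime is set by the local kernel on inode change; utime() cannot set it.
    report["ctime"] = datetime.fromtimestamp(st.st_ctime, timezone.utc)
    report["known_bad"] = report["sha256"] in known_bad
    return report


def demo():
    # Constructed sample file standing in for a downloaded tarball.
    release = datetime(2011, 2, 15, tzinfo=timezone.utc).timestamp()
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar.gz") as fh:
        fh.write(b"constructed sample, not a real vsftpd tarball\n")
        path = fh.name
    try:
        # Mimic a download client that preserves the upstream mtime.
        os.utime(path, (release, release))
        clean = triage(path)
        # Same file checked against a list that contains its own digest.
        flagged = triage(path, known_bad={clean["sha256"]})
    finally:
        os.unlink(path)
    return clean, flagged


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(f"{key:>9}: {value}")
```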

