oss-sec mailing list archives
Re: vsftpd download backdoored
From: HD Moore <hdm () digitaloffense net>
Date: Mon, 04 Jul 2011 22:31:07 -0500
On 7/4/2011 9:26 PM, Solar Designer wrote:
> On Tue, Jul 05, 2011 at 10:09:32AM +0800, Eugene Teo wrote:
>> I did not verify.
>>
>> (09:55:37 AM) hdmoore: The timestamp on vsftpd-2.3.4.tar.gz http://bit.ly/j4VC5y indicates that the backdoor was present from Feb 15th -> July 3rd (via mc)
>
> Looks unrealistic to me. Feb 15 is when 2.3.4 was released by Chris. A copy I downloaded has mtime Feb 15 (preserved from the official download site) and ctime Mar 2 (when I downloaded it). It passes the GPG signature check and lacks the backdoor.
>
> Additionally, searching for the SHA-256 digest that Chris posted reveals only copies of his announcement of the incident and news stories about it. No hits for any distro's filelists, etc. I wish we had MD5 and SHA-1 to also search for, though. I don't have a copy of the backdoored vsftpd tarball to compute those, but we can ask Chris for them.
>
> My gut feeling is that the backdoored tarball has been on the site for 1 to 3 days. But I could be wrong.

Thanks for the CC -- as a guess as to what happened; was this particular mirror compromised and the original tarball modified (along with its mtime) to match the original Feb 15th date? Does anyone have a "we noticed it first" flag that is before July 3rd?

Debian (and most other repos) are storing the SHA-256/SHA1/MD5 of each source package, so a Feb 15 date does seem incredible, but so does the complete pwnage of a non-official mirror with the original mtime, at the same moment as an official dist server compromise. A nightly rsync would account for this, but we would need to know more about the mirror structure from Chris.

I am happy to correct the metasploit module if new facts arrive; thank you to everyone who spends their free time dealing with this crap.

-HD
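
The check discussed in this exchange, as an added example that is not part of the original message: two copies of a tarball can share mtime and size while differing in content, so only the digests (or the GPG signature) settle which one you have. The function names, file names and file contents below are hypothetical and constructed for the illustration.

```python
import hashlib
import os
import tempfile

def digests(path):
    """Return MD5, SHA-1 and SHA-256 of a file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def compare_copies(reference, suspect):
    """Compare a trusted copy with a mirror copy: timestamps versus content."""
    ref_st, sus_st = os.stat(reference), os.stat(suspect)
    ref_d, sus_d = digests(reference), digests(suspect)
    return {
        "mtime_equal": int(ref_st.st_mtime) == int(sus_st.st_mtime),
        "size_equal": ref_st.st_size == sus_st.st_size,
        "content_equal": ref_d["sha256"] == sus_d["sha256"],
        # ctime is not settable through utime(); a ctime later than mtime
        # only bounds when the inode last changed on this host.
        "suspect_ctime_after_mtime": sus_st.st_ctime > sus_st.st_mtime,
        # All three digests, for searching distro file lists.
        "suspect_digests": sus_d,
    }

def demo():
    """Constructed sample: two small files standing in for tarballs."""
    release_mtime = 1297728000  # constructed: 2011-02-15 00:00:00 UTC
    tmp = tempfile.mkdtemp()
    ref = os.path.join(tmp, "reference.tar.gz")
    sus = os.path.join(tmp, "mirror.tar.gz")
    with open(ref, "wb") as fh:
        fh.write(b"constructed original contents\n")
    with open(sus, "wb") as fh:
        fh.write(b"constructed modified contents\n")
    # Both copies carry the release-day mtime, as a mirror sync that
    # preserves timestamps would leave them.
    for path in (ref, sus):
        os.utime(path, (release_mtime, release_mtime))
    return compare_copies(ref, sus)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
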