oss-sec mailing list archives

Re: vsftpd download backdoored


From: Solar Designer <solar () openwall com>
Date: Tue, 5 Jul 2011 09:02:19 +0400

On Tue, Jul 05, 2011 at 08:21:12AM +0400, Solar Designer wrote:
> On Mon, Jul 04, 2011 at 11:04:00PM -0500, HD Moore wrote:
> > This copy is backdoored and has mtime Feb-15-2011. Chris didn't reply
> > when I asked him for a copy from his master (old/vsftpd-2.3.4.tar.gz).
> >
> > http://download.polytechnic.edu.na/pub2/vsftpd/vsftpd-2.3.4.tar.gz
>
> This is very helpful, thank you!  How did you find it?
>
> So, I failed to get this server to give me ctime (looked at HTTP headers
> and also tried several FTP commands), and the mtime is Feb 15.  We could
> ask the server admins for the ctime.

I think I got the equivalent of the ctime by listing the mtime for ".".
It is Jul 01 22:35.  Not sure what timezone, though.  Some analysis of
other timestamps on that server suggests UTC-1, but Wikipedia says UTC+1
or +2 for Namibia.

So it appears that the backdoor was introduced between June 30 14:15 UTC
and July 1 23:35 UTC (probably before 21:35, though).

I think I'll stop wasting time on this...

Alexander
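
Added example, not part of the original message: a Python sketch of why a directory's mtime can stand in for a replaced file's ctime, and of how the zone-less "Jul 01 22:35" listing maps to UTC under the candidate offsets discussed above. The file name, payloads and helper names are constructed for illustration; the directory mtime reflects the last entry change of any kind, so it is only an upper bound on when the file was swapped.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample value: the mtime the replaced file is made to carry.
BACKDATED = int(datetime(2011, 2, 15, tzinfo=timezone.utc).timestamp())

def swap_preserving_mtime(directory, name, payload, mtime):
    """Replace directory/name with new bytes while keeping a chosen file mtime."""
    tmp = os.path.join(directory, name + ".new")
    with open(tmp, "wb") as fh:
        fh.write(payload)
    os.utime(tmp, (mtime, mtime))                    # file mtime is settable by its owner
    os.replace(tmp, os.path.join(directory, name))   # the rename touches the directory

def directory_mtime_demo():
    """Return (file_mtime, dir_mtime_before, dir_mtime_after) around a swap."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "release.tar.gz")   # hypothetical file name
        with open(target, "wb") as fh:
            fh.write(b"original")
        os.utime(target, (BACKDATED, BACKDATED))
        os.utime(d, (BACKDATED, BACKDATED))          # directory idle since the release
        before = os.stat(d).st_mtime
        swap_preserving_mtime(d, "release.tar.gz", b"replaced", BACKDATED)
        return os.stat(target).st_mtime, before, os.stat(d).st_mtime

def utc_candidates(local, offsets_hours):
    """Map a zone-less listing timestamp to UTC under each candidate UTC offset."""
    return {h: (local - timedelta(hours=h)).replace(tzinfo=timezone.utc)
            for h in offsets_hours}

if __name__ == "__main__":
    file_m, dir_before, dir_after = directory_mtime_demo()
    print("file mtime:     ", datetime.fromtimestamp(file_m, timezone.utc))
    print("dir mtime after:", datetime.fromtimestamp(dir_after, timezone.utc))
    listing = datetime(2011, 7, 1, 22, 35)           # "Jul 01 22:35", zone unknown
    for h, t in utc_candidates(listing, (-1, 1, 2)).items():
        print(f"if server is UTC{h:+d}: {t:%b %d %H:%M} UTC")
```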

