Popular FTP package download tarball poisoned A backdoor has been discovered in the source code of a widely used FTP package. Version 2.3.4 of the source code for vsftpd – billed as probably the most secure and fastest FTP server for Unix-like systems – was replaced with a compromised version with an invalid signature. The dodgy tarball version of the code was uploaded …
"Therefore, perhaps someone was just having some lulz instead of seriously trying to cause trouble."
Tampering with a piece of software that handles the logging into FTP servers to edit websites and web apps is actually malicious and should be treated seriously. For all we know the code could have been hijacking the credentials being used on the infected client.
"it is unlikely that too many of the tech-savvy users of vsftpd fell victim to the hack. "
Wc reports >16k lines in the source files. Fairly compact but how many are going to look through them before invoking make?
Even if you wrote "Please note that this distribution contains malicious code" in the INSTALL file, I doubt that few would notice. This is human nature.
The magic command is:
gpg --verify downloaded.tar.bz2.sign
If downloaded.tar.bz2 does not match the signature, gpg will scream. If the signature matches, but was not made by a key you have previously marked as trusted, gpg will scream.
Newbies will start with an empty list of trusted signatures. A simple way to get started is to download everything, then wait a month or two for reports of bad signatures to hit the news. If there is no news then you can have some confidence that you downloaded trustworthy public keys.
The string on the same page (which has therefore by definition been compromised)?
A public key also stored on the same page?
Why aren't the keys checked by a package manager (how most people install these things)? Why aren't they in some way securely distributed (DNSSEC hosted?)
If say you had (by fair means or foul), root access to a popular FTP server, and you noticed from the logs that a lot of interesting users were using outdated versions of vsftpd, and you had a way of notifying those users to update, in the welcome message for example, then a headless hack like this takes on a whole new aspect.
Simply assuming that someone would go to all the trouble of poisoning a source depository just for the lols is a bit unimaginative.
I would be looking for the FTP servers that respond with :) in their handshakes personally, that might give us a clue as to what's going on.
Try walking through a security checkpoint at an airport and casually say something like "Gee, I hope Abdul remembered to take that bomb out of my laptop!"
Then say "I was just saying that for the lulz!"
See how far it gets you.
Mucking around with repositories is always a serious security attack - after all, this might have just been a test run...
Run the hash; for Checksum changes; doing MD5 hash comparison would have given away any nasty re-packing efforts.
I run the Hash check on everything I download. There's many neat little programs/apps you can use to do these checks.
You can't loose; Always match MD5 to check for file changes.
Or you start getting lots of false positives because people fail to rigorously post their updates and hashes together. The kind of companies that are constantly posting a stream of bug fix versions are the very ones that also manage to screw up the hashes a decent percentage of the time - because they are too lazy to check themselves.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
