Date: Tue, 5 Jul 2011 09:02:19 +0400
From: Solar Designer <solar@...nwall.com>
To: HD Moore <hdm@...italoffense.net>
Cc: oss-security@...ts.openwall.com, scarybeasts@...il.com
Subject: Re: vsftpd download backdoored

On Tue, Jul 05, 2011 at 08:21:12AM +0400, Solar Designer wrote:
> On Mon, Jul 04, 2011 at 11:04:00PM -0500, HD Moore wrote:
> > This copy is backdoored and has mtime Feb-15-2011. Chris didn't reply
> > when I asked him for a copy from his master (old/vsftpd-2.3.4.tar.gz).
> >
> > http://download.polytechnic.edu.na/pub2/vsftpd/vsftpd-2.3.4.tar.gz
>
> This is very helpful, thank you! How did you find it?
>
> So, I failed to get this server to give me ctime (looked at HTTP headers
> and also tried several FTP commands), and the mtime is Feb 15. We could
> ask the server admins for the ctime.

I think I got the equivalent of the ctime by listing the mtime for ".".
It is Jul 01 22:35. Not sure what timezone, though. Some analysis of
other timestamps on that server suggests UTC-1, but Wikipedia says UTC+1
or +2 for Namibia.

So it appears that the backdoor was introduced between June 30 14:15 UTC
and July 1 23:35 UTC (probably before 21:35, though).

I think I'll stop wasting time on this...

Alexander
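An added illustration, not part of the original message: the sketch below reproduces locally why the mtime of "." can stand in for a file's ctime when the file's own mtime has been set back, and converts the 22:35 listing time to UTC under the three offsets mentioned above. The file name and helper names are constructed for this example.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def replace_keeping_mtime(directory, name, new_bytes):
    """Swap a file's content, then restore its previous mtime."""
    path = os.path.join(directory, name)
    old = os.stat(path)
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(new_bytes)
    os.replace(tmp, path)                          # directory entry changes: dir mtime moves
    os.utime(path, (old.st_atime, old.st_mtime))   # file mtime reset; dir mtime is not
    return os.stat(path).st_mtime, os.stat(directory).st_mtime


def utc_window(local_naive, candidate_offsets_h):
    """UTC range for a server-local timestamp whose zone is only guessed."""
    as_utc = [(local_naive - timedelta(hours=h)).replace(tzinfo=timezone.utc)
              for h in candidate_offsets_h]
    return min(as_utc), max(as_utc)


def demo():
    feb15 = datetime(2011, 2, 15, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.tar.gz")   # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"original")
        os.utime(path, (feb15, feb15))
        os.utime(d, (feb15, feb15))                # directory looks untouched since Feb 15
        file_mtime, dir_mtime = replace_keeping_mtime(d, "example.tar.gz", b"replaced")
    # Listing time from the message, with the offsets it mentions (UTC-1, UTC+1, UTC+2).
    lo, hi = utc_window(datetime(2011, 7, 1, 22, 35), [-1, +1, +2])
    return file_mtime, dir_mtime, lo, hi


if __name__ == "__main__":
    f, dmt, lo, hi = demo()
    print("file mtime:", datetime.fromtimestamp(f, timezone.utc))
    print("dir  mtime:", datetime.fromtimestamp(dmt, timezone.utc))
    print("directory change in UTC between", lo, "and", hi)
```

The directory mtime only bounds the most recent entry change in that directory, so any later unrelated upload or rename there would overwrite the evidence.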