Date: Tue, 5 Jul 2011 09:02:19 +0400
From: Solar Designer <solar@...nwall.com>
To: HD Moore <hdm@...italoffense.net>
Cc: oss-security@...ts.openwall.com, scarybeasts@...il.com
Subject: Re: vsftpd download backdoored

On Tue, Jul 05, 2011 at 08:21:12AM +0400, Solar Designer wrote:
> On Mon, Jul 04, 2011 at 11:04:00PM -0500, HD Moore wrote:
> > This copy is backdoored and has mtime Feb-15-2011. Chris didn't reply
> > when I asked him for a copy from his master (old/vsftpd-2.3.4.tar.gz).
> >
> > http://download.polytechnic.edu.na/pub2/vsftpd/vsftpd-2.3.4.tar.gz
>
> This is very helpful, thank you! How did you find it?
>
> So, I failed to get this server to give me ctime (looked at HTTP headers
> and also tried several FTP commands), and the mtime is Feb 15. We could
> ask the server admins for the ctime.

I think I got the equivalent of the ctime by listing the mtime for ".".
It is Jul 01 22:35. Not sure what timezone, though. Some analysis of
other timestamps on that server suggests UTC-1, but Wikipedia says UTC+1
or +2 for Namibia.

So it appears that the backdoor was introduced between June 30 14:15 UTC
and July 1 23:35 UTC (probably before 21:35, though).

I think I'll stop wasting time on this...

Alexander
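
An added example, not part of the original message: a Python sketch (assuming a Unix filesystem) of why the mtime of "." can stand in for a file ctime that HTTP and FTP do not expose, followed by the listed time read under each candidate UTC offset. The file name and contents are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed value: the date the file's own mtime claims (Feb 15 2011), in epoch seconds.
FORGED_MTIME = int(datetime(2011, 2, 15, tzinfo=timezone.utc).timestamp())

def replace_backdated(directory, name, forged_mtime):
    """Simulate a file swapped in later whose mtime still shows an older date."""
    final = os.path.join(directory, name)
    tmp = final + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(b"constructed replacement contents\n")
    os.utime(tmp, (forged_mtime, forged_mtime))  # a file's mtime is caller-settable
    os.replace(tmp, final)  # changing a directory entry updates the directory's mtime
    return final

def evidence(directory, name):
    """Collect the timestamps an investigator would compare."""
    st_file = os.stat(os.path.join(directory, name))
    return {
        "file_mtime": st_file.st_mtime,            # shown by a listing of the file
        "file_ctime": st_file.st_ctime,            # inode change time; local access only
        "dir_mtime": os.stat(directory).st_mtime,  # shown by a listing of "."
    }

def utc_candidates(listed, offsets_hours):
    """Interpret a zone-less listing time under each candidate UTC offset."""
    return {h: listed - timedelta(hours=h) for h in offsets_hours}

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "archive.tar.gz")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed original contents\n")
        os.utime(path, (FORGED_MTIME, FORGED_MTIME))
        os.utime(d, (FORGED_MTIME, FORGED_MTIME))  # directory starts out looking old too
        replace_backdated(d, "archive.tar.gz", FORGED_MTIME)
        return evidence(d, "archive.tar.gz")

if __name__ == "__main__":
    print(demo())
    for off, t in utc_candidates(datetime(2011, 7, 1, 22, 35), [-1, 1, 2]).items():
        print(f"UTC{off:+d}: {t:%b %d %H:%M} UTC")
```

The directory mtime only bounds the most recent change to any entry in that directory, so it is an upper bound on when the file was replaced rather than an exact time.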