Overview
vsftpd is an open-source FTP server used on Linux/Unix systems. Between June 30th 2011 and July 3rd 2011 a backdoor was injected into the source code.
What is a Backdoor?
Think of your home. It probably has one main entrance, the front door. Now imagine that somewhere at the back there was a hidden entrance that let someone slip in and out unnoticed.
A backdoor is a method of accessing a system that bypasses normal authentication and enters through a hidden access point. It gives an attacker persistent remote access. In other words, an attacker can enter and leave your system as they please!
Backdoors can be introduced accidentally during the development of an application or the design of a system. An attacker can also inject a backdoor into a software update. This is what happened to vsftpd 2.3.4.
How It Works
In the compromised source file, a function checked for the byte values 0x3A and 0x29, the ASCII codes for : and ). Together they form a smiley face, :), which is why this vulnerability is sometimes referred to as the "smiley face backdoor."
If a login attempt contains these two bytes in sequence, the server opens a shell listening on port 6200/tcp. An attacker can then connect to that port and access the system through this backdoor.
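As an added illustration (not code from the original write-up or from the vsftpd project), the following Python shows how a defender could look for the two indicators described above: the 0x3A 0x29 trigger inside USER commands in a control-channel capture, and a listener on 6200/tcp in `ss -ltn` output. The capture, the `ss` output and the "> "/"< " line format are constructed samples and assumptions for the example.

```python
# The trigger described above: bytes 0x3A 0x29, the ASCII text ":)".
TRIGGER = b"\x3a\x29"
BACKDOOR_PORT = 6200

# Constructed sample of an FTP control-channel capture: "> " marks client
# commands, "< " marks server replies (format assumed for this example).
SAMPLE_CAPTURE = b"""\
< 220 (vsFTPd 2.3.4)
> USER alice
> PASS hunter2
< 530 Login incorrect.
> USER bob:)
> PASS x
"""

# Constructed sample of `ss -ltn` output with a listener on 6200/tcp.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      32           0.0.0.0:21         0.0.0.0:*
LISTEN 0      1            0.0.0.0:6200       0.0.0.0:*
"""

def user_commands(capture: bytes) -> list[bytes]:
    """Return the argument of every client USER command in the capture."""
    users = []
    for line in capture.splitlines():
        if line.startswith(b"> ") and line[2:6].upper() == b"USER":
            users.append(line[6:].strip())
    return users

def triggered_logins(capture: bytes) -> list[bytes]:
    """Usernames carrying the 0x3A 0x29 trigger anywhere in them."""
    return [u for u in user_commands(capture) if TRIGGER in u]

def advertises_backdoored_version(capture: bytes) -> bool:
    """True if the server banner names the backdoored 2.3.4 release."""
    return b"220 (vsFTPd 2.3.4)" in capture

def listeners_on_port(ss_output: str, port: int = BACKDOOR_PORT) -> list[str]:
    """Lines of `ss -ltn` output whose local address ends in :<port>."""
    hits = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3].endswith(f":{port}"):
            hits.append(line)
    return hits

if __name__ == "__main__":
    print(triggered_logins(SAMPLE_CAPTURE), listeners_on_port(SAMPLE_SS_OUTPUT))
```

On a real host, feed `listeners_on_port` the output of `ss -ltn` and `triggered_logins` a capture of the FTP control channel; a hit on either is grounds to isolate and rebuild the machine rather than just patch it.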
Remediation
vsftpd 2.3.4 is no longer in use. However, if you find a machine still running this version, update it to the latest version immediately.
In the context of backdoor attacks, consider the following:
Detection
- Network analysis for unusual outbound connections from a system.
- Endpoint Detection and Response (EDR) monitoring.
- Unusual administrative behaviour on a host can itself be an indicator of backdoor activity.
Prevention
- Implement the principle of least privilege and zero trust by verifying identities and limiting access to resources.
- Maintain a strong software patching routine. Install patches for known vulnerabilities as soon as they are available.
- Adopt secure development practices that prevent developers from accidentally or intentionally introducing a backdoor.