Upgrade to a newer version of vsftpd, such as 2.3.5 or later, which includes a patch for this vulnerability. You can download the latest version from the official vsftpd website or your distribution's package repository.
netstat -tulpn | grep :21 ps aux | grep vsftpd
Before fixing, verify if your system is vulnerable. You can use community-maintained Nmap NSE scripts or Python scripts found on GitHub.
In July 2011, an unknown attacker compromised the master download server for vsftpd and replaced the legitimate v2.3.4 source code archive with a weaponized version. How the Exploit Works vsftpd 208 exploit github fix
Version 2.0.8 was never backdoored. The exploit name is a misnomer.
unsigned int i; - if (src->len == 2 && src->buf[0] == ':' && src->buf[1] == ':') - system("/bin/sh"); for (i = 0; i < src->len; i++) dest->buf[i] = toupper(src->buf[i]);
This workaround disables write access to the chroot directory, which prevents exploitation of the vulnerability. Upgrade to a newer version of vsftpd, such as 2
The vulnerability exists because a malicious actor injected code into the sysdeputil.c file of the vsftpd 2.3.4 source code. The Trigger
. The infected archive was quickly identified and removed from the master site.
Or for a running process:
: Always verify the PGP signatures or SHA256 checksums when downloading software from third-party repositories.
nmap -sV -p21 <TARGET_IP>
and allows unauthenticated root access via a simple username trigger. You can use community-maintained Nmap NSE scripts or
Navigate to a trusted mirror or verified GitHub repository containing the official, un-backdoored vsftpd source code (such as the patched versions maintained by major Linux distributions or trusted security researchers). git clone https://github.com cd vsftpd Use code with caution.
The most effective fix is to update to the latest stable release (e.g., vsftpd 3.0.x), where this backdoor does not exist. PwnHouse/OSVDB-73573/README.md at master - GitHub