From: Matthew Jonkman <jonkman-KR6O7HwU5NEj81HyF2mgTp7yRHBCnCMy <at> public.gmane.org>
Subject: Proftpd Rules
Newsgroups: gmane.comp.security.ids.snort.emerging-sigs
Date: Thursday 2nd December 2010 17:01:15 UTC (over 8 years ago)
Interesting but unfortunate developments at ProFTPD. They had a
distribution server compromised and two backdoors inserted into the code
for version 1.3.3c. Downloads from 11/28/2010 through 12/2/2010 may be
affected. I highly recommend reinstalling if you have installed lately.

More information at these links:

http://www.proftpd.org/

http://www.net-security.org/secworld.php?id=10243

http://slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed

We are publishing the following three rules immediately for coverage. I
recommend reacting quickly if you get hits; these are pretty foolproof.


alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET CURRENT_EVENTS Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; classtype:trojan-activity; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; sid:2011992; rev:2;)



alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; classtype:trojan-activity; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; sid:2011993; rev:1;)



alert tcp any any -> $HOME_NET 21 (msg:"ET CURRENT_EVENTS ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHES)"; flow:established,to_server; content:"HELP ACIDBITCHES"; depth:16; nocase; classtype:trojan-activity; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; sid:2011994; rev:1;)

Highly recommend running these asap. These are in the open ruleset.

Pushing the tarball momentarily.

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
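The following is an added example, not part of the original post or the Emerging Threats ruleset: a small Python matcher that reproduces what the three rules above test for (the $HOME_NET -> 212.26.42.47:9090 flow, the "GET /AB" beacon, and "HELP ACIDBITCHES" within the first 16 bytes of an FTP command, case-insensitively) and runs it over constructed sample segments. It assumes a hypothetical $HOME_NET of 10.0.0.0/8 and treats every sample segment as client-to-server, so the flow:to_server / established state tracking is simplified away.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical value for $HOME_NET; the rules leave it to the deployment.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
C2_HOST, C2_PORT = "212.26.42.47", 9090


@dataclass
class Packet:
    """One client-to-server TCP segment (flow:to_server is assumed)."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def content_match(payload: bytes, content: bytes,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Snort 'content' semantics: search only the first `depth` bytes of the
    payload; 'nocase' compares case-insensitively."""
    hay = payload if depth is None else payload[:depth]
    if nocase:
        hay, content = hay.lower(), content.lower()
    return content in hay


def match_sids(pkt: Packet) -> List[int]:
    """Return the SIDs of the three ProFTPD backdoor rules that pkt triggers."""
    src_home = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_home = ipaddress.ip_address(pkt.dst) in HOME_NET
    hits = []
    # sid:2011992 - anything from HOME_NET toward the C2 host:port. No
    # 'established' and no 'content', so even the initial SYN alerts.
    if src_home and pkt.dst == C2_HOST and pkt.dport == C2_PORT:
        hits.append(2011992)
        # sid:2011993 - same flow, once the beacon request is actually sent.
        if content_match(pkt.payload, b"GET /AB"):
            hits.append(2011993)
    # sid:2011994 - inbound FTP command; depth:16 with a 16-byte content
    # means the string must start at offset 0 of the command line.
    if dst_home and pkt.dport == 21 and content_match(
            pkt.payload, b"HELP ACIDBITCHES", depth=16, nocase=True):
        hits.append(2011994)
    return hits


if __name__ == "__main__":
    # Constructed sample traffic, not captures from the incident.
    for p in (Packet("10.1.2.3", C2_HOST, C2_PORT),
              Packet("10.1.2.3", C2_HOST, C2_PORT, b"GET /AB HTTP/1.0\r\n"),
              Packet("198.51.100.7", "10.1.2.3", 21, b"help acidbitches\r\n"),
              Packet("198.51.100.7", "10.1.2.3", 21, b"USER anonymous\r\n")):
        print(p.src, "->", p.dst, p.dport, match_sids(p))
```

Note that a leading space before the HELP command already defeats sid:2011994 because of depth:16, which is why the rule is tight rather than broad.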