a vulnerable FTP Server in the wild


This was discovery by chance.

I was giving a workshop and while demonstrating some features of nmap i justused the name of a company in the area.

Without intending this there where some things to discover and to learn.

Obviously I informed the company immediatly of my findings and the problems have since been fixed.

So lets look into i step by step.

Lets start with a simple portscan:

There is one thing to notice here already: they run all kind of services on on server. Mail, FTP, Web, etc.

That means: as soon as one service can be compromised, all the services on that server are at serious risk.

Lets look for the versions of the services with the -sV switch.

and here we quickly see it: the FTP Server seems worth looking at.

searchsploit ProFTPD 1.3.3c

We can also look online on https://www.exploit-db.com/

Conveniently enough we see that there should be a metasploit module for this version of proFTP.

So lets start metasploit and have a look.

we can look into the info of the module:

This module exploits a malicious backdoor that was added to the 
ProFTPD download archive. This backdoor was present in the
proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th 2010 and
2nd December 2010.

So we stop here but it seems pretty certain that we could quite easily compromise the FTP Server.

And since The web and mail services run on the same machine these services are also at serious risk.

As it turns out this FTP Server started as a quick workaround to exchange assets with a content agency and was not maintained.

And as a result it put the whole communication infrastructure of the company at serious risk.

A good example of how little things can have dramatic implications for the cyber  security of a company.

Leave a Reply

Your email address will not be published. Required fields are marked *