Vsftpd is an FTP server for UNIX systems, including Linux. It is said to be secure and extremely fast. Chris Evans (scary_beast), the author of vsftpd, confirmed on his blog that version 2.3.4 of vsftpd was compromised and that a backdoor had been added to the source code. He was alerted on Sunday to the fact that a bad tarball with an invalid GPG signature had been downloaded from the vsftpd master site. It is not known how long the bad code had been online. The bad tarball included a backdoor that responds to a user logging in with the user name “:)” by listening on port 6200 for a connection and launching a shell when someone connects.
As a precautionary measure, Chris has moved the project source code to https://security.appspot.com/vsftpd.html, a Google App Engine hosted site. “There is no obfuscation. More interestingly, there’s no attempt to broadcast any notification of installation of the bad package. So it’s unclear how victims would be identified; and also pretty much guaranteed that any major redistributor would notice the badness. Therefore, perhaps someone was just having some lulz instead of seriously trying to cause trouble” says Chris. It is a good sign that this backdoor was identified, but not a good sign for users who may have downloaded the tarball while it was available, as it is still unclear how long ago the backdoor was inserted.
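The two indicators described above (a login with “:)” in the user name and a listener on port 6200) can be checked on a host that ran the affected build. The following is an added example, not code from vsftpd or from Chris Evans; the log line layout, the `ss -ltn` style input, the function names and all sample data are assumptions constructed for illustration, and matching any user name that contains the smiley is a deliberately broad choice.

```python
import re

# Assumed vsftpd log layout: <timestamp> [pid N] [user] OK|FAIL LOGIN: Client "ip"
LOGIN_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] \[(?P<user>.*?)\] '
    r'(?P<status>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
TRIGGER = ":)"        # user name trigger described in the article
BACKDOOR_PORT = 6200  # listener port described in the article

# Constructed sample data, not taken from a real incident.
SAMPLE_LOG = """\
Sun Jul  3 09:14:07 2011 [pid 2101] [ftp] OK LOGIN: Client "192.0.2.10", anon password "x@example.org"
Sun Jul  3 09:15:42 2011 [pid 2117] [backup:)] FAIL LOGIN: Client "198.51.100.23"
Sun Jul  3 09:16:03 2011 [pid 2120] [alice] OK LOGIN: Client "192.0.2.44"
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      1      0.0.0.0:6200       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

def find_trigger_logins(log_text):
    """Return (timestamp, user, client) for logins whose user name holds the trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and TRIGGER in m.group("user"):
            hits.append((m.group("ts"), m.group("user"), m.group("client")))
    return hits

def find_backdoor_listeners(ss_text, port=BACKDOOR_PORT):
    """Return local addresses in LISTEN state on `port` from `ss -ltn` style text."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, p = fields[3].rpartition(":")  # handles 0.0.0.0:21 and [::]:22
            if p == str(port):
                found.append(addr)
    return found

def assess(log_text, ss_text):
    """Combine both indicators; either one alone is reason to investigate."""
    logins = find_trigger_logins(log_text)
    listeners = find_backdoor_listeners(ss_text)
    return {"trigger_logins": logins, "listeners": listeners,
            "investigate": bool(logins or listeners)}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, SAMPLE_SS))
```

A clean result here does not clear a host that built from the bad tarball; checking the download against its GPG signature, as the article describes, remains the primary control.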