Chris Evans, author of vsftpd announced that the master site for vsftpd was compromised and that the latest version of vsftpd (vsftpd-2.3.4.tar.gz) was backdoored.
The backdoor payload is interesting. In response to a 🙂 smiley face in the FTP username, a TCP callback shell is attempted. There is no obfuscation. More interestingly, there’s no attempt to broadcast any notification of installation of the bad package. So it’s unclear how victims would be identified; and also pretty much guaranteed that any major redistributor would notice the badness.
The official download was promptly moved to Google App Engine.
