More than one million ProFTPD servers have been found vulnerable to remote code execution and stolen data attacks that could be accessed through a successful arbitrary file copy vulnerability. A ProFTPD server is an open-source and cross-platform FTP server that supports most Unix-like systems and windows. The primarily targeted server is the Unix-based platforms along with Pure-FTPd and vsftpd. All ProFTPD versions, including the latest version, are impacted by this vulnerability that allows remote attackers to execute arbitrary code without the need to authenticate, and with user rights after successful exploitation. Currently, there are over one million vulnerable servers across the globe with over 200,000 being US-based. With that many vulnerable servers, it makes a very appealing target for hackers to exploit. Current attacks found include attackers infecting the vulnerable servers with the new Watchbog Trojan that utilizes the server for crypto mining. The fact that this vulnerability has only just been released and that attacks are being carried out serves as proof to the speed at which hackers are capable of abusing flaws.
Analyst Notes
Currently, there is no patch from the ProFTPd’s security team, but they have released a workaround. Server administrators are recommended to immediately disable the mod_copy module in the ProFTPD configuration file.
