vsftpd-3.0.3-infected

As part of my venture to try and gain more understanding of C and C* (C#, C++, etc) languages I decided to look at the source code of vsFTPd. I stumbled upon the vsftpd-2.3.4-infected repository by nikdubois. Looking at the diff file identified the snippets of code that provided magic string checking and that spawned the shell. I decided to try and implement it in this version of vsFTPd and succeeded. Connecting to the infected service on port 21 and sending the input 'USER roodkcab:' and 'PASS (the password doesn't matter, just put anything in here)' will not result in a '530 Login incorrect.' message, but rather the service will stop responding to that particular connection (Any other connections are still served as normal). Instead, during the checking of the username for bad characters (specifically spaces), the function 'str_extra_check()' is called, resulting in a shell (/bin/sh) binding to port 50102 running as the user the server is running as (root in default installations). To avoid any warnings during compilation, both the backdoor and magic string checking are in the file str.c; in contrast to the backdoor in 2.3.4, which generated one warning during compilation because 'vsf_sysutil_extra' was not defined properly in str.c (but would be defined later in sysdeputil.c and as such the code worked as intended). The likely reason the 2.3.4 backdoor was setup like this was to try and avoid detection by skimming the source code (The compilation error was probably how it was found.). Putting all the code in str.c, however, makes it stick out like a sore thumb. (Having a ~19 line function in a file filled with 2 to 5 line functions tends to do that).