Upon a routine look over my Virtualmin box I noticed something very unnerving. Within /tmp sat a file called passwd.copy. Looking into this file I could see it was a copy of my /etc/passwd file.
The file was owned by proftpd and created earlier today:
    root@cp:~# stat /tmp/passwd.copy
      File: ‘/tmp/passwd.copy’
      Size: 2776       Blocks: 8          IO Block: 4096   regular file
    Device: 13h/19d    Inode: 133879265   Links: 1
    Access: (0644/-rw-r--r--)  Uid: (  112/ proftpd)   Gid: (65534/ nogroup)
    Access: 2015-11-28 12:42:38.059295568 +0000
    Modify: 2015-11-28 12:42:38.059295568 +0000
    Change: 2015-11-28 12:42:38.059295568 +0000
Looking into this further I can see it seems to be related to the following exploit:
    root@cp:~# proftpd -v
    ProFTPD Version 1.3.5rc3
People running Ubuntu could be affected by this. I would recommend people check their system.
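One way to run the check recommended above, as an added example that is not part of the original post: it lists files owned by the FTP daemon's account that contain lines copied from /etc/passwd. The function name `find_passwd_copies` is hypothetical; the `proftpd` account and the /tmp location are taken from the `stat` output in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# find_passwd_copies DIR OWNER [REFERENCE]
#   DIR       directory tree to scan (e.g. /tmp)
#   OWNER     user name or numeric uid of the service account (e.g. proftpd)
#   REFERENCE file whose lines should not be copied elsewhere (default /etc/passwd)
# Prints one line per regular file under DIR that is owned by OWNER and
# contains at least one complete line of REFERENCE.
# Assumptions: REFERENCE has no empty lines; file names contain no newlines.
find_passwd_copies() {
    dir=$1
    owner=$2
    ref=${3:-/etc/passwd}
    # -xdev keeps find on one filesystem; -user restricts to the service account.
    find "$dir" -xdev -type f -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        # -F fixed strings, -x whole-line matches, -f patterns read from REFERENCE,
        # -c count of matching lines. "|| true" keeps a zero count from aborting
        # callers that run under "set -e".
        hits=$(grep -c -F -x -f "$ref" -- "$f" 2>/dev/null || true)
        if [ "${hits:-0}" -gt 0 ]; then
            printf '%s\t%s matching lines\n' "$f" "$hits"
        fi
    done
}

# Usage on a host like the one in the post (run as root so every file is readable):
#   find_passwd_copies /tmp proftpd
```

Any output is worth investigating, since the FTP daemon's account has no ordinary reason to write account data outside its own directories.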