Hacker on the Prowl - wuftpd is vulnerable

Albert E. Whale, CISSP
Honored Contributor


I have just tracked a hacker and found that they are penetrating through the wu-ftpd package.

Apparently the site exec command is being used to hack into servers.

CERT issued the advisory CA-2000-13 in November of last year:

Please update your ftp software immediately!
Sr. Systems Consultant @ ABS Computer Technology, Inc. &

Re: Hacker on the Prowl - wuftpd is vulnerable

There is a Red Hat-specific attack in the form of the Ramen Worm, which targets wu-ftp as well as rpc.statd and LPRng.

There's nothing fdisk can't fix
Steven Sim Kok Leong
Honored Contributor

Re: Hacker on the Prowl - wuftpd is vulnerable


wu-ftpd 2.6.0-14.6x and beyond is not vulnerable to the site-exec exploit. A safer bet would be to upgrade to wu-ftpd 2.6.1. Even though the wu-ftpd 2.6.1 RPM is not available on RedHat 6.X, the source (tarball downloadable) can be smoothly compiled and implemented on RedHat 6.X. wu-ftpd 2.6.1 source can be downloaded from

One note about wu-ftpd 2.6.1. The recent security advisory from SANS warns of the privatepw vulnerability specific to wu-ftpd 2.6.1. However, the privatepw vulnerability won't affect you if you don't use the 'private' feature which allows SITE GROUP and SITE GPASS.

Advisory extract:
*** {00.56.019} Cross - wu-ftpd privatepw temp file race condition

The privatepw application that shipped with wu-ftpd version 2.6.1 uses insecure temp file handling, which results in a local race condition.

Hope this helps. Regards.

Steven Sim
Brainbench MVP for Unix Admin
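
The class of bug named in the advisory extract above (insecure temp file handling leading to a local race), shown as an added example that is not part of the original thread and is not privatepw's source code. The function names, the `app.tmp` file name and the scratch directory are constructed for the demonstration; it contrasts a fixed-name open that follows a pre-existing symlink with an `O_EXCL` open that refuses it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: fixed name in a shared directory; open() follows a symlink that
   already sits at that name and truncates the file it points to. */
int open_tmp_racy(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes "create or fail" atomic, so any existing entry,
   a symlink included, gives -1 with errno EEXIST. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a 7-byte "target" file and a symlink "app.tmp"
   pointing at it, both inside a private scratch directory. Opens app.tmp
   with the chosen opener and returns the target's size afterwards
   (-1 on setup failure). */
long target_size_after(int (*opener)(const char *))
{
    char dir[] = "/tmp/tmpdemoXXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/app.tmp", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("secret\n", f);
    fclose(f);
    if (symlink(target, lnk) != 0) return -1;
    int fd = opener(lnk);
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}

int main(void)
{
    printf("racy open:   target is %ld bytes\n", target_size_after(open_tmp_racy));
    printf("O_EXCL open: target is %ld bytes\n", target_size_after(open_tmp_excl));
    return 0;
}
```

In new code, `mkstemp()` gives the same create-or-fail guarantee and also picks an unpredictable name, so it is the usual replacement for a fixed temp file path.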