attackers most likely used an unpatched security issue in the FTP daemon
I've heard vsftpd [1] is quite good. I certainly wouldn't expect them to be running anything other than ProFTPD, of course, but being aware of alternatives somewhat helps, no?
Indeed. When all the Linux distros kicked out WUFTPd from being the default FTP server in the early 2000s due to security concerns, nearly every one evaluated ProFTPd and VSFTPd against each other, and VSFTPd came out on top.
I wish... Part of the problem is that FTP is still built into today's browsers, so many people don't even know that they're using FTP, it's just a link they click. Luckily IE removed support for password in FTP links a few releases ago, but still.
HTTP is ok for small files, but I'm often on unreliable links with big files to up/download, and browsers implement 'resume', ehm, let's just say 'not so well' (it's a server thing too, to be honest). Anyway I've used scp for years myself, and I've tried getting others to use it, too; I mean winscp isn't harder than any ftp client. Some would grudgingly accept if I made them, others would just say 'I can't up/download the files'. So I've given up on that part of trying to improve the internet :(
I wish everyone knew. I also thought FTP was a 20th century relic, until I started doing freelance web development full-time. It turns out FTP is still the preferred (and often only) way to manage web sites with the cheap shared hosting plans that small businesses gravitate to.
I started a group on Facebook called "7 Billion Strong Against FTP" to cope. 6,999,999,993 more to go.
People still use ftp. The farther you get from the startup world, the more people use it. They lock it down with firewalls, put it behind NAT, and encrypt it with ssl. And sometimes try to do all three to both ends at the same time. There's one big headache for you.
I've been trying my hardest to kill ftp with all the people I have to deal with, but it's entrenched. We'll still be dealing with it when we have mind/computer interfaces, and it'll still be a pain in the ass. (that's probably the data connection, the control connection will come in somewhere else)
OK I am going to bite... what should "people" use instead?
SCP/SFTP? Adds quite an overhead and puts more load on the server; I have never reached even nearly the same dl rate with scp/sftp that I would get with ftp and we are talking lame 2 Megabytes/s here.
HTTP? I'd like to be able to resume and I want the nice comfort of being able to download a whole file structure with a single click. I am not going to click on 10000 single links in a browser.
Other than that I cannot think of an alternative to list here but I would be very happy and thankful if you could point me to a few.
Happens to the best of them. What really matters is how deep the attackers got beyond the FTP server, how quickly they can recover, and how quickly they can get patches out to all users / versions affected.
If they don't know exactly how the server was compromised I don't understand how they can know the vulnerability is limited to software downloaded within a certain timeframe. The added backdoor yes, but the vulnerability that allowed the attack to succeed is still unaccounted for.
Or am I missing something?