Version 2.0.8 was released in 2007 as a standard maintenance update. Or so the world thought.
On July 1, 2011, security researchers noticed something alarming. The official vsftpd 2.0.8 source code tarball (compressed archive) available on the master site had been compromised. An unknown attacker had gained access to the distribution server and replaced the legitimate vsftpd-2.0.8.tar.gz with a malicious version. vsftpd 2.0.8 exploit github
ftp anonymous / anonymous (or blank) to list files, potentially accessing sensitive /home or configuration files. Version 2
Stapler: 1 * vsftpd 2.0.8 or later. * OpenSSH 7.2p2. * MySQL 5.7.12-0ubuntu1. * PHP cli server 5.5. * Samba 4.3.9. vsftpd-backdoor-exploit/README.md at main - GitHub The official vsftpd 2
An attacker sends a large number of CWD (Change Working Directory) commands.
Edit /etc/vsftpd.conf and set anonymous_enable=NO . 4. Other Historical Vulnerabilities