Ironically, to plant their backdoor, the attackers used a zero-day vulnerability in ProFTPD itself, which the developers were using to make the source code available to users. The modification was carried out on 28 November and was discovered and reverted on 1 December. Because the project's main server, which also feeds various mirrors via rsync, was affected, the modified code has probably been delivered via official mirrors right up until today.
The link for this article located at H Security is no longer available.