Vsftpd + 'ftp' user account access?

I maintain a few public-facing anonymous FTP servers running vsftpd (2.0.5) using CentOS 5.x. The daemon configuration is pretty straightforward and tightened; no user or guest access, strictly anonymous + filtering via user_list and banned_emails.

Perhaps unbeknown to me (which I’m slightly ashamed of) we received a brash of new vulnerability assessment plugins for our security scanning software, and when interrogating the authentication attempt one of these plugins tried against my anonymous FTP system, it allowed the login with the user ‘ftp’ and the password it gave it. (Note: in my testing, ‘any’ password I tossed at it in combination with ‘ftp’ as a username authenticated.)

So I’m really confused why this is happening. I’ve re-checked my userlist_enable settings and entries in the userlist_file, set the ‘ftp’ system account with a shell of /sbin/nologin, and even went out on a limb and changed ftp_username to another user and removed the system ‘ftp’ account, all of which I thought were possibly related to why I could authenticate with that username on an anonymous-only FTP setup. Guess I was wrong.

It’s not a huge issue other than understanding why this is happening. I thought it was because the default system user that vsftpd was running as is ‘ftp’ but that’s not it. I’m quite baffled.

Steps to reproduce with ‘ftp’ username:

$ ftp localhost
Connected to localhost (127.0.0.1).
Name (localhost:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> exit
$

Step validating that the userlist and anonymous-only settings work, using an acct listed in userlist_file:

$ ftp localhost
Connected to localhost (127.0.0.1).
Name (localhost:root): bin
530 This FTP server is anonymous only.
Login failed.
ftp> exit
$

Any ideas welcome. Thanks.