Slashdot Mirror


BitchX 1.0c19 IRC Client Backdoored

JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"

5 of 305 comments

  1. Please read the article... by Snard · · Score: 1, Redundant

    The linked article gives a bit more insight into the REAL problem... It appears that someone has hacked the FTP server, and it is now serving up a trojan'ed copy of the aforementioned BitchX distribution, but only part of the time (based on the IP address and/or connectivity of the client). Rather sneaky...

    Anyway, I guess this is a good reason to have some sort of "signing" on your distribution.

    --
    - Mike
  2. Re:Who's this? by jhampson · · Score: 0, Redundant

    Ack! Is the .pl the domain for Palestine? The Feds are right, we ARE being cyber-attacked!

  3. watch out! by Marque_Off · · Score: 0, Redundant

    According to the bugtraq post, when you downloaded the file, sometimes you received the backdoored version, and other times you didn't. From the post, "There is something very strange going on with the FTP server on BitchX.com serving trojaned and clean versions, depending on the originating IP, demonstrating that the slashcode maintainers have silently fixed this on slashdot.org and resulted in most of the problem in CVS but have not even mentioned it anywhere that I can find. This leaves all sites using slash vulnerable to this exploit.

    An example exploit (incomplete) is as follows: I am disappointed that the server had been 0wned (more than likely). Sad that the developers didn't notice sooner, and it makes you wonder how many boxes have now additionally been 0wned (more than likely). Sad that the server had been 0wned (more than likely).

    Will it take to find such backdoor if this software was closed-source? That's one of the site being taken down for an hour or so. The maintainers of slashcode have patched the problem in CVS but have not even mentioned it anywhere that I can find.

    There is a nasty large man calling himself 'big mamma' vuln in Slashcode. This was used a day or so ago on slashdot.org yet made no mention of the problem elsewhere so that other sites can patch themselves. That's a bitch. No wonder there are so many "trolls" on slashdot.org...ah well. If you come off of what appears to be client / client-behavior based (we're not sure exactly what)."

    --
    While at a conference a few weeks back, I spent an interesting evening with a grain of salt.
  4. Re:Who's this? by Ark42 · · Score: 0, Redundant
    According to http://www.iana.org/assignments/ipv4-address-space it's a RIPE IP, and according to http://www.ripe.net/perl/whois/

    inetnum: 213.77.115.0 - 213.77.115.255
    netname: DATACOM
    descr: Datacom
    descr: Warszawa Bemowo
    country: PL
    admin-c: AW7760-RIPE
    tech-c: RW7118-RIPE
    status: ASSIGNED PA
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE

    route: 213.77.0.0/16
    descr: TPNET (PL)
    descr: Provider Local Registry
    origin: AS5617
    notify: konradpl@zt.piotrkow.tpsa.pl
    mnt-by: AS5617-MNT
    changed: konradpl@zt.piotrkow.tpsa.pl 20000728
    source: RIPE

    person: Arkadiusz Wrobel
    address: "DataCOM" S. A.
    address: ul Radiowa 21a m20
    address: 01 - 485 Warszawa
    address: POLAND
    phone: +48 606 298639
    fax-no: +48 22 6672495
    e-mail: awrobel@wat.waw.pl
    nic-hdl: AW7760-RIPE
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE

    person: Rafal Wrzosek
    address: "DataCOM" S. A.
    address: ul Kaliskiego 11a /312
    address: 01 - 485 Warszawa
    address: POLAND
    phone: +48 606 145187
    fax-no: +48 22 6672495
    e-mail: awrobel@wat.waw.pl
    nic-hdl: RW7118-RIPE
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE
  5. Re:Who's this? by andyr · · Score: 0, Redundant

    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum: 213.77.115.0 - 213.77.115.255
    descr: Datacom
    descr: Warszawa Bemowo
    country: PL
    admin-c: AW7760-RIPE
    tech-c: RW7118-RIPE
    status: ASSIGNED PA
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE

    --
    Andy Rabagliati