Freenode Network Hijacked, Passwords Compromised?
tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
I was going to suggest something along those lines, but if you think about it... if the services database were compromised, even if there's hashing, then everyone's passwords might get out anyway. I don't think anything actually implied that they're stored plaintext.
I hope not, at least.
If you can pose as NickServ, some people will send you their password, thinking you're the real NickServ bot. The original identification command is to PM NickServ your password, assuming that NickServ is a nice bot that won't tell anyone. Now, if someone poses as our nice little bot..
-= ailaG =-
The IRC protocol allows you to send messages to Nick@server (means "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the Nickserv nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of hub configuration (C/N lines) and if ever it happens, IRC admins/opers will notice (that's not something you can't miss).
So either choose the macro (/identify) or the whole command. Or identify manually.
Pretty much why I quit IRC a number of years back. Not to be mistaken, IRC has many valuable functions and features -- beyond downloading warez and moviez -- but not for casual chat. If you know the specific channel to go to, you are most likely fine. But for the casual chatter, browse around open channels and you will invariably end up with mass invites, notices, spam, DOS, MSG/CTCP/DCC floods, and my favorite, the mIRC scripts sent via DCC.
I only used mIRC briefly in my IRC career. It had little to no built-in protection at the time and I went back to AmIRC (Amiga.) Using WildIRC and Kuang11, AmIRC could not be beat. Later scripts for mIRC became much more solid and advanced, and I am sure the program is much better today?
Brings back some memories, actually. Back around 1997 we used to use a simple ICMP ECHO (ping) packet with a payload of "+++ATH0". Anyone with a modem which did not follow the Hayes specification for the escape sequence (+++ followed by two seconds of "silence") would immediately hang up as the TCP/IP stack sent an ICMP ECHO RESPONSE with the same payload. Was great fun for two or three times.
This really should have been modded informative, people need to work on their sense of meta-humour. =\
Hi! I used to be freenode staff, and I figured I would comment on this.
You obviously have no idea how freenode's infrastructure is managed -- the infrastructure isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.
The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.
That is what the issue is, the o:lines are insecurely masked. Nothing more.
HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing? Quite simply, nobody except the people behind this know.
Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. In fact the GNAA is a bunch of nice guys in comparison to Bantown.
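The o:line masking issue described in the comment above, as an added example that is not part of the original thread or of freenode's code: a small audit that checks operator masks for a wildcard-only host part. It assumes IRC-style wildcards (`*` for any run of characters, `?` for one character); the function names, the tightened mask and the sample connections are constructed for illustration.

```python
import re

def mask_to_regex(mask):
    """IRC-style mask: '*' matches any run of characters, '?' exactly one."""
    out = []
    for ch in mask:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)

def mask_matches(mask, userhost):
    """True if a user@host string satisfies the mask in full."""
    return mask_to_regex(mask).fullmatch(userhost) is not None

def audit_mask(mask):
    """Findings for one user@host operator mask."""
    user, sep, host = mask.partition("@")
    if not sep:
        return ["not a user@host mask"]
    findings = []
    if host.strip("*?") == "":
        findings.append("host part is only wildcards: any source host matches")
    if user.strip("*?") == "":
        findings.append("user part is only wildcards: any username matches")
    return findings

def exposure(mask, connections):
    """Connections (user@host strings) that would satisfy the mask."""
    return [c for c in connections if mask_matches(mask, c)]

# Constructed sample data, not taken from any real configuration.
MASKS = ["?=levin@*", "?=levin@staff.example.net"]  # second: hypothetical tightened mask
CONNECTIONS = [
    "n=levin@192.0.2.15",
    "i=levin@staff.example.net",
    "n=levin@shell.example.org",
    "n=guest@staff.example.net",
]

if __name__ == "__main__":
    for m in MASKS:
        print(m, audit_mask(m), exposure(m, CONNECTIONS))
```

With the wildcard host, the password is the only thing separating any connection using that username from operator status, which is why sniffing it was sufficient.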