Slashdot Mirror


Backdoor Found In UnrealIRCd Source Archive

l_bratch writes "A malicious backdoor was added to the UnrealIRCd source archive some time around November 2009. It was not noticed for several months, so many IRC servers are likely to be compromised. A Metasploit exploit already exists."


  1. It's nice that they're honest. by allaunjsilverfox2 · · Score: 5, Insightful

    This is the kind of behavior that I like to see when someone screws up. Don't be secretive. Don't try to deny it happened. Fess up and make sure people know. *applauds*

    --
    Restore the madness of youth's lechery
    1. Re:It's nice that they're honest. by Abcd1234 · · Score: 3, Insightful

      Well, unless you're Google, in which case you're raked over the coals and accused of being at the right hand of the devil himself...

    2. Re:It's nice that they're honest. by davester666 · · Score: 5, Funny

      It could be worse... You could be the guy at Microsoft that was ordered to write this exploit and then insert it into the codebase without getting caught.

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:It's nice that they're honest. by Lobachevsky · · Score: 4, Informative

      Closed source software has similar problems with disgruntled employees. Only difference is that the company when finding the backdoor quietly fixes it and gags anyone from going to the media about it.

    4. Re:It's nice that they're honest. by Runaway1956 · · Score: 4, Insightful

      Embarrassing, in that, "Yes we screwed up, and we shouldn't have." or embarrassing as in, "Oh shit, open source really isn't any better than security through obfuscation!"?

      If you mean the first, I'm with you. We all screw up - and sometimes we need a reminder that we can't duck, or blame it on someone else, to keep us on our toes.

      If you mean the second, well, I call bullshit. Several people have already pointed out that closed source shops are frequently the victims of malware. You can find a half dozen gadgets or softwares that have been SHIPPED FROM THE FACTORY with malware of some kind, just in the last year.

      Personally, I really prefer the situation at Unreal. It's open source. Everyone who gives a small damn had the opportunity to check it out. Anyone could have run any number of monitoring tools on the software, and caught it doing its thing. When it was found, the administrators made an announcement. I like honesty and open communications.

      It's a helluva lot better than, for example, a closed source shop pushing an update to your telephone which opens your communications up to government monitoring. The only way THAT was discovered was the relatively dramatic decrease in battery life immediately after the update was pushed.

      To each his own though. Those who put their faith in corporate masters are welcome to buy only proprietary stuff. I'll go with open source whenever possible!!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:It's nice that they're honest. by jibjibjib · · Score: 3, Insightful

      Maybe (in fact, almost certainly) Google wanted to capture every packet, measure its signal strength and collect statistics to get more detailed maps of wireless networks than what a simple "3 lines" script would provide. Why would you discount that as not being "credible", but instead accept the even more incredible possibility that (despite until now being a legitimate business) they're involved in some sort of international conspiracy to illegally use random people's private wi-fi data?

      A common way of mapping wireless networks is using software like Kismet, which is in fact what Google used, and which in its default configuration saves all packets received. If you claim it must be true that "some evil is involved" because they used standard widely used software rather than your 3-line script, you don't know what you're talking about.

    6. Re:It's nice that they're honest. by keeboo · · Score: 4, Insightful

      3) was not included in the Debian repos, despite there being a willing maintainer, because of poor code quality - see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515130

      The lack or presence of a software in Debian does not mean anything about its quality.
      Unfortunately there are people, among the Debian devel, who are more political assholes than proper developers.

      An example of utter garbage present in Debian is pdns (the software itself collapses after running for a few hours, even minutes, depending on your load). Yet, each new Debian release contains a new version of that software. -- And that's not the only case.

    7. Re:It's nice that they're honest. by Zigurd · · Score: 4, Informative

      The parent post here found the key fact: If you check the article, in fact it confirms the back door was NOT in the source code. Someone replaced some mirrors, and due to lack of a signature, got away with it for a long time.

      This event does not repudiate the protections of having source code available to inspect, and having project governance that reviews code. It does suggest people should be careful about which mirrors they use and how signatures are checked.

  2. Re:Remember, kids! by Stupendoussteve · · Score: 5, Informative

    Actually, the hash was not modified from when they posted the true source. Anybody who would have checked it would have recognized that something was wrong.
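
    The check this comment describes, as an added example that is not part of the original thread or of the UnrealIRCd project: hash a downloaded archive and compare it against the digest published on the primary site (in the `<hex digest>  <filename>` manifest format that sha256sum emits). The archive names, contents and manifest below are constructed for the demonstration.

    ```python
    import hashlib
    import hmac
    import os
    import tempfile

    def parse_manifest(text):
        """Return {filename: hex_digest} from manifest text (sha256sum format)."""
        entries = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition("  ")
            entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
        return entries

    def sha256_file(path, chunk=1 << 20):
        """Hash a file in chunks so large tarballs need not fit in memory."""
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                h.update(block)
        return h.hexdigest()

    def verify_download(path, manifest_text):
        """True iff the file's SHA-256 matches the published digest for its name."""
        expected = parse_manifest(manifest_text).get(os.path.basename(path))
        if expected is None:
            return False  # no published digest: unverified, never treated as OK
        return hmac.compare_digest(sha256_file(path), expected)

    def demo():
        """Constructed data: a genuine archive and a mirror copy with extra bytes.
        Returns (genuine_ok, mirror_copy_ok)."""
        name = "example-ircd.tar.gz"  # placeholder filename, not a real release
        genuine = b"constructed archive contents\n"
        tampered = genuine + b"bytes added on the mirror\n"
        manifest = "# constructed manifest from the primary site\n"
        manifest += hashlib.sha256(genuine).hexdigest() + "  " + name + "\n"
        with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
            good, bad = os.path.join(a, name), os.path.join(b, name)
            open(good, "wb").write(genuine)
            open(bad, "wb").write(tampered)
            return verify_download(good, manifest), verify_download(bad, manifest)

    if __name__ == "__main__":
        print(demo())
    ```

    The comparison only helps if the expected digest comes from a source the attacker does not control (the primary site or a signed release note), never from the same mirror as the archive.
    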

  3. Re:Open source by Stupendoussteve · · Score: 3, Insightful

    How is it a weakness? It's a weakness of the admin, but being open source didn't somehow make it easier to get malicious code into the source. People could just as easily hijack a binary file (and there's a good chance it would go unnoticed for a longer time).

  4. Re:Open source by tsj5j · · Score: 5, Informative

    Read the original linked source. The source repositories were not compromised; rather, the mirror servers were. The mirror servers had the tarballs replaced with malicious code.

  5. Re:The remediation advice is wrong by poppycock · · Score: 4, Insightful

    Yes, of course. Because it's not even conceivable that the intruder has any local exploits.

  6. Well yes... by Anonymous Coward · · Score: 5, Insightful

    First, as others have said, the Unreal guys handled this intelligently and properly, so bravo for that.

    Secondly, no offense to them, but the Unreal guys wouldn't have had this issue if they regularly verified mirrors. The Unreal guys have been less active in the past few years though, and their software is primarily used by many smaller networks, often with less experience as the IRCd is a bit slow and the codebase is long in the teeth (they're looking to replace this). Something like this was really bound to happen for their team. That said, still good work.

    Thirdly, this is why IRC is never run on its official low numbered port, but on 6667 - there is NO REASON to run IRCd as root - I don't care how safe you think the code is - it's too huge of a target.

    So hopefully, anyone sane shouldn't have had more than a sandbox compromised, the patch the Unreal guys released will fix this, and we can all get on with stuff.

    Just a few thoughts, oh, and IAAI and IAAIP (I am an IRCop and I am an IRCd Programmer).

    1. Re:Well yes... by caluml · · Score: 3, Insightful

      I am looking at it the other way around. There are not really any reasons now to require root access in order to listen on ports below 1024.

      Amen. I'm glad I'm not the only one. In this day and age, where anyone can run a Unix box, the whole "root under 1024" thing is redundant. http://calum.org/posts/root-to-bind-to-ports-under-1024.

      Make it a damn kernel config option at the very least, and let me decide.

  7. Re:The remediation advice is wrong by mysidia · · Score: 5, Funny

    May I remind you that the Windows binaries are unaffected?
