paul1238 (Member; join:2000-11-03; Brookline, MA)

FYI - BitchX backdoor

In case anyone just downloaded bitchx.

There has been reports on various lists about an hour ago that ircii-pana-1.0c19.tar.gz on the bitchx.com ftp has been backdoored with a reverse telnet.

subcultured (Premium Member; join:2001-08-21; Jamaica Plain, MA)

interesting remark on the bitchx website:
quote:
*WARNING*
source and binaries not downloaded from an official distribution site such as this one may be backdoored. Use unsafe files at your own risk.
thanks for the heads-up, paul.
paul1238 (Member; join:2000-11-03; Brookline, MA)

said by subcultured:
interesting remark on the bitchx website:
quote:
*WARNING*
source and binaries not downloaded from an official distribution site such as this one may be backdoored. Use unsafe files at your own risk.
thanks for the heads-up, paul.

I should have been more clear. According to the email, the official ftp distribution has been compromised. The email just hit the archive. It can be found here.

»online.securityfocus.com ··· -07-04/0

Hall (MVM; join:2000-04-28; Germantown, OH) to paul1238

It gets better... From the Securityfocus report:

To add a little more to this; we've confirmed that if you come off of what appears to be a cablemodem/dsl IP you are likely to get a trojan'd copy. If you come off of a more static link, you are likely to get a clean copy...

...This indicates that someone has (at least) also tampered with the FTP server software itself; most likely the server has been rooted.


Looks like someone had a big plan for some sort of DDOS attack and was hoping to use home users with high-speed internet connections.

Techie2000 "In Vertigo" (Premium Member; join:2001-12-05) to paul1238

Hmm. Very strange. I wouldn't think they'd target the UNIX/Linux population, as in general they're a little more conscious about such things than windoze people. The idiot should have done it to mIRC and he would have gotten better results...

Hall (MVM; join:2000-04-28; Germantown, OH)

They *can't* do it to mIRC, for example, because it's closed-source !

Ahhh, being "open" does have its downfalls... A really smart person can find an exploit because he has access to the code. In some cases, he may be the only person who's discovered it (yet) and could take advantage of it. The changes made to BitchX though are rather trivial since it only involves the 'configure' script.

Brendan "Warr Guitar" (Member; join:2000-07-14; Portland, OR) to paul1238

Is EPIC or ircii vulnerable, too? (I use EPIC) BitchX is supposedly based on EPIC, I believe.

sporkme "drop the crantini and move it, sister" (MVM; join:2000-07-01; Morristown, NJ) to Hall

said by Hall:
They *can't* do it to mIRC, for example, because it's closed-source !

Not really. mIRC has been trojaned before. This isn't an exploit, this is a modification of the real program. Plenty easy to do with mIRC as well. Hack up the installer to install mIRC + your trojan/zombie.

This wasn't enabled by open source, it was enabled by sloppy security.

Hall (MVM; join:2000-04-28; Germantown, OH)

said by sporkme:
Not really. mIRC has been trojaned before. This isn't an exploit, this is a modification of the real program. Plenty easy to do with mIRC as well. Hack up the installer to install mIRC + your trojan/zombie.

Details ?? I'm not doubting you, but I want to see if the wrong thing isn't getting blamed. How did someone get access to the installer the mIRC uses ?? Did they "re-package" mIRC themselves and get people to download and install their version ?? If so, they didn't have to *touch* the mIRC program itself. I'm curious...

tahjah$ (Premium Member; join:2001-11-03) to sporkme

There are many repackaged programs out there. The actual program itself was not backdoored, but the installer was rewritten to plant and execute an extra file. Another reason to only download from the official site, or official mirrors.
paul1238 (Member; join:2000-11-03; Brookline, MA)


said by jadenjahner:
Another reason to only download from the official site, or official mirrors.

except for this case. It was the official site that was hacked. The official mirror was not yet updated so that site contained the unmodified source.
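
The practical check behind Hall's remark that the tampering was confined to the configure script, and paul1238's note that the official mirror still carried the unmodified source, is a member-by-member comparison of two copies of the tarball. The Python below is an added example written for this thread, not code from the thread, from the Securityfocus report, or from the BitchX project. The file list, the file contents and the `telnet host.invalid` line in the "suspect" configure are constructed placeholders for illustration; they are not the actual modification that was made to ircii-pana-1.0c19.tar.gz.

```python
import hashlib
import io
import re
import tarfile

# Constructed fixtures: a "clean" source tree standing in for the copy from an
# untouched mirror, and a "suspect" tree whose configure script differs.
# The extra line in the suspect configure is a placeholder for a script that
# phones home; it is NOT the real change made to the BitchX tarball.
CLEAN_FILES = {
    "ircii-pana-1.0c19/configure":
        "#!/bin/sh\n# Guess values for system-dependent variables.\nCC=${CC-cc}\nexit 0\n",
    "ircii-pana-1.0c19/Makefile.in": "all:\n\t$(CC) -o BitchX source/irc.c\n",
    "ircii-pana-1.0c19/source/irc.c": "int main(void) { return 0; }\n",
}
SUSPECT_FILES = dict(CLEAN_FILES)
SUSPECT_FILES["ircii-pana-1.0c19/configure"] = (
    "#!/bin/sh\n# Guess values for system-dependent variables.\n"
    "( telnet host.invalid 6667 ) >/dev/null 2>&1 &\n"  # constructed placeholder line
    "CC=${CC-cc}\nexit 0\n"
)

# Shell commands a configure script has no business running. A hit in a file
# that ALSO differs from the reference copy deserves a manual look; by itself
# this heuristic will false-positive on scripts that legitimately use wget/curl.
NETWORK_CMD = re.compile(r"\b(telnet|nc|ncat|netcat|socat|curl|wget|ftp|rsh|ssh)\b|/dev/tcp/")


def build_tarball(files):
    """Pack a {path: text} dict into an in-memory .tar.gz (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in sorted(files.items()):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_digests(blob):
    """Map every regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(reference, suspect):
    """Report members added, missing, or changed in `suspect` relative to `reference`."""
    ref, sus = tarball_digests(reference), tarball_digests(suspect)
    return {
        "added": sorted(set(sus) - set(ref)),
        "missing": sorted(set(ref) - set(sus)),
        "modified": sorted(name for name in ref.keys() & sus.keys() if ref[name] != sus[name]),
    }


def suspicious_lines(blob, name):
    """Return (line number, text) for lines of one member that invoke a network tool."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        text = tar.extractfile(name).read().decode(errors="replace")
    return [(n, line) for n, line in enumerate(text.splitlines(), 1) if NETWORK_CMD.search(line)]


if __name__ == "__main__":
    mirror_copy, ftp_copy = build_tarball(CLEAN_FILES), build_tarball(SUSPECT_FILES)
    report = compare_tarballs(mirror_copy, ftp_copy)
    print("differences:", report)
    for path in report["modified"] + report["added"]:
        for n, line in suspicious_lines(ftp_copy, path):
            print(f"{path}:{n}: {line}")
```

The comparison only means something if the reference copy comes from somewhere the attacker did not control: a mirror that had not yet synced, a distribution's package, or a download made before the compromise. A checksum published on the same rooted server proves nothing, since whoever replaced the tarball can replace the .md5 file next to it; a detached signature checked against a key obtained earlier is the stronger check where a project publishes one.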

tahjah$ (Premium Member; join:2001-11-03)


I meant for sporkme/hall. But you are right in BitchX's case. Boy, script kiddies sure have great lives.