BitchX 1.0c19 IRC Client Backdoored
JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"
Who's this? (Score:5, Informative)
Re:The name.... (Score:3, Informative)
Re:Who's this? (Score:4, Informative)
netname DATACOM
descr Datacom
descr Warszawa Bemowo
country PL
admin-c AW7760-RIPE
tech-c RW7118-RIPE
status ASSIGNED PA
mnt-by AS5617-MNT
changed tkielb@cst.tpsa.pl 20000915
source RIPE
(stupidly formatted because of lamefilter)
Re:Who's this? (Score:1, Informative)
Digitally sign your sources... (Score:5, Informative)
Many think that a simple md5sum alongside the sources is enough. IT IS NOT. Any attacker who replaces the sources can as easily replace the md5sum, which can be generated by anyone.
A digital signature (I suggest using gpg) can only be generated by YOU if you keep it in a secure place, and use it to sign the sources. The public side of this key should be widely distributed and preferably signed (that is, recognized) by third parties... the more trustworthy these third parties are, the better.
After the huge attack on the network where such sites as Apache were hosted, other Apache projects which did not sign their packages suddenly started signing them. They got scared. You should be too.
A lot of people instinctively trust their dns resolutions (oops) and also think that if they go to http://www.mozilla.org they will get their favorite browser for sure. They are also wrong. dns can be spoofed under certain conditions, so they could be going to crackersR.us instead, and downloading a neat trojaned source, for instance.
The more a project grows in fame, the more likely a target it becomes for these kinds of attacks, and so the more it needs a degree of responsibility that should not be necessary, but unfortunately is, since the danger is ubiquitous.
Be careful, be very careful.
Also avoid using user root period.
Re:Who's this? (Score:5, Informative)
Yes, someone has most likely compromised the box and is using it for the backdoor. However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised.
Re:GNU/Linux needs signed downloads (Score:3, Informative)
Re:XSS in Slashcode (Score:4, Informative)
Re:It's Odd (Score:3, Informative)
This raises a question that would be best posed to the community: the purpose of MD5/SHA/etc. is to provide unequivocal evidence as to the validity of a piece of data. More often than not, such files are kept in the same vulnerable location as the actual data. Clearly one can see the downfall of such a system.
(source [google.com])
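The two posts above make the same point from different angles: a checksum file that sits beside the tarball on the same host can be regenerated by whoever replaced the tarball, while a detached signature cannot be forged without the maintainer's private key. The following Go program is an added illustration, not code from any poster or from the BitchX project. It stands in Ed25519 (from Go's standard library) for the gpg signing the poster recommends; the "tarballs", the maintainer key and the intruder key are all constructed inside the program, and the intruder is modelled as someone who controls the download host, regenerates the checksum file, and signs with a key of their own because the maintainer's key was never on that host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download mirror serves: the tarball, a checksum
// file stored beside it, and a detached signature stored beside it.
type Release struct {
	Tarball   []byte
	Checksum  string // hex SHA-256 of Tarball, as in a CHECKSUMS file
	Signature []byte // detached signature over Tarball
}

// Publish is what the maintainer does with the private key, which stays
// off the download host.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	sum := sha256.Sum256(tarball)
	return Release{
		Tarball:   tarball,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, tarball),
	}
}

// VerifyChecksum is the weak check: it only proves the tarball matches the
// checksum file sitting next to it on the same (possibly compromised) host.
func VerifyChecksum(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// VerifySignature is the strong check: the maintainer's public key is
// obtained out of band (keyserver, web of trust) and pinned by the
// downloader, so whoever controls the mirror cannot satisfy it.
func VerifySignature(maintainerPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(maintainerPub, r.Tarball, r.Signature)
}

// Tamper models an intruder on the download host. They can swap the
// tarball and regenerate the checksum file, and they can even sign the
// new tarball with a key of their own, but not with the maintainer's key.
func Tamper(trojaned []byte) Release {
	_, intruderPriv, err := ed25519.GenerateKey(rand.Reader) // constructed intruder key
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(trojaned)
	return Release{
		Tarball:   trojaned,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(intruderPriv, trojaned),
	}
}

// Scenario runs both checks on a clean release and on a replaced one.
// Returns: checksumClean, signatureClean, checksumTampered, signatureTampered.
func Scenario() (bool, bool, bool, bool) {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample "tarballs"; real ones would be the archive bytes.
	clean := []byte("ircclient-1.0.tar.gz: clean release contents (constructed sample)")
	trojaned := []byte("ircclient-1.0.tar.gz: contents with an added backdoor (constructed sample)")

	good := Publish(maintainerPriv, clean)
	bad := Tamper(trojaned)

	return VerifyChecksum(good), VerifySignature(maintainerPub, good),
		VerifyChecksum(bad), VerifySignature(maintainerPub, bad)
}

func main() {
	c1, s1, c2, s2 := Scenario()
	fmt.Printf("clean release:    checksum ok=%v  signature ok=%v\n", c1, s1)
	fmt.Printf("replaced release: checksum ok=%v  signature ok=%v\n", c2, s2)
}
```

The replaced release passes the checksum check, which is exactly the failure mode the posts describe, and fails the signature check because the downloader verifies against the maintainer's pinned public key rather than against whatever the mirror serves. The same property is what gpg-signed tarballs and signed package repositories rely on; the only part that has to travel a trusted path is the public key.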
Re:The name.... (Score:3, Informative)
It's not really that much of an issue. It would be trivial to go into the BitchX source code, edit the PROGNAME definition, or whatever the equivalent is, and make yourself a nice new IRC client named whatever you want.
Yes it is. Unless they've made major changes to the code recently. I tried patching the code base about a year ago to make a censored version, but the program name is hardcoded in a million places. And once you do find and replace everything, you still have the problem of creating a new patch every time a new version is released.
-Brent
GNU/Linux HAS signed downloads (Score:3, Informative)
Dpkg also recently added GPG support, but you have to trust individuals rather than a specific company - no packager is going to lose their job if they're working in Albania on Debian trojaning packages.