Security

BitchX 1.0c19 IRC Client Backdoored 338

JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"
This discussion has been archived. No new comments can be posted.

  • The name.... (Score:3, Interesting)

    by wowbagger ( 69688 ) on Tuesday July 02, 2002 @09:46AM (#3806947) Homepage Journal
    Am I the only one who felt a qualm about using this package because of the name?

    BitchX - "I 0NZ0R J00, B1TCH!"

  • Most interesting... (Score:5, Interesting)

    by phreak404 ( 241139 ) on Tuesday July 02, 2002 @09:47AM (#3806961)
    Is that when the vulnerability was first submitted they also submitted some interesting finds about the ftp server on BitchX.com serving trojaned and clean versions, depending on the originating IP, demonstrating that the server had been 0wned (more than likely).

    Sad that the developers didn't notice sooner, and it makes you wonder how many boxes have now additionally been 0wned because of this.
  • It's Odd (Score:3, Interesting)

    by Copperhead ( 187748 ) on Tuesday July 02, 2002 @09:48AM (#3806969) Homepage
    According to the bugtraq post, when you downloaded the file, sometimes you received the backdoored version, and other times you didn't.

    From the post, "There is something very strange going on with the FTP server on ftp.bitchx.org. In some cases, it serves up the trojaned version; in others, the original, safe version. It seems to be client / client-behavior based (we're not sure exactly what)."

    The post continues, "To add a little more to this; we've confirmed that if you come off of what appears to be a cablemodem/dsl IP you are likely to get a trojan'd copy. If you come off of a more static link, you are likely to get a clean copy."

    Very strange.

  • Re:XSS in Slashcode (Score:4, Interesting)

    by Jester998 ( 156179 ) on Tuesday July 02, 2002 @09:52AM (#3807000) Homepage
    Hey... nice "copy and paste" from the BugTraq posting...
    ----- BEGIN BugTraq POST -----

    Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
    Precedence: bulk
    List-Id: <bugtraq.list-id.securityfocus.com>
    List-Post: <mailto:bugtraq@securityfocus.com>
    List-Help: <mailto:bugtraq-help@securityfocus.com>
    List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
    List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
    Delivered-To: mailing list bugtraq@securityfocus.com
    Delivered-To: moderator for bugtraq@securityfocus.com
    Received: (qmail 31935 invoked from network); 2 Jul 2002 08:55:04 -0000
    Message-ID: <20020702085626.305.qmail@web21002.mail.yahoo.com>
    Date: Tue, 2 Jul 2002 01:56:26 -0700 (PDT)
    From: gcsb <gcsbnz@yahoo.com>
    Subject: XSS in Slashcode
    To: bugtraq@securityfocus.com
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    X-UIDL: "[K!!WR\"!nkN"!NSF"!

    There is a nasty Cross Site Scripting (XSS) vuln in
    Slashcode. This was used a day or so ago on
    slashdot.org and resulted in most of the site being
    taken down for an hour or so. The maintainers of
    slashcode have patched the problem in CVS but have not
    even mentioned it anywhere that I can find. This
    leaves all sites using slash vulnerable to this
    exploit.

    An example exploit (incomplete) is as follows:

    <p &gt; onMouseOver..insert javascript here...>

    I am disappointed that the slashcode maintainers have
    silently fixed this on slashdot.org yet made no
    mention of the problem elsewhere so that other sites
    can patch themselves. No wonder there are so many
    "trolls" on slashdot.org...ah well.

    If you run a site using slashcode, get the latest CVS.

    That is all. Move along.

    __________________________________________________
    Do You Yahoo!?
    Sign up for SBC Yahoo! Dial - First Month Free
    http://sbc.yahoo.com

    ----- END BugTraq POSTING -----

    You didn't even reformat the exploit code so that it showed up properly... sheesh.

    - Jester
  • Backdoor. (Score:4, Interesting)

    by ldopa1 ( 465624 ) on Tuesday July 02, 2002 @09:53AM (#3807007) Homepage Journal
    Is this truly surprising? With the proliferation of "secret" functionality in everything from DVDs [dvdeastereggs.com] to Palm applications [palmlife.com], it seems that a lot of developers take great delight in doing something "on the sly" that will get them noticed.

    While the vast majority of these "easter eggs" are completely harmless, it's only logical to assume that they present an opportunity for malicious activities. I mean, who among us doesn't have SOME "H4X0R" history? Doesn't it follow that some of that will come out when the opportunity to put in a "gift" presents itself?

    Also, this seems to me to be one of the down sides of the Open Source fight. Most of the accomplished hackers that I know are strong advocates of Open Source. It leads me to believe that most of the proponents of Open Source are or were at some time at least a script kiddie with delusions of grandeur.

    Nobody I know has the time to actually check every line of code in a 200 Meg build for one or two lines of backdoor code, especially when the application is DESIGNED to make and break connections.

  • Re:Backdoor. (Score:2, Interesting)

    by numatrix ( 242325 ) on Tuesday July 02, 2002 @10:02AM (#3807056)
    This was not the developers doing something sly. There has been a recent rash of compromised servers hosting different pieces of software, and then backdoors being configured in a similar manner in the ./configure script as described in this post. Similarly hit was monkey.org [monkey.org] where some of Dug Song's security tools were compromised. Google cache of Dug's post [216.239.37.100].

    There was another relatively famous piece of software compromised the same way recently as well. Somebody is going through some great lengths to put backdoors in the source of some good OSS. Makes you wonder how much is being missed.
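The comments above report that the same download differed from one fetch to the next and that the change sat in the `./configure` script. The following is an added example, not code from the thread or the BugTraq post: it compares several fetched copies of one tarball member by member and names the files that differ. The archive contents and labels are constructed, and a difference only shows that the copies disagree, not which one is authentic.

```python
import hashlib
import io
import tarfile

def make_tarball(files):
    """Build an in-memory .tar.gz from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(blob):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_copies(copies):
    """copies: {label: archive bytes}.
    Returns (whole-archive digests, sorted names of members that differ)."""
    archive = {label: hashlib.sha256(b).hexdigest() for label, b in copies.items()}
    per_copy = {label: member_digests(b) for label, b in copies.items()}
    names = set().union(*per_copy.values())
    # A member missing from one copy shows up as None and counts as a difference.
    differing = sorted(
        n for n in names if len({d.get(n) for d in per_copy.values()}) > 1
    )
    return archive, differing

# Constructed sample: two copies of one release that differ only in configure.
clean = {
    "pkg/configure": b"#!/bin/sh\necho checking for gcc\n",
    "pkg/main.c": b"int main(void) { return 0; }\n",
}
altered = dict(clean)
altered["pkg/configure"] += b"# constructed stand-in for an added line\n"

if __name__ == "__main__":
    copies = {"fetch-1": make_tarball(altered), "fetch-2": make_tarball(clean)}
    archive, differing = compare_copies(copies)
    for label, digest in archive.items():
        print(label, digest)
    print("members that differ:", differing)
```

Whole-archive digests of gzip files can differ for harmless reasons such as the timestamp in the gzip header, which is why the comparison is done per member.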
  • HA HA HA HA HA (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 02, 2002 @10:23AM (#3807164)
    . . .What separates Irssi from ircII, BitchX, epic and the rest text clients? The code. I'm not using the crappy ugly kludgy code of ircII. Non-developers don't probably care that much about it, but that means a few good things anyway:

    Security - I'm quite confident that there's no security bugs in Irssi. No buffer overflows, no format bugs (%s%s%s), no remote exploits, nothing.

    Modularity - Irssi is highly extensible, you could change almost anything in Irssi with a runtime loadable module. And you can probably change anything you actually need to change with a Perl script.

  • Open source only? (Score:2, Interesting)

    by EvilFrog ( 559066 ) on Tuesday July 02, 2002 @10:36AM (#3807231)
    The naming thing isn't necessarily an open source issue, more of a "started by one guy working out of his house who's got a messed up sense of humor and is giving the software away for free so he doesn't have to worry about sales" issue. The same thing comes up whether it's open or closed.

    The popular DOS/Windows emulator "Nesticle" comes to mind.
  • Re:The name.... (Score:3, Interesting)

    by realdpk ( 116490 ) on Tuesday July 02, 2002 @02:20PM (#3808975) Homepage Journal
    perl -pi -e 's/bitchx/FamilyFunX/gi' `find . -type f -print`

    I'd think any average user could cut and paste that. :) Of course, changing BitchX to FamilyFunX won't change the fact that IRC is not meant for children, and that you should not let children on IRC AT ALL* if you're concerned about them seeing the word "Bitch". They'll see much worse.

    * Of course, you shouldn't let them on IRC or any other chat without supervision, but y'all knew that.
  • Re:The name.... (Score:2, Interesting)

    by frozenray ( 308282 ) on Tuesday July 02, 2002 @04:18PM (#3810026)
    >Unfortunately, at least in this part of the world, mingetty really is rather rude if you parse it right (ie wrong). And it is rather widespread in Linux distros.

    It's difficult to find a name that doesn't have negative connotations in some language spoken around the world, as many product managers have unwittingly discovered [snopes2.com]. Big businesses employ branding agencies to help them find good brand and product names; Open Source advocates can't afford the exorbitant fees they demand (and then they come up with names like "Opteron", gack).

    Regarding "mingetty": in Swiss German (at least in the dialects spoken in the eastern parts of Switzerland) it's understood as "My godfather" if pronounced the right way. :-)
