[29778] in bugtraq
bitchx sources trojaned - follow up
daemon@ATHENA.MIT.EDU (=?iso-8859-2?Q?Micha=B3_Szwaczko?=)
Mon Apr 14 19:09:25 2003
Date: Mon, 14 Apr 2003 22:17:26 +0200
From: =?iso-8859-2?Q?Micha=B3_Szwaczko?= <mikey@wirelabs.lublin.pl>
To: bugtraq@securityfocus.com
Message-ID: <20030414221726.A1037@matrix>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
It seems that my posts have been misfired a little.
Let me summarize how,when and why I got trojaned sources
Since I am not a security guru whatsoever I couldn't know that this
issue is already known. Anyway, it did happen to me this Saturday
so there is a possibility that something weird is lingering at ftp.bitchx.org
or its DNS servers.
So,
I fired up www.bitchx.org Saturday 13.04.2003 about 22:00 local time.
I went to download.php and checked the URL for source tarball.
I wget'ted that URL - on saturday it showed:
ftp://ftp2.bitchx.org/pub/BitchX/source/ircii-pana-1.0c19.tar.gz
(I double-checked wget command line that I issued)
I archived the said file,it's MD5 checksum is:
sh> md5sum ircii-pana-1.0c19.tar.gz
927163e0466884b2771ae769e5c775d0 ircii-pana-1.0c19.tar.gz
I started ./configure script and noticed outbound connections to port 6667.
They were firewall-blocked anyway and that's why they really caught my eye.
Otherwise, I probably wouldn't have noticed them and perhaps would not have
bothered.
So,I inspected ./configure and found the piece of code I was sending to the list.
All I was asking for was to verify that this was a backdoor, since I really
didn't know about it and it looked like one (at least my C knowledge said so)
(well I heard about irssi 'patched' that way)
My impression after all your posts saying that the bitchx.org sources are OK
is that on Saturday two things could have happened.
- some sort of dns spoofing which fooled wget to fetch 'bad' tarball
(notice I was downloading from ftp_2_.bitchx.org)
- modified webpage showing 'wrong' URL
I am 100% sure that I was getting the URL from the official www.bitchx.org.
So what do you think?
ps. I am not doing all this just to get bugtraq'ed ;-) I just thought
there's something weird lurking around at www.bitchx.org. I am not a
security inspector/advisor nor do I have sufficient knowledge so I decided
to discuss it here.
Regards
--
Micha³ 'Mikey' Szwaczko
Developer/Troubleshooter
gcc is really a compressor - it gets 100M of kernel sources down to 700k.
