
Thread: Linux Trojan Goes Unnoticed For A Year

  1. #1
    iLOVENZB, FST Crew, BT Rep: +1
    Join Date: Sep 2008
    Location: Land gurt by sea
    Posts: 8,333
    Linux Trojan Goes Unnoticed For A Year
    13 June, 2010

    This is very embarrassing...We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have a passworded server or hub that doesn't allow any users in). [...] It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.

    UnrealIRCd=IRC Server

    Source: Linux Trojan Goes Unnoticed For A Year (Unreal IRCd)

  2. #2
    darkstate01, Poster
    Join Date: Oct 2007
    Location: manc
    Posts: 438
    I would have thought they would have used an MD5 hash so you/they could check against the real/original one to make sure it was what the site was letting people d/l.
    Such a program should always have an MD5 hash to check against.
    Laziness, I guess.
    Unreal ircd was great many years ago when I started my IRC network.
    PAIN is just WEAKNESS leaving the body

  3. #3
    backie, Demigod, BT Rep: +1
    Join Date: Jan 2010
    Posts: 83
    I am pretty sure they did, it's just no one really does hash checks and it seems their mirrors didn't run hash checks on a regular basis.

    Anyways, I know of at least one tracker/torrent ircd vulnerable to the backdoor.

  4. #4
    darkstate01, Poster
    Join Date: Oct 2007
    Location: manc
    Posts: 438
    An ircd is the most important program in the network as everyone connects to it. I'm shocked that such an important program wouldn't have been checked initially by the admin who installed it to start with.
    Brought back some good memories of the good ole days of mIRC and IRC; I go back there now and again to see what's going on.

  5. #5
    backie, Demigod, BT Rep: +1
    Join Date: Jan 2010
    Posts: 83
    IRC is one of the least important services on a network. I am gonna be more worried about mysql/apache/php/my code than I am of unreal being backdoored. The reason most people don't check (I didn't when I installed the backdoored version) is simple: we trust the source. It's very rare for shit to get backdoored and not be noticed. Let's not forget that more than 3/4 of the people running unrealircd aren't actual admins or have any real server skills. Also the backdoor isn't that major; it allows people to execute any command, so the worst case is everyone gets glined off the network or something silly like that.

  6. #6
    darkstate01, Poster
    Join Date: Oct 2007
    Location: manc
    Posts: 438
    I meant if you are setting up purely an IRC network, not a website etc.
    I totally agree with what you say about securing php/mysql etc.; that's the first thing you would do. If you do have an ircd running you need to make sure it's totally secure and not stick it on a back burner as if it's a trivial program. If you do take that approach you will come unstuck very quickly with botnets overrunning your bandwidth.
    It was an early lesson I learnt in the early days of the net.
    Today it's still a wild jungle on there with filesharing of all kinds, but at the same time it's a great resource for channels of help for every subject known to man.
    This was the email Unreal has just sent to its members today.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi all,
    After receiving many questions of what we are doing with regards to the hack incident, here's my reply:
    First, we now PGP/GPG sign releases. Our GPG key is [email protected] (0x9FF03937).
    When downloading UnrealIRCd you will be given instructions on how to verify the integrity of the file.
    Second, we're now isolating/shielding the main site from the rest, and making parts unmodifiable, to prevent catastrophes in case of a break-in.
    Third, we added several methods of detection for when files and other data are modified.
    Fourth, we'll only serve the files from the main site for now. While the mirror admins did not have any blame in this, it does mean we only have to protect our own site(s).
    And finally we did some other things which I won't mention here. In short: we've really tightened security since the break-in to make sure this will never ever happen again. As you may understand, we really can't afford a repeat of this incident.
    On an unrelated side note, I find the claims in various media that this security incident indicates that Linux and Open Source cannot be trusted and that Microsoft and closed-software is better really silly. It lacks any foundation. A hacker, once in, could just as easily have inserted the backdoor in Windows software. In fact, it is *THANKS* to it being Open Source that this backdoor got noticed, though - I fully agree - much too late.
    - --
    Bram Matthys
    Software developer/IT consultant
    [email protected]
    PGP key: www.vulnscan.org/pubkey.asc
    PGP fp: BBBC E14E 3D9B 3655 7BE1 24A0 E3A8 A873 9DF4 E5AF
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (MingW32)

    iD8DBQFMFosK46ioc5305a8RAmDEAKDTuw29yKIBaX5d0ps8HZWh+SZ11ACgwEES
    3YAEvVlHmpWtxDSMHlbpvyI=
    =1guj
    -----END PGP SIGNATURE-----
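    The checks that post #2 (hash comparison) and the UnrealIRCd email above (signed releases) describe, as an added example that is not part of the thread or of UnrealIRCd's own tooling. It assumes coreutils md5sum/sha256sum and, for the signature path, gpg with the project's key already imported; the expected hash must come from somewhere other than the mirror that served the tarball, otherwise a compromised mirror can replace both.

```shell
#!/bin/sh
# Added example: verify a downloaded release tarball before installing it.
# Assumes md5sum/sha256sum (coreutils) and gpg are on PATH.

# verify_checksum FILE EXPECTED_HEX [ALGO]
# Returns 0 if FILE hashes to EXPECTED_HEX, 1 on mismatch, 2 on bad ALGO.
# EXPECTED_HEX should be taken from the project's main site or a signed
# announcement, not from the same mirror that served FILE.
verify_checksum() {
    file=$1
    expected=$2
    algo=${3:-sha256}
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Published hashes vary in case, so normalise both sides before comparing.
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "CHECKSUM MISMATCH for $file: expected $expected, got $actual" >&2
    return 1
}

# verify_signature FILE SIGFILE
# Checks a detached PGP signature (what the project moved to after the
# incident). gpg exits non-zero for a bad signature or an unknown key, so
# the signer's key must be imported and trusted beforehand.
verify_signature() {
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# Usage: sh verify.sh Unreal3.2.8.1.tar.gz <expected hash> [md5|sha256]
if [ "$#" -ge 2 ]; then
    verify_checksum "$1" "$2" "${3:-sha256}" && echo "checksum OK: $1"
fi
```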

  7. #7
    Ouch! That's gotta suck.
