Bugtraq mailing list archives
BitchX trojan, the real follow up.
From: Rob Andrews <randrews () relinetworks com>
Date: 15 Apr 2003 01:44:36 -0000
Since Micha didn't take the time to post this email after it was passed along to himself and others on one of EFnet's oper lists I submit the following to explain what really happened to the BitchX website and DNS over the weekend. I also would like to point out that in the future I may be contacted directly concerning any matters such as these as I am involved with nearly every person currently involved in the development and distribution of the source code. I should point out that since I maintain the FTP site, people should know that the FTP site does not reside on the same systems as the web and dns for bitchx.org. If in doubt at any time we have posted information on http://faq.bitchx.org which tells users how to verify source and what the legitimate IP addresses for the current FTP servers are. All current (except for CVS snapshot source code) source and binaries have been signed by me. This information is available on the FAQ website as well. ---- Message as forwarded to all parties involved ---- Over the weekend the DNS for bitchx.org was directly changed by someone who exploited a machine at 207.178.61.5 aka smtp1.wia.com and was releasing source for ircii-pana-1.0c19.tar.gz which included in the configure script this: sa.sin_addr.s_addr = inet_addr ("207.178.61.5"); Previously the DNS was poisoned to cause users to download from what would normally appear to be a legitimate FTP site. However in this case we believe after contacting one of the admins for the machines that hosts the DNS for BitchX.org that the actual machine itself may have been compromised since the physical URL pointer on the website was pointed to ftp2.bitchx.org which goes to the previously mentioned IP address. We have taken action to correct the website and the DNS is being handled. The machine at wia.com however is still compromised and has distributed a number of copies of the compromised source code. I have called the NOC at accretive-networks.net and notified them of the machine in question. As soon as I am able to I will post a notice to the proper mailing lists that have covered this issue and address them directly so as to prevent this sort of thing from happening in the future without our being notified any sooner than we were later Saturday evening. Thanks, Robert Andrews President RELI Networks, Inc. Atlanta, GA. randrews () relinetworks com -- Followup: X-Authentication-Warning: grmpa.com: www set sender to stevenb () wolfe net using -f Date: Mon, 14 Apr 2003 10:10:04 -0700 From: Steve Breeden <stevenb () wolfe net> To: "" <noc () accretive-networks net> Cc: "" <randrews () relinetworks com> Subject: Re: [ACCR-NETOPS #33425] over the weekend.... (fwd) User-Agent: Internet Messaging Program (IMP) 3.2.1 / FreeBSD-5.0 This machine (207.178.61.5) was taken offline Saturday evening and replaced. It is no longer compromised as stated below. Quoting Accretive Networks Abuse Department <noc () accretive-networks net>:
Mon Apr 14 09:55:29 2003: Request 33425 was acted upon. Transaction: Ticket created by abuse () accretive-networks net Queue: noc Subject: over the weekend.... (fwd) Owner: Nobody Requestors: abuse () accretive-networks net Status: new Ticket <URL: http://tracker.accretive-networks.net/Ticket/Display.html?id=33425 > ------------------------------------------------------------------------- In case you didn't see this. Accretive Networks Abuse Dept. http://www.accretive-networks.net/
-- Steve Breeden support () wolfe net Support Engineer Accretive Networks P.206.443.6401 ext 204 F.206.269.0188 For DNS requests: dns-admin () accretive-networks net For Hosting-support: hosting-support () accretive-networks net
Current thread:
- BitchX trojan, the real follow up. Rob Andrews (Apr 15)