Security Incidents mailing list archives

RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored


From: Nelson Brito <nelson () wwsecurity net>
Date: Mon, 1 Jul 2002 16:53:38 -0400


Ok, I've tried to download this backdoored version of BitchX from its official Web site (a.k.a. www.bitchx.[com|org]), but it looks like a repaired or rescued version.

I've downloaded BitchX from the official Web site some days ago and I saw that the file is okay (the configure's MD5 is good, as well as ircii-pana-1.0c19's); it's a genuine BitchX.

Here are some statements:
pitbull:~# ls -l
total 2512
drwxrwxr-x   12 500      500          4096 Mar 25 18:46 BitchX
-rw-r--r--    1 root     root      2533621 Jun 21 17:02 ircii-pana-1.0c19.tar.gz
drwxr-xr-x    2 root     root         4096 Jun 24 16:14 MP3z
pitbull:~# md5sum BitchX/configure
0bd531d523606a0296da2763dafa51f2  BitchX/configure
pitbull:~# grep conftest.c BitchX/configure
pitbull:~# md5sum ircii-pana-1.0c19.tar.gz
79431ff0880e7317049045981fac8adc  ircii-pana-1.0c19.tar.gz
pitbull:~# ls -l /usr/bin/BitchX
lrwxrwxrwx    1 root     root           22 Jun 21 17:13 /usr/bin/BitchX -> /usr/bin/BitchX-1.0c19
pitbull:~#

It was downloaded on Jun-21-2002. So...

Reach your own conclusions.

That's all.
--
Nelson Brito

-----Original Message-----
From: Hank Leininger [mailto:hlein () metasecuritygroup com]
Sent: Monday, July 01, 2002 12:43 PM
To: vulnwatch () vulnwatch org; bugtraq () securityfocus com;
incidents () securityfocus com; bitchx () lists bitchx com
Cc: Mark Canter; Joe Segreti
Subject: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored


A few hours ago (1 AM US/Eastern time, July 1) we downloaded
ircii-pana-1.0c19.tar.gz from ftp.bitchx.com (216.165.191.5) and
reviewed the configure script before running it. It has essentially
the same configure backdoor as fragroute-1.2.tar.gz[1] -- a TCP
connection is made outbound, with a shell bound to it (a reverse
telnet).  This appears to retry/respawn once per hour.  The 1.0c19
tarball at ftp.irc.org (which mirrors bitchx.com) did not appear to be
trojaned when we pulled from there about an hour later.
[... cut ...]

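The check Nelson walks through above (compare the tarball's MD5 with the value reported for a clean copy, then grep the configure script before running it), as an added shell example that is not part of the original post or of BitchX. The "conftest.c" marker is the post's own heuristic and is taken as an assumption; the expected MD5 is whatever the caller supplies, so a match only proves agreement with the value you were given.

```shell
#!/bin/sh
# Added example, not from the original post or the BitchX project.
# check_tarball TARBALL EXPECTED_MD5 [MARKER]
# Exit status: 0 = MD5 matches and configure does not contain the marker
#              1 = MD5 mismatch (stop here; do not unpack or run anything)
#              2 = MD5 matches but configure contains the marker
#              3 = no configure script found in the tarball
# The marker defaults to "conftest.c", the string the post greps for
# (an assumption carried over from the post, not a general signature).
check_tarball() {
  tarball=$1
  expected=$2
  marker=${3:-conftest.c}

  actual=$(md5sum "$tarball" | awk '{print $1}')
  if [ "$actual" != "$expected" ]; then
    echo "MD5 mismatch for $tarball: got $actual, expected $expected" >&2
    return 1
  fi

  # Unpack into a scratch directory for inspection only; configure is
  # never executed from here.
  workdir=$(mktemp -d) || return 3
  tar -xzf "$tarball" -C "$workdir"
  configure=$(find "$workdir" -name configure -type f | head -n 1)
  if [ -z "$configure" ]; then
    rm -rf "$workdir"
    return 3
  fi

  # Fixed-string grep, as in the post; a clean script prints nothing.
  if grep -qF -- "$marker" "$configure"; then
    echo "configure in $tarball references '$marker'; review it by hand" >&2
    rm -rf "$workdir"
    return 2
  fi

  rm -rf "$workdir"
  return 0
}
```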


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
