[ISN] Download Sites Hacked, Source Code Backdoored

From: InfoSec News (isnat_private)
Date: Tue Jun 04 2002 - 01:37:10 PDT


    http://online.securityfocus.com/news/462
    
    By Brian McWilliams 
    Jun 3 2002 4:37PM
    
    When source code to a relatively obscure, Unix-based Internet relay
    chat (IRC) client was reported to be "backdoored" last month, security
    professionals collectively yawned.
    
    But last week, when three popular network security programs were
    reported to be similarly compromised, security experts sat up and took
    notice.
    
    Now, it appears that the two hacking incidents may have been related.
    
    According to program developer Dug Song, the source code to the
    Dsniff, Fragroute, and Fragrouter security tools was contaminated on
    May 17th after an attacker gained unauthorized access to his site,
    Monkey.org.
    
    In an interview today, Song said affected users are being contacted,
    but he declined to provide details of the site compromise, citing an
    ongoing investigation.
    
    When installed on a Unix-based machine, the modified programs open a
    backdoor accessible to a remote server hosted by RCN Corporation,
    according to an excerpt of the contaminated Fragroute program posted
    Friday to Bugtraq by Anders Nordby of the Norwegian Unix User Group.
    
    In another posting to the Bugtraq mailing list last Friday, Song
    reported that nearly 2,000 copies of the booby-trapped security
    programs were downloaded by unsuspecting Internet users before the
    malicious code was discovered May 24th. Only 800 of the downloads were
    from Unix-based machines, according to Song.
    
    Song's subsequent Bugtraq message said that intruders planted the
    contaminated code at Monkey.org after successfully penetrating a
    machine operated by one of the site's administrators. The attackers
    exploited "client-side hole that produced a shell to one of the local
    admin's accounts," wrote Song in his message.
    
    The exploit code planted at Monkey.org was nearly identical to a
    backdoor program that was recently slipped by attackers into the
    source code of the Irssi IRC chat client for Unix.
    
    According to a notice posted May 25th at Irssi.org, someone "cracked"
    the distribution site for the IRC program in mid-March and altered a
    configuration script to include the back door.
    
    New Precautions Implemented
    
    Installing the compromised Irssi program provided a remote server
    hosted by FastQ Communications with full shell access to the target
    machine, said the notice. Irssi's developer, Timo Sirainen, was not
    immediately available for comment.
    
    Today, the Web server at the Internet protocol address listed in the
    backdoored Irssi code returned the message: "All your base are belong
    to us."
    
    Meanwhile, Unknown.nu, the collocated server listed in the backdoored
    Monkey.org code, today displayed the home of the Niuean Pop Cultural
    Archive.
    
    When contacted by SecurityFocus Online, the site's administrator, Kim
    Scarborough, said he was unaware that the machine had been used by the
    Monkey.org remote exploit.
    
    Scarborough reported that he completely reinstalled the server's
    system software, including the FreeBSD operating system, on May 30th
    after discovering evidence that someone had hacked into it.
    
    According to Scarborough, he had installed the Irssi chat client on
    the machine around May 17th at the request of a user.
    
    The two security incidents have forced authors of the affected
    programs to implement new measures to ensure the authenticity of their
    downloadable code.
    
    According to a page at Irssi describing the backdoor, new releases
    will be signed with the GPG encryption tool, and the author will
    periodically review the programs for changes.
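    The "periodic review for changes" precaution amounts to keeping a trusted hash manifest of the distributed source tree and diffing the current tree against it. The script below is an added example written for this page, not Irssi's or Monkey.org's own tooling; the tree, file names and the appended line are constructed so that it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(trusted, current):
    """Return (added, removed, modified) file lists relative to the trusted manifest."""
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    modified = sorted(p for p in trusted if p in current and trusted[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: record a clean release, then alter its configure script."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tool-1.0"          # constructed release directory
        tree.mkdir()
        (tree / "configure").write_text("#!/bin/sh\n./real-configure \"$@\"\n")
        (tree / "main.c").write_text("int main(void) { return 0; }\n")
        trusted = build_manifest(tree)         # manifest taken when the tree is known-good

        # Simulated tampering: one extra line in the configure script and a
        # planted file. The content is a harmless placeholder, not a real payload.
        with open(tree / "configure", "a") as fh:
            fh.write("# modified after release\n")
        (tree / "extra.c").write_text("/* planted */\n")

        return diff_manifests(trusted, build_manifest(tree))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

    The same diff run on a nightly schedule, with the trusted manifest stored off the download host, flags a changed configuration script even when the tarball still carries the original version number.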
    
    Song said that Monkey.org has implemented technology to restrict user
    sessions, and that he is considering adding digital signatures to
    software distributed at the site.
    
    
    
    ISN is currently hosted by Attrition.org
    