RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored

From: Nelson Brito (nelsonat_private)
Date: Mon Jul 01 2002 - 13:53:38 PDT

Next message: Hank Leininger: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"

Previous message: Bill McCarty: "Re: OpenSSH Attack?"
Maybe in reply to: Hank Leininger: "ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Next in thread: Hank Leininger: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Reply: Hank Leininger: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, I've tried to download this backdoor version of BitchX from its official
WEB
Site (a.k.a. www.bitchx.[com|org], but it looks like a repaired or rescued
version.

I've downloaded BitchX from the official WEB Site some days ago and I saw
that
the file is okay (the configure's MD5 is good, as well ircii-pana-1.0c19),
it's
a genuine BitchX.

Here some statements:
pitbull:~# ls -l
total 2512
drwxrwxr-x   12 500      500          4096 Mar 25 18:46 BitchX
- -rw-r--r--    1 root     root      2533621 Jun 21 17:02
ircii-pana-1.0c19.tar.gz 
drwxr-xr-x    2 root     root         4096 Jun 24 16:14 MP3z
pitbull:~# md5sum BitchX/configure
0bd531d523606a0296da2763dafa51f2  BitchX/configure
pitbull:~# grep conftest.c BitchX/configure
pitbull:~# md5sum ircii-pana-1.0c19.tar.gz
79431ff0880e7317049045981fac8adc  ircii-pana-1.0c19.tar.gz
pitbull:~# ls -l /usr/bin/BitchX
lrwxrwxrwx    1 root     root           22 Jun 21 17:13 /usr/bin/BitchX ->
/usr/bin/BitchX-1.0c19
pitbull:~#

It was downloaded on Jun-21-2002. So...

Reach your own conclusions.

Sem mais.
- --
Nelson Brito

- -----Original Message-----
From: Hank Leininger [mailto:hleinat_private]
Sent: Monday, July 01, 2002 12:43 PM
To: vulnwatchat_private; bugtraqat_private;
incidentsat_private; bitchxat_private
Cc: Mark Canter; Joe Segreti
Subject: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored


A few hours ago (1 AM US/Eastern time, July 1) we downloaded 
ircii-pana-1.0c19.tar.gz from ftp.bitchx.com (216.165.191.5) and 
reviewed the configure script before running it. It has essentially 
the same configure backdoor as fragroute-1.2.tar.gz[1] -- a TCP 
connection is made outbound, with a shell bound to it (a reverse 
telnet).  This appears to retry/respawn once per hour.  The 1.0c19 
tarball at ftp.irc.org (which mirrors bitchx.com) did not appear to be 
trojaned when we pulled from there about an hour later. 
[... cuted ...]

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Public Key available under request!

iQA/AwUBPSDBUa47KL3WGrhzEQJHgQCg5OKaOykZPOa5HEvQCa+bgN6dmAQAn36p
L0SClDSEF6fUSZ4NppquYXHd
=9x7G
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Hank Leininger: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Previous message: Bill McCarty: "Re: OpenSSH Attack?"
Maybe in reply to: Hank Leininger: "ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Next in thread: Hank Leininger: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Reply: Hank Leininger: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 09:09:37 PDT