RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored

From: Nelson Brito (nelsonat_private)
Date: Mon Jul 01 2002 - 13:53:38 PDT

    
    Ok, I've tried to download this backdoored version of BitchX from its official
    web site (a.k.a. www.bitchx.[com|org]), but it looks like a repaired or rescued
    version.
    
    I downloaded BitchX from the official web site some days ago and I saw that
    the file is okay (the configure's MD5 is good, as well as ircii-pana-1.0c19's);
    it's a genuine BitchX.
    
    Here are some statements:
    pitbull:~# ls -l
    total 2512
    drwxrwxr-x   12 500      500          4096 Mar 25 18:46 BitchX
    -rw-r--r--    1 root     root      2533621 Jun 21 17:02 ircii-pana-1.0c19.tar.gz
    drwxr-xr-x    2 root     root         4096 Jun 24 16:14 MP3z
    pitbull:~# md5sum BitchX/configure
    0bd531d523606a0296da2763dafa51f2  BitchX/configure
    pitbull:~# grep conftest.c BitchX/configure
    pitbull:~# md5sum ircii-pana-1.0c19.tar.gz
    79431ff0880e7317049045981fac8adc  ircii-pana-1.0c19.tar.gz
    pitbull:~# ls -l /usr/bin/BitchX
    lrwxrwxrwx    1 root     root           22 Jun 21 17:13 /usr/bin/BitchX -> /usr/bin/BitchX-1.0c19
    pitbull:~#
    
    It was downloaded on Jun-21-2002. So...
    
    Reach your own conclusions.
    
    Nothing more.
    --
    Nelson Brito
    
    -----Original Message-----
    From: Hank Leininger [mailto:hleinat_private]
    Sent: Monday, July 01, 2002 12:43 PM
    To: vulnwatchat_private; bugtraqat_private;
    incidentsat_private; bitchxat_private
    Cc: Mark Canter; Joe Segreti
    Subject: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored
    
    
    A few hours ago (1 AM US/Eastern time, July 1) we downloaded 
    ircii-pana-1.0c19.tar.gz from ftp.bitchx.com (216.165.191.5) and 
    reviewed the configure script before running it. It has essentially 
    the same configure backdoor as fragroute-1.2.tar.gz[1] -- a TCP 
    connection is made outbound, with a shell bound to it (a reverse 
    telnet).  This appears to retry/respawn once per hour.  The 1.0c19 
    tarball at ftp.irc.org (which mirrors bitchx.com) did not appear to be 
    trojaned when we pulled from there about an hour later. 
    [... cut ...]
    
    
    
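As an added example that is not part of either post, the two checks Nelson ran by hand (md5sum of the tarball and `grep conftest.c` on the configure script inside it) written as a small Python routine; the known-good MD5 values are the ones quoted in his post, the `conftest.c` indicator is the string he grepped for, and the two sample tarballs are constructed inline, so nothing is downloaded.

```python
import hashlib
import io
import tarfile
from typing import Optional

# MD5 values Nelson Brito reported for his clean 2002-06-21 download (from the post).
KNOWN_GOOD_MD5 = {
    "ircii-pana-1.0c19.tar.gz": "79431ff0880e7317049045981fac8adc",
    "BitchX/configure": "0bd531d523606a0296da2763dafa51f2",
}
# Indicator from the post: a genuine 1.0c19 configure has no literal "conftest.c" in it
# (autoconf-generated scripts refer to conftest.$ac_ext instead).
INDICATOR = b"conftest.c"


def md5_hex(data: bytes) -> str:
    # MD5 only identifies a known file here; it is not collision-resistant, so a
    # maintainer's signature is the authoritative integrity check.
    return hashlib.md5(data).hexdigest()


def check_tarball(tar_bytes: bytes, expected_md5: Optional[str]) -> dict:
    """Compare the tarball MD5 and scan every member named 'configure' for the indicator."""
    result = {"tarball_md5": md5_hex(tar_bytes), "md5_ok": None,
              "configure_md5": None, "configure_hits": []}
    if expected_md5 is not None:
        result["md5_ok"] = result["tarball_md5"] == expected_md5.lower()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "configure":
                data = tf.extractfile(member).read()
                result["configure_md5"] = md5_hex(data)
                # Line numbers where the indicator appears; an empty list matches
                # Nelson's silent grep.
                result["configure_hits"] = [n for n, line in
                                            enumerate(data.splitlines(), 1)
                                            if INDICATOR in line]
    return result


def build_sample_tarball(configure_text: bytes) -> bytes:
    """Constructed sample: a minimal tar.gz holding only BitchX/configure."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("BitchX/configure")
        info.size, info.mode = len(configure_text), 0o755
        tf.addfile(info, io.BytesIO(configure_text))
    return buf.getvalue()


# Constructed configure scripts: one autoconf-style, one carrying the indicator line.
CLEAN = b"#!/bin/sh\ncat > conftest.$ac_ext <<EOF\nint main(){return 0;}\nEOF\n"
SUSPECT = b"#!/bin/sh\ncat > conftest.c <<EOF\n/* constructed sample, no payload */\nEOF\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, check_tarball(build_sample_tarball(text), expected_md5=None))
```

A real download would be checked with `expected_md5=KNOWN_GOOD_MD5["ircii-pana-1.0c19.tar.gz"]`; a mismatch or any non-empty `configure_hits` means the archive is not the file Nelson verified.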
    



    This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 09:09:37 PDT