RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored

From: Hank Leininger (hleinat_private)
Date: Mon Jul 01 2002 - 19:54:45 PDT

  • Next message: Mike Lewinski: "Re: OpenSSH Attack?"

    On Mon, 1 Jul 2002, Nelson Brito wrote:
    
    > Ok, I've tried to download this backdoor version of BitchX from its
    > official WEB Site (a.k.a. www.bitchx.[com|org], but it looks like a
    > repaired or rescued version.
    
    This doesn't surprise me--see the description in our earlier mail about
    the odd behavior of the FTP server, how depending on your ISP / client /
    phase of the moon, you'd get the safe or the tainted version.  We had a
    few people (Chris Wysopal of @Stake/Vulnwatch, Dave Ahmad of
    Securityfocus) verify that they could pull backdoored copies this
    morning, before releasing the advisory.
    
    > I've downloaded BitchX from the official WEB Site some days ago and I
    > saw that the file is okay (the configure's MD5 is good, as well
    > ircii-pana-1.0c19), it's a genuine BitchX.
    
    That's good, perhaps the trojan'ed copy was not there for long.  Or,
    perhaps when you pulled it earlier you just happened to get a safe copy
    :(
    
    In the meantime, it looks like the service and/or box have been
    temporarily taken offline: DNS A records for (www|ftp).bitchx.(org|com)
    seem to have been pulled, and the IP formerly hosting those sites is no
    longer listening for FTP or HTTP.  I'd expect the BitchX folks are busy
    right now but will issue some statement once they've got things settled
    down.
    
    Thanks,
    
    Hank Leininger <hleinat_private>
    0C08 435C 26A9 951E 6DAD  8199 C7A7 4005 1954 F635
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 09:22:15 PDT