Results 1 to 3 of 3

Thread: BitchX backdoor?

  1. #1
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002

    Angry BitchX backdoor?

    Just a friendly heads up... this information arrived in my inbox tonight courtesy of Bugtraq. Is it just me, or is all this source trojaning getting really out of hand?
    Over the weekend the DNS for bitchx.org was directly changed by someone who
    exploited a machine at aka smtp1.wia.com and was releasing
    source for ircii-pana-1.0c19.tar.gz which included in the configure script

    sa.sin_addr.s_addr = inet_addr ("");

    Previously the DNS was poisoned to cause users to download from what would
    normally appear to be a legitimate FTP site. However in this case we
    believe after contacting one of the admins for the machines that hosts the
    DNS for BitchX.org that the actual machine itself may have been compromised
    since the physical URL pointer on the website was pointed to
    ftp2.bitchx.org which goes to the previously mentioned IP address.

    We have taken action to correct the website and the DNS is being handled.
    The machine at wia.com however is still compromised and has distributed a
    number of copies of the compromised source code.

    I have called the NOC at accretive-networks.net and notified them of the
    machine in question. As soon as I am able to I will post a notice to the
    proper mailing lists that have covered this issue and address them directly
    so as to prevent this sort of thing from happening in the future without
    our being notified any sooner than we were later Saturday evening.


    Robert Andrews
    RELI Networks, Inc.
    Atlanta, GA.
    Do what you want with the girl, but leave me alone!

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Redondo Beach, CA
    Isn't part of it the issue of security of the website/ftp site where things are downloaded? Checking the MD5 should help ensure that things are legit, assuming the attacker hasn't changed that as well. People are getting a little lazy about updating and checking. They do it after each attack and then forget to check again for new patches/updates.

    It's that one element that will always be hard to control: the human one.

    IMHO, all you can do is uninstall the problem software, run a check on your machine and be constantly vigilant.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    It just seems like before the OpenBSD/ssh trojan a year or so ago, I never really heard about any source code being trojaned like that. Now I see a message like this every couple of weeks in my Bugtraq mailbox. I don't know if it's always been going on and I just didn't hear about it, or if there has really been an explosion in it, but as I said, it just seems to be getting out of hand.

    I'm all for checking md5sums, but I'm not sure how that would protect me from some of the attacks that are happening now. If it was just a matter of a compromised FTP server, then I would agree. But if someone poisons the DNS so that if I ftp to ftp.bitchx.org and get resolved to a server in southeast Asia with trojaned source and MD5, how am I to know that I'm not on the real bitchx server? I also seem to recall a while back a trojaned package (can't remember the app, sorry) that was publicly released by the attacker as an updated version and was actually picked up by several legitimate distrubution channels before the backdoor was discovered.

    And sure, you can uninstall it once the problem is discovered or catch the next update, but if it has already opened backdoors all over your network, the damage is done. You've fixed the barn door after the horse is gone.
    Do what you want with the girl, but leave me alone!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts