BitchX backdoor?

[problemchild]

Just a friendly heads up... this information arrived in my inbox tonight courtesy of Bugtraq. Is it just me, or is all this source trojaning getting really out of hand?

Over the weekend the DNS for bitchx.org was directly changed by someone who
exploited a machine at 207.178.61.5 aka smtp1.wia.com and was releasing
source for ircii-pana-1.0c19.tar.gz which included in the configure script
this:

sa.sin_addr.s_addr = inet_addr ("207.178.61.5");

Previously the DNS was poisoned to cause users to download from what would
normally appear to be a legitimate FTP site. However in this case we
believe after contacting one of the admins for the machines that hosts the
DNS for BitchX.org that the actual machine itself may have been compromised
since the physical URL pointer on the website was pointed to
ftp2.bitchx.org which goes to the previously mentioned IP address.

We have taken action to correct the website and the DNS is being handled.
The machine at wia.com however is still compromised and has distributed a
number of copies of the compromised source code.

I have called the NOC at accretive-networks.net and notified them of the
machine in question. As soon as I am able to I will post a notice to the
proper mailing lists that have covered this issue and address them directly
so as to prevent this sort of thing from happening in the future without
our being notified any sooner than we were later Saturday evening.


Thanks,


Robert Andrews
President
RELI Networks, Inc.
Atlanta, GA.
[email protected]

[MrLinus]

Isn't part of it the issue of security of the website/ftp site where things are downloaded? Checking the MD5 should help ensure that things are legit, assuming the attacker hasn't changed that as well. People are getting a little lazy about updating and checking. They do it after each attack and then forget to check again for new patches/updates.

It's that one element that will always be hard to control: the human one.

IMHO, all you can do is uninstall the problem software, run a check on your machine and be constantly vigilant.

[problemchild]

It just seems like before the OpenBSD/ssh trojan a year or so ago, I never really heard about any source code being trojaned like that. Now I see a message like this every couple of weeks in my Bugtraq mailbox. I don't know if it's always been going on and I just didn't hear about it, or if there has really been an explosion in it, but as I said, it just seems to be getting out of hand.

I'm all for checking md5sums, but I'm not sure how that would protect me from some of the attacks that are happening now. If it was just a matter of a compromised FTP server, then I would agree. But if someone poisons the DNS so that if I ftp to ftp.bitchx.org and get resolved to a server in southeast Asia with trojaned source and MD5, how am I to know that I'm not on the real bitchx server? I also seem to recall a while back a trojaned package (can't remember the app, sorry) that was publicly released by the attacker as an updated version and was actually picked up by several legitimate distrubution channels before the backdoor was discovered.

And sure, you can uninstall it once the problem is discovered or catch the next update, but if it has already opened backdoors all over your network, the damage is done. You've fixed the barn door after the horse is gone.