Bugtraq mailing list archives

Re: IRC script trojan with Unix based clients

From: wiseleo () JUNO COM (Leonid S Knyshov)
Date: Sun, 1 Jun 1997 11:20:40 -0700


Well...

This is something that I am rather familiar with :)

As of this moment, the only good sources for ircII scripts are at
ftp://ftp.pimpz.org and ftp://bitchx.htoc.com

You can trust the scripts from there.

Meanwhile, an ircII script can be as powerful as a shell, please check on
http://www.undernet.org the important FAQ file how to detect ircII
backdoors, I believe its also on pimpz.org ftp site.

You might want to hack a client source a bit to disable DCC and/or CTCP
commands. To be safe you can simply rename them adn retain the
functionality.

The source for the clients is widely available on ftp://bitchx.htoc.com
and ftp://ftp.undernet.org

That's all for now, I'll gladly answer your ircII related questions in
private.
***
Leonid Knyshov AKA Wise_One <wiseleo () juno com>
http://kiassociates.com/computerhelp
http://kiassociates.com/computerhelp/personal
For file attachments please use wiseleo () hotmail com and send a note about
it here :)


On Sat, 31 May 1997 01:03:21 +0300 Lista de securitate
<bugtraq () LICJ SOROSCJ RO> writes:

       This is a very strange trojan which affects Unix users (other
OS-es may be affected as well) which use ircII or BitchX to link to
irc
servers. And in my country many system administrators do this. It was
presented on the irc as amusement (how to kick off a listop with no
access
rights) but it may have more serious consequences.

       Some versions of a very popular (at least in romania) irc
script
(Atlantis) are trojan horses which implement new ctcp commands which
allow
other people on the irc world to execute irc commands in your client

INCLUDING    /DCC SEND    AND    /EXEC
(if the client supports them)

Atlantis 1.2b is the best known version of the script and if used
under
ircII (Unix version, Linux tested) The user using these two can have
the
mail read by others. Sample ircII prompt; noob victim, feur intruder:

<feur> /ctcp noob version

Current thread:

Re: IRC script trojan with Unix based clients Leonid S Knyshov (Jun 01)
- Re: IRC script trojan with Unix based clients Roger Espel Llima (Jun 02)
- Re: IRC script trojan with Unix based clients Alan Brown (Jun 02)
- AIX Security APARs Aleph One (Jun 02)
- <Possible follow-ups>
- Re: IRC script trojan with Unix based clients Paul Roberts (Jun 02)