Security Incidents mailing list archives
RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored
From: Hank Leininger <hlein () metasecuritygroup com>
Date: Mon, 1 Jul 2002 22:54:45 -0400 (EDT)
On Mon, 1 Jul 2002, Nelson Brito wrote:
> Ok, I've tried to download this backdoor version of BitchX from its official WEB Site (a.k.a. www.bitchx.[com|org]), but it looks like a repaired or rescued version.
This doesn't surprise me--see the description in our earlier mail about the odd behavior of the FTP server, how depending on your ISP / client / phase of the moon, you'd get the safe or the tainted version. We had a few people (Chris Wysopal of @Stake/Vulnwatch, Dave Ahmad of Securityfocus) verify that they could pull backdoored copies this morning, before releasing the advisory.
> I've downloaded BitchX from the official WEB Site some days ago and I saw that the file is okay (the configure's MD5 is good, as well ircii-pana-1.0c19), it's a genuine BitchX.
That's good, perhaps the trojan'ed copy was not there for long. Or, perhaps when you pulled it earlier you just happened to get a safe copy :(

In the meantime, it looks like the service and/or box have been temporarily taken offline: DNS A records for (www|ftp).bitchx.(org|com) seem to have been pulled, and the IP formerly hosting those sites is no longer listening for FTP or HTTP.

I'd expect the BitchX folks are busy right now but will issue some statement once they've got things settled down.

Thanks,

Hank Leininger <hlein () metasecuritygroup com>
0C08 435C 26A9 951E 6DAD 8199 C7A7 4005 1954 F635

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com