Security Incidents mailing list archives

RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored


From: Hank Leininger <hlein () metasecuritygroup com>
Date: Mon, 1 Jul 2002 22:54:45 -0400 (EDT)

On Mon, 1 Jul 2002, Nelson Brito wrote:

> Ok, I've tried to download this backdoored version of BitchX from its
> official WEB Site (a.k.a. www.bitchx.[com|org]), but it looks like a
> repaired or rescued version.

This doesn't surprise me--see the description in our earlier mail about
the odd behavior of the FTP server, how depending on your ISP / client /
phase of the moon, you'd get the safe or the tainted version.  We had a
few people (Chris Wysopal of @Stake/Vulnwatch, Dave Ahmad of
Securityfocus) verify that they could pull backdoored copies this
morning, before releasing the advisory.

> I've downloaded BitchX from the official WEB Site some days ago and I
> saw that the file is okay (the configure's MD5 is good, as well as
> ircii-pana-1.0c19), it's a genuine BitchX.

That's good, perhaps the trojan'ed copy was not there for long.  Or,
perhaps when you pulled it earlier you just happened to get a safe copy
:(

In the meantime, it looks like the service and/or box have been
temporarily taken offline: DNS A records for (www|ftp).bitchx.(org|com)
seem to have been pulled, and the IP formerly hosting those sites is no
longer listening for FTP or HTTP.  I'd expect the BitchX folks are busy
right now but will issue some statement once they've got things settled
down.

Thanks,

Hank Leininger <hlein () metasecuritygroup com>
0C08 435C 26A9 951E 6DAD  8199 C7A7 4005 1954 F635
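
The thread's central lesson is that one download that checks out proves little when the same URL hands different bytes to different clients; the tarball has to be fetched from several vantage points and every copy compared against a published digest. The script below is an added example written for this archive page, not code from the list or from the BitchX project; the "copies" are constructed in-memory stand-ins for tarballs pulled from different ISPs or mirrors, and the known-good digest is computed from the constructed clean copy rather than taken from any real advisory.

```python
"""Compare several fetched copies of the same artifact against a published digest.

Added example for the BitchX backdoor thread; all inputs are constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of a downloaded artifact.

    MD5 is selectable only because the 2002 advisory published MD5 sums;
    use sha256 when comparing against anything published today.
    """
    return hashlib.new(algo, data).hexdigest()


def verify_copies(copies: Dict[str, bytes], expected: str,
                  algo: str = "sha256") -> Dict[str, Tuple[str, bool]]:
    """Return {source: (digest, matches_expected)} for every fetched copy."""
    results: Dict[str, Tuple[str, bool]] = {}
    for source, blob in copies.items():
        d = digest(blob, algo)
        results[source] = (d, d == expected)
    return results


def inconsistent_sources(results: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Sources whose copy does not match the published digest.

    A non-empty list while other sources match is the 'same URL, different
    bytes depending on client' symptom described in the thread, which a
    single lucky download would never reveal.
    """
    return sorted(src for src, (_, ok) in results.items() if not ok)


# Constructed sample data: a stand-in for the clean tarball and a copy with
# extra bytes appended, as if one vantage point had been served a tainted file.
CLEAN_TARBALL = b"\x1f\x8b constructed stand-in for ircii-pana-1.0c19.tar.gz"
TAINTED_TARBALL = CLEAN_TARBALL + b"\x00constructed extra payload bytes"
KNOWN_GOOD_DIGEST = digest(CLEAN_TARBALL)  # would come from the vendor's advisory
SAMPLE_COPIES = {
    "isp-a": CLEAN_TARBALL,
    "isp-b": TAINTED_TARBALL,
    "mirror": CLEAN_TARBALL,
}


def report(copies: Dict[str, bytes], expected: str) -> str:
    """Human-readable verification summary, one line per source."""
    results = verify_copies(copies, expected)
    lines = [f"{src}: {d[:16]}... {'OK' if ok else 'MISMATCH'}"
             for src, (d, ok) in results.items()]
    bad = inconsistent_sources(results)
    lines.append("inconsistent sources: " + (", ".join(bad) if bad else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_COPIES, KNOWN_GOOD_DIGEST))
```

In practice `SAMPLE_COPIES` would be filled by fetching the same path from each network you can reach (and, ideally, over more than one client), and the expected digest would be the one published out-of-band by the project; a mismatch on any single source is worth reporting to the maintainers even when your own copy verifies.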


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

