IRC-Junkie.org – IRC News

Some UnrealIRCd 3.2.8.1 downloads trojaned [Update 3]

Syzop of the UnrealIRCd project just posted an announcement on their mailing list and forums that some versions of their IRCd have been compromised and had a backdoor added, which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

Only the 3.2.8.1 source downloads (.tar.gz) are affected by this compromise. Windows users, copies checked out from CVS, and users of older versions are safe and don’t need to check. Everyone else should ensure they’re running a clean version of UnrealIRCd, since the backdoor allows an attacker to issue and execute commands as the user the IRCd is running as, which essentially means your shell account could easily be compromised despite all other security measures.

Checking whether your IRCd is one of the trojanized copies is easy: either compare the md5sum of the download, or grep the source for the backdoored code:

Run ‘md5sum Unreal3.2.8.1.tar.gz’ on the downloaded archive and compare the resulting sum to the checksums below:

Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

Alternatively, run ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ from your Unreal3.2 directory. If this outputs 2 lines, you’re running the trojanized version and need to get yourself a fresh, clean copy of the IRCd and recompile it, since the compromised section is in the IRCd’s core and “it is not possible to ‘clean’ UnrealIRCd without a restart or through a module”.
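Both checks from the announcement, combined into one small POSIX shell script. This is an added example, not a tool from the UnrealIRCd project: the two checksums are the ones quoted above, and the struct.h that make_sample_tree writes is a constructed stand-in used only to exercise the grep check.

```sh
#!/bin/sh
# Added example automating the two checks from the announcement; checksums are those quoted above.
BAD_MD5=752e46f2d873c1679fa99de3f52a274d
GOOD_MD5=7b741e94e867c0a7370553fd01506c66

# md5 of a file, using GNU md5sum or BSD md5 (whichever exists).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Classify a downloaded tarball: GOOD, BAD, or UNKNOWN (matches neither sum,
# e.g. a different release, a corrupt download, or another tampered copy).
check_tarball() {
    case "$(md5_of "$1")" in
        "$BAD_MD5")  echo BAD ;;
        "$GOOD_MD5") echo GOOD ;;
        *)           echo UNKNOWN ;;
    esac
}

# Apply the post's grep criterion to an unpacked source tree: two (or more)
# DEBUG3_DOLOG_SYSTEM lines in include/struct.h means the backdoored version.
check_source_tree() {
    hdr="$1/include/struct.h"
    if [ ! -f "$hdr" ]; then echo MISSING; return 0; fi
    n=$(grep -c DEBUG3_DOLOG_SYSTEM "$hdr" || true)
    if [ "$n" -ge 2 ]; then echo TROJANED; else echo CLEAN; fi
}

# Constructed sample tree (NOT real UnrealIRCd source): writes a struct.h
# containing the given number of DEBUG3_DOLOG_SYSTEM lines for testing.
make_sample_tree() {
    mkdir -p "$1/include"
    : > "$1/include/struct.h"
    i=0
    while [ "$i" -lt "$2" ]; do
        echo "/* constructed */ DEBUG3_DOLOG_SYSTEM" >> "$1/include/struct.h"
        i=$((i + 1))
    done
}
# Usage: sh check_unreal.sh Unreal3.2.8.1.tar.gz [unpacked-source-dir]
if [ "$#" -ge 1 ]; then
    echo "tarball:     $(check_tarball "$1")"
    [ "$#" -ge 2 ] && echo "source tree: $(check_source_tree "$2")"
fi
```

A result of UNKNOWN for the tarball is not a clean bill of health; it only means the file matches neither published sum, so fetch a fresh copy and verify again.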

Syzop writes that they have taken precautions so that such a compromise can never happen again and, if it does, that it will be noticed more quickly. They’re also planning to reimplement PGP/GPG signing of the releases, which “in practice (very) few people use” but “still [will] be useful for those people who do”.

Closing his announcement, he writes that he’d like to “apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so. Hope you’ll all continue to support UnrealIRCd”.

The full announcement can be read here and the advisory can be found here.

[Update]: Servers running the trojanized versions of UnrealIRCd should be updated as soon as possible, since HD Moore, the creator of the Metasploit exploitation framework, has already released a module for it – and even without that, the security hole is really simple to exploit.

Also, here is a .sh script that might help you with the upgrade process – at least one user on the UnrealIRCd forums said it worked for him (although no guarantee of any kind is given by either the author or me).

[Update 2]: Syzop just posted a follow-up in which he writes that their releases are “from now on signed with GnuPG (PGP) again”.

[Update 3]: In an email to the UnrealIRCd mailing list, Syzop elaborates on the GPG/PGP signing and says that there will be instructions on how to verify the key when you download future releases. He also goes into some detail on the precautions the team has taken so that such an incident “will never ever happen again”. He rightfully criticizes certain news outlets that claimed it was the fault of the Open Source model and even Linux (*cough*ZDNet*cough*) – some websites even confused the IRCd with EPIC software’s first-person shooter Unreal Tournament.

Category: Hack, IRC, IRCd, Software
  • DanC says:

    I highly recommend if you ran an exploited version of Unreal3.2, check your Unreal directory for a filename similar to ownrex.txt. It contains an exploit that looks for those running the IRCD with root, and quite a few subroutines along with it. It then connects to an IRC server to relay information.

    <?php
    $server = "acid.irc.su";
    $port = 6667;
    $home = "#//";
    $website = "we-be.el1t3.org";

    is the header. Don't want to paste the whole thing to avoid script kiddies from trying to abuse it.

    June 13, 2010 at 4:18 pm
  • nenolod says:

    acid.irc.su/69.162.134.42 was already shutdown earlier this morning when an alert was triggered on Netflow.

    June 13, 2010 at 6:22 pm
  • Jeff says:

    The ZDNet article did not blame the Linux or Open Source model. It didn’t pass any blame, but rather pointed out it’s not immune to such activities as some seem to think (i.e., only windows). Everybody (not just Windows users) needs to be mindful of the software they download and run.

    Let’s keep things in perspective, here.

    June 15, 2010 at 8:22 pm
  • phrozen77 says:

    Maybe.

    I love the part where he says that somehow, a “similarly infected Windows file”, would have automagically “be detected within days if not hours after a routine virus scan”.

    Dear sirs, may I ask what a “Windows file” is, again?

    When he’s talking about something like a Service Pack then he might have a case, but comparing an IRCd to files that ship with an OS is comparing apples to oranges.

    In any other case you’d just be as wise as before and wait for someone to notice it – which was unlikely given that it seems not to have been exploited before the hole was known to the general public.

    http://www.zdnet.com/blog/bott/linux-infection-proves-windows-malware-monopoly-is-over-gentoo-ships-backdoor-updated/2206

    June 15, 2010 at 8:43 pm
  • katsklaw says:

    Actually Ed Bott is dead wrong: if the Windows version were also infected, there is no way for any AV software to determine if the software is acting as it was designed to or not.

    As far as the AV software goes, it would detect an application accessing the system as the user running the application; that’s no different than any other software on the system, including the AV software itself. AV software can not detect unknown backdoors, only known ones it’s instructed to watch for. That’s why it’s important to have updated definitions.

    Mr Bott fails to mention that the reason that Windows systems older than Vista/7 are so vulnerable is that in most cases the user logged in has local elevated privileges on non-server/workstation versions of Windows. Whereas Vista/7 is so secure because Windows no longer assumes the user is allowed access to sensitive areas; users are run as standard, non-privileged users, which is something *nix has done all along.

    February 25, 2011 at 8:07 pm