IRC-Junkie.org – IRC News

All about Internet Relay Chat

Efnet faces major attack on New Year’s Eve [Update 2]

IRC servers with code based on old Ratbox 2.0 code are vulnerable to a bug in the code that handles user authentication. It was found and published at 7 pm GMT by IRC member Fudge when he messed around with the protocol TS6. Charybdis developer nenolod was informed about the issue in the development channel #charybdis. Shortly after that him and other members agreed on that the bug was “pretty serious”.

A working example of how an IRC server could be brought down via this bug was published in the channel. Some person, or a group people, began to misuse the information they presumably got from the channel in order to bring down Efnet. At 10:45 pm GMT, many servers have been patched and restarted, but there are still ten servers, including services.int [Update: services.int is down due to unrelated maintenance according to EFnet], missing, according to the automatically updated network map on http://map.efnet.net/. To bring a server down, the attacker does not need any special privileges. All they would need to do is to send one line consisting of less than 15 characters.

A new version of Charybdis was released around 22.00 pm later this same evening. Patch files for both Ratbox and Charybdis have been sent to many IRC administrators, so that they can secure their servers against this exploit as soon as possible.

Some of the affected channels include #irchelp, a channel that now has a new date of creation:
-!- Channel #irchelp created Mon Dec 31 22:32:01 2012

It is likely that the operators of #chanfix will get a dramatically increased work load during the next couple of hours. They have prepared well by setting the topic of the channel:
Yes we know EFnet just took a mickey. Plz state the channel with the problem and wait…

There are rumours around claiming Hybrid is also affected, but they have not been confirmed [Update 2: According to the IRCd-Hybrid team, it is not affected by the vulnerability]. As the number of IRC servers forked from Ratbox, with exploitable code, is relatively high it is highly likely that servers on many networks will go up and down for the next few days.

Freenode was one of the first networks to patch themselves, occuring only minutes after the seriousness of the issue had been established. Thanks to staff member tomaw all relevant servers could be secured before any harm was done.

IRC servers which have been confirmed by their developers as patched against this vulnerability are:

  • ShadowIRCd 6.3.3
  • Charybdis¬†3.4.2
  • Ratbox 3.0.8

Article to be updated when more information is available…

 

Link to the original advisory: http://www.ratbox.org/ASA-2012-12-31.txt

EFNet IRC net and Website get hacked

irc-junkie.org tried to get in touch with EFNet to comment on the happenings to no avail but got instead contacted by the hackers themselves.

The hackers, identifying themselves as “2l8″, allegedly killed off the IRCd on efnet.nl and relinked with their “ircd with a custom-made patch iHaq wrote just for the occasion. Amongst other nifty features it had kill protection, automatic opering, hardcoded spoof (incase anyone got in and looked at hte config files) for us (root@your.servers) and a more dynamic, yet coded in spoof that gave every connected user a host like OWNED-#.MASSIVE.2l8.OWNAGE”.

When asked about their motives they replied “The current situation of morons running alot of the network … is unacceptable. It’s no wonder kids resort to DDoSing IRC-servers. We felt it was time to send a clear message: We Own You. We will always own you … Being on IRC is no different from being in a large crowd, there is no reason for you to act like you are 12 and a bitch.”

They however stated that they themselves are EFNet regulars “Some of us have been on EFnet for 12 years, so that would be a yes. With the current state of affairs tho, we might just pound it into the stone age and go hang-out on freenode or something were people actually behave like regurlar human beings …”

Asked about the techniques behind the hack they replied “This attack has concsisted of using privately developed Linux and FreeBSD remote kernel bugs, as well as certain daemon bugs(apache,openssh,bind,etc) as well as webapp bugs, and sniffing. However the technique so far has been to rely on people’s totally predictable egos. Most of these folks have an ego the seize of the Great wall of China.”

Talking about the hacked webpage http://www.efnet.org, which displayed gayporn titled “oper convention” for two days, they told “The EFnet admins (and opers + groupies) thought we played with DNS cache poisoning for days to get their website to show gay porn, however, we never even attempted that, as we owned their nameservers:)”

Closing the email they wrote “The 2l8 team, want to take his opurtunity to tell everyone that a little love and respect goes a long way. Admins, opers or users, you are all still just human, us included.

- It’s never 2l8 to start being nice.

- The 2l8 team: iHaq, iRoot, iPwn, iSniff.”

Of course, any comments from the EFNet side are more than welcome and if need be will be handled strictly confidential.

EFnet Enables SSL Connections

“EFnet has recently enabled SSL connections on a select few servers,” EFnet admin Taliz wrote to IRC-Junkie. “irc.efnet.ch, irc.pte.hu and irc.blessed.net are allowing SSL clients to connect on ports 9999, 7000, 7001 and 6697.”

The developers of the Ratbox IRCd added it to the code after continuous requests. “The option to support SSL connections is part of ratbox 3, which is currently in beta stage. Hence only a few servers support it yet, namely irc.efnet.ch, irc.pte.hu & irc.blessed.net. However irc.eversible.com is running a special solution also accepting SSL, using the older ratbox 2. Also irc.efnet.ch and irc.pte.hu are running separate ircds for the SSL clients, to not disrupt regular clients while bugfixing etc.”

According to Taliz, around 200 clients are using the feature right now, but its growing as the word is spreading around.

Finally, Taliz ends with a small warning. “Until ratbox 3 goes “stable”, you may expect more frequent restarts due to bugs being worked out.”

IRC.EFNet.CH Supports IPv6

Another EFNet server adds supports IPv6.

Recently IRC.EFNet.CH added support for the IPv6 protocol. IRC-Junkie asked IRC EFNet.CH admin Taliz for how long IPv6 has been supported on EFNet. “Ratbox is an early fork of Hybrid 7 and, if I recall correctly, has always supported IPv6. Hybrid 7 has supported IPv6 since it was released back in 2003(there were however a lot of Betas & RC’s supporting IPv6 as well, which ratbox built on, dating back to 2001).”

“Some of the first servers supporting IPv6 on EFnet were irc6.qeast.net & irc.ipv6.homelien.no, they linked around 2001. Nowadays Qeast is gone, but IPv6 is enabled on irc.homelien.no as well as a multitude of other servers like irc.efnet.nl, efnet.ipv6.xs4all.nl, irc.inter.net.il, irc.efnet.ch, irc.ipv6.he.net & irc.choopa.net.” These servers can be found in the IPv6 round robin at irc.ipv6.efnet.net.

One of the old concerns with IPv6 was that maliscious users could have access to an unlimited range of addresses for floodbots. “CIDR limits are used to control IPv4 as well as IPv6 classes,” Taliz explains. “You can for example limit /64′s to 5 connections, effectively preventing mass cloning.”

IPv4 remains by far the most popular protocol in use. “I would estimate that there are less than, or around, 2000 IPv6 clients on EFnet regularly,” Taliz ends.

EFnet Admin Jafo Passes Away

EFnet.org reports the passing of Brad Allan Killebrew (also known as Jafo), admin on EFnet of the servers ircd.lagged.org and irc.nac.net.

“Mr. Killebrew was born in Temple to William Lee and Dianne Killebrew. He was a systems engineer for the Texas Network. He lived in Temple until the age of 10 and moved to Humble with his family where he graduated from Humble High School. He received a bachelors degree from the University of Houston. He was a member if the Institute for Electronic Engineer Computer Society, North American Network Operations Group and the American Radio Relay League. He was also an amateur radio operator”, the EFnet site reports.

Brad Allan Killebrew passed away last Thursday, September the 13th. A memorial service will be held Wednesday at Rosewood Funeral Home in Humble.

Thoughts can be left at this page on EFnet.org.

Stefano pointed IRC-Junkie out on this tragic news.