IRC News

All about Internet Relay Chat

IRC Defender arbitrary code execution exploit

Yesterday, news broke of an arbitrary code execution vulnerability in the still popular IRC security service IRC Defender which, according to the reporter, is being actively exploited.

The flaw is said to be in the InspIRCd link module, for which a patched version exists, but according to the original post to the IRC-Security mailing list there are more flaws in the InspIRCd link module and also in the UnrealIRCd link module.

The original poster on the mailing list suggests getting rid of IRC Defender immediately and replacing it with something else (have a look at Omega Security Services), and also checking for signs of recent intrusions which have taken place on or after 15th November. He also urges admins to look out for rogue entries in ~/.ssh/authorized_keys and to look for suspicious processes.
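
One way to carry out the authorized_keys check recommended above, as an added example that is not part of the original post or of IRC Defender: it lists every key that is not in a known-good allowlist and every file changed after a cutoff. The function names, the allowlist file, the cutoff stamp and the sample keys are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: paths, the allowlist file and the cutoff are assumptions.

# key_blobs FILE: print "lineno blob comment" for each key line, skipping
# blank/comment lines and any options field in front of the key type.
key_blobs() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
    {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                print NR, $(i + 1), (i + 2 <= NF ? $(i + 2) : "-")
                next
            }
        print NR, "UNPARSEABLE", "-"   # report anything we cannot read
    }' "$1"
}

# unknown_keys FILE ALLOWLIST: print "FILE:lineno comment" for every entry
# whose key blob is not in ALLOWLIST (a file of known-good public keys).
unknown_keys() {
    { key_blobs "$2" | sed 's/^/A /'; key_blobs "$1" | sed 's/^/C /'; } |
    awk -v f="$1" '
        $1 == "A" { if ($3 != "UNPARSEABLE") ok[$3] = 1; next }
        !($3 in ok) { print f ":" $2, $4 }'
}

# changed_since STAMP PATH...: print files modified after STAMP, given in
# touch -t form (CCYYMMDDhhmm). The page gives 15th November but no year.
changed_since() {
    ref=$(mktemp) || return 1
    touch -t "$1" "$ref"; shift
    find "$@" -type f -newer "$ref"
    rm -f "$ref"
}

# Constructed sample data, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3constructedKnown admin@example' > "$d/allow"
    printf '%s\n' '# constructed sample' \
        'ssh-ed25519 AAAAC3constructedKnown admin@example' \
        'no-pty,command="/bin/sh" ssh-rsa AAAAB3constructedRogue x@y' \
        > "$d/authorized_keys"
    unknown_keys "$d/authorized_keys" "$d/allow"   # reports line 3 only
    rm -rf "$d"
}
demo
```

Run unknown_keys against each account's authorized_keys file and changed_since against the home directories of the services user; suspicious processes still need a separate review.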

So far, at least three networks seem to have been exploited through this flaw. The highest-profile victim so far seems to be the AnonOps network, whose hack also seems to have been possible due to this flaw, contrary to the rumored Anope 0-day.

The original post on the IRC-Security mailing list is here (needs registration).

Thanks to alyx for the tip etc!

The patched link module can be obtained from here.

  Copyright secured by Digiprove

How to protect an IRC network from spam

Dealing with spam is something every IRC network has had to do in the past, has to do in the present and maybe even will have to do in the future.

Whether it is somebody trying to give your network a bad name, a trojan horse trying to infect your users or just someone trying to annoy you and your users doesn’t really matter; spam has probably been an issue for as long as IRC has existed.

Luckily, there are quite a few ways to counteract it.

The first thing should be educating your users not to click on anything that has been sent to them unsolicited, and not to run any commands that promise them “free ops” or whatever else might tempt some of them; otherwise they might unwillingly and unknowingly join the spammers.

There are many (semi-)automated means to combat spam, mostly depending on what software you use, or are willing to use, on your network.

Some IRCds, such as Unreal or InspIRCd, already have built-in functionality to filter spam in any part that is visible to other IRCers. Those, however, require that someone notices the spam and adds a regular expression to block and act upon it.

Completely automated ways to combat drones and malicious users include setting up a proxy scanner using DNS blacklists, or DNSBLs for short. There are extensive lists of various blacklists available on the internet, but only some of them are meant to be used exclusively for IRC, so choose wisely.

But what if the IRCd of your choice doesn’t support spamfilters and you don’t want to use DNS-based blacklists? IRC Defender is software that could provide you with such functionality by adding a “pseudo-server” to your network whose sole purpose would be checking for spam and everything else you configure it to do.

NeoStats is another service that can help you combat malicious activity. It might even already be installed, so you would only need to add the SecureServ module to it to have an additional layer of protection available.

So, since preventing spam also somewhat pertains to security, the same rule applies to it: you would rather have a few layers to prevent something bad from happening than depend on a single line of defense.

Please share your tips on what you do about spam on your network, as well as anything I might have missed :)


IRC Defender 1.5 Released

IRC Defender is a security package written in Perl, made for small to medium-sized networks. It is fully modular.

It took some time to release version 1.5. Developer Thunderhacker explains: “InspIRCd became far more popular than he (Brain, ed.) expected and development of Defender got pushed to the side.  Shortly after I took over I went back to school, so my schoolwork pushed its development aside.  Now that school is out for the summer I will be doing a lot more development.”

Although newer versions are always available over SVN, the team recommends stable releases if stability is important.

IRC-Junkie asked what’s new in the release. “Along with the addition of a couple of modules this release fixes many bugs that have been found over the months.  Aside from that not much of the functionality has changed.”

“As Defender is primarily a services package for ChatSpike, I am currently working on modifying the InspIRCd link module for their new 1.2 release.  There is a copy of the partially completed module in SVN. I will keep it updated nightly with any progress I make on it.”

Finally, Thunderhacker would like to express a few thanks: “I’d also like to add a thanks to everyone who has helped with development.  I have credited everyone in the changelog and also in comments on SVN commits.  In particular I’d like to thank satmd and w00t for their help with support in the help channel during my absence and also OUTsider for his work on the P10 link module as he has become an unofficial developer of that part of Defender.”

Thanks to Greg for the tip.

IRC Defender Back Under Development

“After a long period of downtime, Defender is back under active development. There’s a lot of mess as far as the website goes (under construction yadda yadda) but at least there’s someone to get a hold of if things go wrong”, the IRC Defender website announced. This modular Perl based piece of software is coded to help networks with security issues such as worms, spambots and viruses.

The development was halted for quite some time. Formerly active member Brain explains: “Development for IRC defender has been slow for a couple of years now. The program basically did what we needed it to for chatspike (the network it was initially written for), and with other projects like InspIRCd keeping me busy, i was unable to put the time into the project that it needed.”

A new maintainer, Thunderhacker, was chosen after he asked Brain about the project and whether development could resume. “He seemed enthusiastic and willing to maintain the project, so I gave him access to the project to continue it in my ‘absence’.”

The new version released (1.5 RC1) has been used on Chatspike for the past few years and includes new modules such as an anti-spamming and anti-repeating module, and the obligatory bugfixes. “Not that much is new yet but with ‘fresh blood’ on the project i can imagine that very shortly lots of new things will be cropping up in IRC Defender” Brain assures us.

IRC-Junkie asked Thunderhacker about the future for IRC Defender: “One of the major plans I have is setting up an area for third party modules to be hosted for use with Defender.” He is currently also working on a bug, and when that one is solved, RC2 will be released. And finally there are plans for new modules. “Beyond 1.6 is a bit too far to predict.  A lot of things could happen in that time”, Thunderhacker explains.

Anyone needing help with IRC Defender is encouraged to visit the forum or visit the #defender channel on Chatspike.

Thanks to w00t for the tip!