 
From: Nelson Brito (nelsonwwsecurity.net)
Date: Mon Jul 01 2002 - 15:53:38 CDT


     

    Ok, I've tried to download this backdoored version of BitchX from its official
    web site (a.k.a. www.bitchx.[com|org]), but it looks like a repaired or rescued
    version.

    I downloaded BitchX from the official web site some days ago and I saw that
    the file is okay (the configure's MD5 is good, as well as ircii-pana-1.0c19);
    it's a genuine BitchX.

    Here are some statements:
    pitbull:~# ls -l
    total 2512
    drwxrwxr-x 12 500 500 4096 Mar 25 18:46 BitchX
    -rw-r--r-- 1 root root 2533621 Jun 21 17:02 ircii-pana-1.0c19.tar.gz
    drwxr-xr-x 2 root root 4096 Jun 24 16:14 MP3z
    pitbull:~# md5sum BitchX/configure
    0bd531d523606a0296da2763dafa51f2 BitchX/configure
    pitbull:~# grep conftest.c BitchX/configure
    pitbull:~# md5sum ircii-pana-1.0c19.tar.gz
    79431ff0880e7317049045981fac8adc ircii-pana-1.0c19.tar.gz
    pitbull:~# ls -l /usr/bin/BitchX
    lrwxrwxrwx 1 root root 22 Jun 21 17:13 /usr/bin/BitchX -> /usr/bin/BitchX-1.0c19
    pitbull:~#

    It was downloaded on Jun-21-2002. So...

    Reach your own conclusions.

    Nothing more.
    --
    Nelson Brito

    -----Original Message-----
    From: Hank Leininger [mailto:hlein@metasecuritygroup.com]
    Sent: Monday, July 01, 2002 12:43 PM
    To: vulnwatch@vulnwatch.org; bugtraq@securityfocus.com;
    incidents@securityfocus.com; bitchx@lists.bitchx.com
    Cc: Mark Canter; Joe Segreti
    Subject: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored

    A few hours ago (1 AM US/Eastern time, July 1) we downloaded
    ircii-pana-1.0c19.tar.gz from ftp.bitchx.com (216.165.191.5) and
    reviewed the configure script before running it. It has essentially
    the same configure backdoor as fragroute-1.2.tar.gz[1] -- a TCP
    connection is made outbound, with a shell bound to it (a reverse
    telnet). This appears to retry/respawn once per hour. The 1.0c19
    tarball at ftp.irc.org (which mirrors bitchx.com) did not appear to be
    trojaned when we pulled from there about an hour later.
    [... cut ...]

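The two checks done by hand in this thread (compare the tarball's MD5 with a known-good value, then look through the configure script for the literal conftest.c that the fragroute and BitchX trojans used, before ever running it), scripted so they give a return code instead of a judgement call. This is an added example, not code from the thread or from the BitchX project; it assumes md5sum and GNU grep, and the known-good MD5 is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: script the release checks discussed
# above. Assumes md5sum and grep; EXPECTED is a known-good MD5 obtained out
# of band (signed announcement, independent mirror), never from the same
# server the tarball came from.

# verify_md5 FILE EXPECTED: succeed only when FILE's MD5 equals EXPECTED.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# scan_configure SCRIPT: print lines of a configure script that deserve a
# manual look and return 1 if any were found, 0 if none. A genuine autoconf
# script writes its probe programs as conftest.$ac_ext, not a literal
# conftest.c (which is why the thread's "grep conftest.c" stays silent on a
# clean copy); the other patterns are the building blocks the quoted report
# describes (outbound TCP connect, hourly retry). Genuine scripts can match
# connect( when probing for libsocket, so a hit means "review", not "trojaned".
scan_configure() {
    hits=$(grep -nE 'conftest\.c|/dev/tcp/|connect\(|sleep +3600' "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s: review these lines before running it:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# check_release TARBALL EXPECTED_MD5 CONFIGURE: run both checks; succeed
# only if the checksum matches and the scan of the extracted script is quiet.
check_release() {
    verify_md5 "$1" "$2" || { echo "$1: MD5 mismatch, do not build"; return 1; }
    scan_configure "$3"
}
```

Run it against the extracted configure script, not inside a tree where configure has already been executed, since the trojan's payload is launched by the script itself.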

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com