Focus on Apple
Month of Apple Bugs Dec 19 2006 03:33PM mfossi securityfocus com (4 replies) Re: Month of Apple Bugs Dec 20 2006 04:54PM jot (jot cotse net) (2 replies) Re: Month of Apple Bugs Dec 19 2006 04:16PM Philippe Devallois (phdevallois intego com) (3 replies) |
This report is indeed interesting since the possibility of an "IRC"
bot being installed has come up on the Mac OS X Server list recently.
But I have to say that the lack of specificity about which "bot" they
are talking about leads me to believe that it's really an unknown
quantity.
>
> Thanks, but before that, you may look at this report:
>
> http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00422.html
Again, people who *should* know don't seem to mention which bot or
who wrote it. I have some continuing interest in this issue because I
have, in the past, run an "IRC" bot. It is a GNU GPL project called
Eggdrop. It is the original IRC bot designed to preserve the integrity
and security of IRC channels before the existence of IRC Services.
There is a bot-type Trojan out there with a name similar to Eggdrop
but I don't believe it to be related to the code tree. I cannot be
sure of this, though.
Until the most recent release, Eggdrop would not compile "out of the
box" on OS X without some additional libraries or different versions
of the library. Just to find out if it would install on a basic
install of Tiger with Developer Tools I downloaded the source and
compiled it. It compiles but it will not compile the modular bot. For
this to compile the way it was designed to compile, it needs
additional TCL libraries which Mac OS X lacks. They can be compiled of
course, but this takes time and system resources so it would not be
easy to hide. This makes the binary much larger. In fact, it's 2
megabytes approximately.
However, it was not designed to have a small footprint. It makes use
of any memory resources it needs and so is not easily hidden. Since
most bot owners want a stable bot, they choose to run it on
legitimate Unix or Linux shell accounts with good connectivity and
stable up-times.
My question is does anyone know which "IRC" bot system administrators
are talking about? It would be nice to be able to pin this down.
*IF* it happens to be Eggdrop, I would suggest that it isn't anyone
who's broken into the system, but someone who already has access and
gained a certain amount of trust. Most bot owners also want to run a
crontab to make sure their bot is up and running. Eggdrop is more
likely to be run from user space than from the system itself. That
takes increased access to more secure levels of the OS than Eggdrop
normally needs.
More information about the nature of this "IRC" bot which is
problematic would be in order. Simply leaving it undefined isn't an
option.
cheers,
David
--
David Fedoruk
B.Mus. UBC,1986
Certificate in Internet Systems Administration, UBC, 2003
http://recordjackethistorian.wordpress.com
"Music is enough for one's life time, but one life time is not enough
for music" Sergei Rachmaninov