BugTraq
BitchX trojan, the real follow up. Apr 15 2003 01:44AM
Rob Andrews (randrews relinetworks com)


Since Micha didn't take the time to post this email after it was passed
along to himself and others on one of EFnet's oper lists I submit the
following to explain what really happened to the BitchX website and DNS
over the weekend.

I also would like to point out that in the future I may be contacted
directly concerning any matters such as these as I am involved with nearly
every person currently involved in the development and distribution of the
source code.

I should point out that since I maintain the FTP site, people should know
that the FTP site does not reside on the same systems as the web and dns
for bitchx.org. If in doubt at any time we have posted information on
http://faq.bitchx.org which tells users how to verify source and what the
legitimate IP addresses for the current FTP servers are. All current
(except for CVS snapshot source code) source and binaries have been signed
by me. This information is available on the FAQ website as well.

---- Message as forwarded to all parties involved ----

Over the weekend the DNS for bitchx.org was directly changed by someone who
exploited a machine at 207.178.61.5 aka smtp1.wia.com and was releasing
source for ircii-pana-1.0c19.tar.gz which included in the configure script
this:

sa.sin_addr.s_addr = inet_addr ("207.178.61.5");

Previously the DNS was poisoned to cause users to download from what would
normally appear to be a legitimate FTP site. However in this case we
believe after contacting one of the admins for the machines that hosts the
DNS for BitchX.org that the actual machine itself may have been compromised
since the physical URL pointer on the website was pointed to
ftp2.bitchx.org which goes to the previously mentioned IP address.

We have taken action to correct the website and the DNS is being handled.
The machine at wia.com however is still compromised and has distributed a
number of copies of the compromised source code.

I have called the NOC at accretive-networks.net and notified them of the
machine in question. As soon as I am able to I will post a notice to the
proper mailing lists that have covered this issue and address them directly
so as to prevent this sort of thing from happening in the future without
our being notified any sooner than we were later Saturday evening.

Thanks,

Robert Andrews
President
RELI Networks, Inc.
Atlanta, GA.
randrews (at) relinetworks (dot) com

-- Followup:

X-Authentication-Warning: grmpa.com: www set sender to stevenb (at) wolfe (dot) net using -f
Date: Mon, 14 Apr 2003 10:10:04 -0700
From: Steve Breeden <stevenb (at) wolfe (dot) net>
To: "" <noc (at) accretive-networks (dot) net>
Cc: "" <randrews (at) relinetworks (dot) com>
Subject: Re: [ACCR-NETOPS #33425] over the weekend.... (fwd)
User-Agent: Internet Messaging Program (IMP) 3.2.1 / FreeBSD-5.0

This machine (207.178.61.5) was taken offline Saturday evening and
replaced.

It is no longer compromised as stated below.

Quoting Accretive Networks Abuse Department <noc (at) accretive-networks (dot) net>:

>
> Mon Apr 14 09:55:29 2003: Request 33425 was acted upon.
> Transaction: Ticket created by abuse (at) accretive-networks (dot) net
> Queue: noc
> Subject: over the weekend.... (fwd)
> Owner: Nobody
> Requestors: abuse (at) accretive-networks (dot) net
> Status: new
> Ticket <URL:
> http://tracker.accretive-networks.net/Ticket/Display.html?id=33425 >
> -------------------------------------------------------------------------
>
> In case you didn't see this.
>
> Accretive Networks Abuse Dept.
> http://www.accretive-networks.net/

--
Steve Breeden
support (at) wolfe (dot) net
Support Engineer
Accretive Networks
P.206.443.6401 ext 204
F.206.269.0188

For DNS requests:
dns-admin (at) accretive-networks (dot) net

For Hosting-support:
hosting-support (at) accretive-networks (dot) net
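A maintainer or mirror operator can automate the check that caught this trojan: a configure script has no legitimate reason to embed a specific remote address, so a literal dotted quad handed to inet_addr() is a strong signal on its own. The following is an added example, my code rather than anything from the post or the BitchX project. It runs a small scanner over a constructed configure fragment that embeds the inet_addr() line quoted in the message among ordinary conftest boilerplate. The sample script, the Finding class, and the decision to treat loopback and private addresses as lower-priority (autoconf portability tests do sometimes use 127.0.0.1) are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Literal dotted-quad handed to inet_addr()/inet_aton(). A build script has no
# reason to know a specific remote host, so this is the strongest single signal.
HARDCODED_ADDR_RE = re.compile(
    r'\binet_(?:addr|aton)\s*\(\s*"((?:\d{1,3}\.){3}\d{1,3})"'
)
# Socket setup calls. Real configure scripts do emit tiny conftest.c programs
# that call socket()/connect() when probing for -lsocket, so these are reported
# as context only and never decide the verdict by themselves.
SOCKET_CALL_RE = re.compile(r"\b(socket|connect|sendto)\s*\(")


@dataclass
class Finding:
    line_no: int
    kind: str      # "hardcoded-address", "local-address" or "socket-call"
    detail: str    # the address literal or the call name


def _classify_address(addr: str) -> str:
    """Loopback/private/unspecified literals are plausible in portability
    tests; anything else (or an unparsable literal) is treated as a real
    remote endpoint. This exemption is an assumption of the example."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hardcoded-address"
    if ip.is_loopback or ip.is_private or ip.is_unspecified:
        return "local-address"
    return "hardcoded-address"


def scan_build_script(text: str) -> List[Finding]:
    """Return one Finding per line that embeds an address literal or a socket call."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        addr = HARDCODED_ADDR_RE.search(line)
        if addr:
            findings.append(Finding(line_no, _classify_address(addr.group(1)), addr.group(1)))
            continue
        call = SOCKET_CALL_RE.search(line)
        if call:
            findings.append(Finding(line_no, "socket-call", call.group(1)))
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    """A build script that embeds a non-local address literal should not be run."""
    return any(f.kind == "hardcoded-address" for f in findings)


# Constructed sample configure script. Only the inet_addr() assignment is taken
# from the post; the conftest boilerplate around it is made up to show what the
# scanner must tolerate without raising a false alarm.
SAMPLE_CONFIGURE = """\
#! /bin/sh
# Guess values for system-dependent variables (constructed sample).
cat > conftest.c <<EOF
#include <sys/socket.h>
int main(void) { return socket(AF_INET, SOCK_STREAM, 0) < 0; }
EOF
cat > conftest2.c <<EOF
#include <arpa/inet.h>
int main(void) { return inet_addr("127.0.0.1") == INADDR_NONE; }
EOF
cat > conftest3.c <<EOF
#include <arpa/inet.h>
struct sockaddr_in sa;
int main(void) {
  sa.sin_addr.s_addr = inet_addr ("207.178.61.5");
  return 0;
}
EOF
echo "checking for socket library... yes"
"""

if __name__ == "__main__":
    results = scan_build_script(SAMPLE_CONFIGURE)
    for f in results:
        print(f"line {f.line_no}: {f.kind} ({f.detail})")
    print("verdict:", "REJECT" if is_suspicious(results) else "ok")
```

Run against the sample, the scanner reports the socket() probe and the loopback literal as context and flags line 15 (the quoted inet_addr line) as a hard-coded remote address, which is enough to reject the tarball before ./configure is ever executed. In practice this check complements, rather than replaces, verifying the maintainer's signature on the tarball as the FAQ describes: the signature tells you the archive is the one the maintainer released, and the scan tells you what a build script would do if that check is skipped.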

Copyright 2010, SecurityFocus