Admins admit "embarrassing" IRC flaw
By Stewart Mitchell
Posted on 14 Jun 2010 at 08:55
A popular open source IRC server has been left open to attack for more than six months.
The flaw in UnrealIRCd was announced in a security advisory in which project administrators said an unnoticed trojan could have given anyone unrestricted access to the software.
“This is very embarrassing,” the UnrealIRCd team says. “We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
“This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in).”
The advisory offers two methods for testing whether your version is infected, as well as instructions on how to fix the flaw.
It is an embarrassing security blunder for the project, particularly given the length of time taken to spot the breach.
“It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors),” the project admitted. “We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have.”
No offence....
But this is no different to the infected packages for Windows or OS X.
It IS a problem, but it isn't a flaw in Linux, it is a flaw in the security checks of the UnrealIRCd team.
No operating system can provide 100% security, especially when, in this case, the user is doing something legitimate and installing an application.
True, running AV software might have prevented the spread, but it would have to have been a known trojan for it to have been picked up...
By big_D on 14 Jun 2010
Fair point, have adjusted it, thanks for pointing it out.
By Nicole_Kobie on 14 Jun 2010
@big_D
But isn't there an inherent risk with Open Source products? Hackers can peruse the code at their leisure, identify a weakness, exploit it, recompile the code and re-create the distribution files, as they presumably did in this case?
By rjp2000 on 14 Jun 2010
@rjp2000
It is a potential weakness and a strength. Not only can an attacker identify a weakness but so can one of many many developers and other assorted eyes working on the project, providing a fix. In this case the security flaw was in the UnrealIRCd team not providing safe checksums and ensuring all mirrors are distributing the correct files.
Interestingly this problem does not just "go away" with closed-source software. The number of 'cracked' software articles on the web goes to show those who wish to attack can do so with or without the original code.
By reashlin on 14 Jun 2010
Checks are available
Most Linux users install applications from repositories that contain compiled binaries which are signed. When installing from source it is best practice to check MD5 hashes against those published by the software author.
However, given the use of mirrors, it is possible for a mirror to be deliberately corrupted - including the provision of not only modified code, but bad MD5 info.
It is a salutary lesson to always be sure about where code is coming from.
By milliganp on 14 Jun 2010
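As an added example (not from the article or the UnrealIRCd project), this is the check milliganp describes, with the checksum file assumed to come from the author's own site rather than from the mirror that served the tarball, so a tampered mirror cannot also supply a matching digest. The tarball contents and the checksum list are constructed for the demo.

```python
import hashlib
import hmac
from pathlib import Path

# Constructed sample data (not the real Unreal3.2.8.1.tar.gz): the tarball as the
# author published it, and a tampered copy such as a compromised mirror might serve.
GOOD_TARBALL = b"fake tarball contents: clean source tree\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"fake tarball contents: added backdoor\n"
# Checksum file in md5sum/sha256sum format ("<hexdigest>  <filename>"), assumed
# fetched from the author's own site, never from the mirror that served the tarball.
PUBLISHED_SUMS = hashlib.sha256(GOOD_TARBALL).hexdigest() + "  Unreal3.2.8.1.tar.gz\n"

def digest_bytes(data, algorithm="sha256"):
    """Hex digest of data; "md5" works too, but SHA-256 is the better choice."""
    return hashlib.new(algorithm, data).hexdigest()

def parse_checksums(text):
    """Map filename -> lowercase hex digest, skipping malformed lines and the
    leading '*' that marks binary mode in md5sum/sha256sum output."""
    published = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if all(c in "0123456789abcdef" for c in digest):
            published[name] = digest
    return published

def verify_bytes(name, data, checksum_text, algorithm="sha256"):
    """Return (ok, reason); a file with no published checksum is rejected."""
    published = parse_checksums(checksum_text)
    if name not in published:
        return False, f"no published checksum for {name}"
    actual = digest_bytes(data, algorithm)
    if hmac.compare_digest(actual, published[name]):
        return True, "checksum matches the independently published value"
    return False, f"MISMATCH: expected {published[name]}, got {actual}"

def verify_download(path, checksum_text, algorithm="sha256"):
    """Same check for a tarball on disk, keyed by its file name."""
    p = Path(path)
    return verify_bytes(p.name, p.read_bytes(), checksum_text, algorithm)

if __name__ == "__main__":
    for mirror, data in (("mirror A", GOOD_TARBALL), ("mirror B", TAMPERED_TARBALL)):
        ok, reason = verify_bytes("Unreal3.2.8.1.tar.gz", data, PUBLISHED_SUMS)
        print(f"{mirror}: {'OK' if ok else 'REJECT'} ({reason})")
```

The mirror copy is accepted only when its digest matches the out-of-band value; a swapped tarball, or one the author never listed, is rejected rather than silently installed.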