Title: Trojan Horse in IRC Client for UNIX
Released by: CERT
Date: 19th October 1994
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT(*) Advisory CA-94:14
Original issue date:  October 19, 1994
Last revised: September 23, 1997
                Updated Copyright statement

Topic: Trojan Horse in IRC Client for UNIX
- -----------------------------------------------------------------------------



The CERT Coordination Center has learned of a Trojan horse in some copies of
ircII version 2.2.9, the source code for the Internet Relay Chat (IRC) client
for UNIX systems. Reports we have received thus far indicate that the corrupt
code was available as early as May 1994. The Trojan horse provides a back door
through which intruders can gain unauthorized access to accounts of IRC users.
Intruders are actively exploiting this back door.  If you obtained ircII 2.2.9
from any site in May or later, you may be vulnerable.

Because it is unknown how far the corrupt version of the IRC client has
propagated and because intruders may have corrupted other versions, the CERT
staff recommends obtaining and installing ircII version 2.6.

Because no special privileges are needed to install and run the IRC source
code, any user on your system may have installed the corrupt code.  Thus, we
also recommend that you inform your users of this potential problem and its
solution.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------



I.   Description

     A Trojan horse was found in some copies of the source code for
     the Internet Relay Chat client for UNIX systems, ircII version
     2.2.9.  Intruders are actively exploiting this Trojan horse.

     The Trojan horse creates a back door and enables intruders to
     gain unauthorized access to accounts of IRC users. If IRC is run
     from a system account, such as root or bin, the Trojan horse
     enables intruders to gain unauthorized access to the system
     account.  In addition, because it is possible to compile,
     install, and run IRC source code without special privileges, any
     user on your system may have installed corrupt code.

     The source code containing the Trojan horse was available from
     many FTP sites as early as May 1994 (at this time, we do not have
     a specific date).



II.  Impact

     Remote users can gain unauthorized access to any account running
     the IRC client, including a system account if it is running IRC.



III. Solution

     If you want to try to determine whether your copy of ircII contains the
     Trojan horse, perform a search on the IRC client to find the strings JUPE
     or GROK. For example,

        % strings /usr/local/bin/irc | grep -e JUPE -e GROK

        % strings /usr/local/bin/irc | egrep 'JUPE|GROK'

     If the strings JUPE or GROK are present in the IRC client, your source
     code may contain the Trojan horse. Keep in mind, however, that back doors
     can easily be changed to respond to other words, so you may be vulnerable
     even if you do not find JUPE or GROK.

     Thus, even if you believe that your IRC source code is clean, we urge you
     to install ircII version 2.6, the most recent version of IRC. Also,
     the maintainer of the code reports that version 2.6 contains many bug
     fixes and extra portability.

     IRC source code is available by anonymous FTP from many locations,
     including the following:

        sungear.mame.mu.oz.au:/pub/irc
        alpha.gnu.ai.mit.edu:/ircII
        ftp.funet.fi:/pub/unix/irc/ircII
        coombs.anu.edu.au:/pub/irc/ircii

        File                  Size     MD5 Checksum
        --------              ------   -----------------------------
        ircii-2.6.tar.gz      366361   3FC5FBD18CB3E6C071F51FD8C6C59017
        ircii-2.6help.tar.gz  111733   D9D535B7A06BED2A2EA6676B20BDA481
        ircii-2.5to2.6-diff   19644    0C05C96B10CB87186BD921536AE3FDF2

      As of Feb. 2, 1995, an ircii2.6-sco-patch is available:

        File                  Size     MD5 Checksum
        --------              ------   -----------------------------
        ircii-2.6.tar.gz      366361   3FC5FBD18CB3E6C071F51FD8C6C59017
        ircii-2.6help.tar.gz  111733   D9D535B7A06BED2A2EA6676B20BDA481
        ircii-2.5to2.6-diff   19644    0C05C96B10CB87186BD921536AE3FDF2
        ircii-2.6-sco-patch   65143    45161113B0E435FB993CE00436A819A1



IV.  Informing Users

     Because users may have installed IRC source code on their own, we
     recommend informing all your users about the Trojan horse and the new
     version of IRC.

     In addition, you may want to find any user-installed copies of IRC that
     may be vulnerable. If so, you could use the find command to locate these
     binaries. As an example, the following command will enable you to find
     all files named "irc" in a subdirectory of /usr/users:

        % find /usr/users -name irc -type f -print
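The two checks in Sections III and IV, combined into one POSIX shell script as an added example that is not part of the CERT advisory: it emulates `strings` with `tr` so the indicator search works on hosts without binutils, sweeps a tree for files named irc the way the find command above does, and verifies a downloaded distribution file against the Size and MD5 Checksum columns from Section III. The function names are hypothetical, the sample files are constructed, and `md5sum` is assumed to be the GNU coreutils tool.

```shell
#!/bin/sh
# Added example (not from CERT advisory CA-94:14): locate ircII binaries,
# look for the JUPE/GROK indicator strings, and verify a download against
# the advisory's published size and MD5. Hypothetical function names;
# md5sum assumed to be GNU coreutils' (prints a lower-case hex digest).

# Emulate `strings`: emit runs of four or more printable characters, so the
# check also works where binutils is not installed.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Exit 0 and print the hits if either indicator string occurs in the file.
# As the advisory notes, a back door can be rebuilt around other words, so
# a clean result is not proof of a clean binary.
has_backdoor_strings() {
    printable_runs "$1" | grep -E 'JUPE|GROK'
}

# Walk a tree (the advisory's example is /usr/users) for regular files named
# irc and print "SUSPECT <path>" for each one carrying an indicator string.
sweep_irc_binaries() {
    find "$1" -name irc -type f -print 2>/dev/null | while IFS= read -r f; do
        if has_backdoor_strings "$f" >/dev/null; then
            echo "SUSPECT $f"
        fi
    done
}

# Check a downloaded file against the advisory's Size (bytes) and MD5 columns.
# The digest is compared case-insensitively: the advisory prints upper-case
# hex while md5sum prints lower-case.
verify_download() {
    file=$1; want_size=$2; want_md5=$3
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    want_lc=$(printf '%s' "$want_md5" | tr 'A-Z' 'a-z')
    [ "$got_size" = "$want_size" ] && [ "$got_md5" = "$want_lc" ]
}

# Demonstration on constructed files; no real ircII binary is needed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alice/bin" "$tmp/bob/bin"
    # constructed: one fake binary carries the indicator word, one does not
    printf '\177ELF\001\002client JUPE handler\003\004' > "$tmp/alice/bin/irc"
    printf '\177ELF\001\002ordinary irc client\003\004' > "$tmp/bob/bin/irc"
    sweep_irc_binaries "$tmp"          # reports alice's copy only

    # constructed download whose size and MD5 are known ("abc", 3 bytes)
    printf 'abc' > "$tmp/ircii-example.tar.gz"
    if verify_download "$tmp/ircii-example.tar.gz" 3 900150983CD24FB0D6963F7D28E17F72; then
        echo "checksum OK"
    else
        echo "checksum MISMATCH"
    fi
    rm -rf "$tmp"
}

demo
```

To use it against a real download, pass the filename together with the Size and MD5 Checksum values copied from the table in Section III, e.g. `verify_download ircii-2.6.tar.gz 366361 3FC5FBD18CB3E6C071F51FD8C6C59017`; a mismatch in either column means the file should not be built or installed.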



- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Matthew Green for his
assistance with this advisory.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).



If you wish to send sensitive incident or vulnerability information to
CERT via electronic mail, CERT strongly advises that the e-mail be
encrypted.  CERT can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT
for details).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous
FTP from info.cert.org.



- ------------------------------------------------------------------------------

Copyright 1994, 1995, 1996 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory.
Feb. 02, 1995  Sec. III - Added filenames and checksums for ircii2.6-sco-patch.
Oct. 20, 1994  Sec. III - Added example command using egrep.
                          Included alpha.gnu.ai.mit.edu as a source of ircII.







-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTAVFr9kb5qlZHQEQJQoQCgh0bVzEkyELa3PRuxS+vBib6WtVgAoPVk
NcGuceDB3GpWT2+JkakqcFLc
=OS+u
-----END PGP SIGNATURE-----







