On my daily rounds, I pick up all kinds of good lil’ tidbits for article ideas. Most of them are related to Windows flaws or Anti Apple articles, but none of them really cut the mustard. However, today I am going to pound my fist against the wall at those of US that thought we had less to worry about. Yeah, we are Linux advocates, and we overlook security sometimes. Today I was introduced to a statement by UnrealIRCd detailing a trojan packaged with their IRCd (Internet Relay Chat daemon) for Linux. This obviously represents one FATAL flaw with the Linux faithful: the blind trust we have for most of the Linux community and the lack of attention we pay to what we are installing or downloading. This time, it leads us to a backdoor that grants an evildoer the ability to run ANY command with the privileges of the user running the daemon.
This is very embarrassing…
We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn’t allow any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
Obviously, this is a very serious issue, and we’re taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.
While the software maker’s mirror downloads for Linux had been packaged with the trojan, the Windows version (PRECOMPILED) remained clean.
Official precompiled Windows (SSL and non-ssl) binaries are NOT affected.
CVS is also not affected.
3.2.8 and any earlier versions are not affected.
Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check, see next.
The oddity here is that the infection would have been found MUCH faster if the trojan had been released in the Windows version. I can’t imagine that this has been running around for 7 months unnoticed. My personal belief, when it comes to installing software on my Web Server (C.O.D. PROUDLY RUNS ON LINUX), is that I check the md5sums on everything that lists them.
How to verify that the release is the official version
You can check by running ‘md5sum Unreal3.2.8.1.tar.gz’, it should output:
For reference, here are the md5sums for ALL proper files:
These are the EXACT same MD5sums as mentioned on April 13 2009 in the initial 3.2.8.1 announcement to the unreal-notify and unreal-users mailing list.
Now this is where my beliefs get interesting. I DON’T BLAME THE SOFTWARE MAKER! I blame the users! I personally scan all files I download on my WINDOWS workstation prior to installing. There are plenty of instances where I receive false positives and plenty of times that things have slipped through. However, for the Linux faithful to blindly believe that the packages they are downloading have not been modified is unacceptable. As quoted above, UnrealIRCd provided the md5sums for the proper files.
As one user stated:
Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor
by tmpaccount on Sun Jun 13, 2010 11:14 am
You are very irresponsible.
I’ll migrate to some other IRC server as soon as I can and I’d recommend everybody else to do the same.
I was wondering whether it was indeed someone from outside or if you guys did it yourself and when the advisory was published you decided to blame someone from outside.
SHAME ON YOU.