It seems that my posts have been misfired a little. Let me summarize how,when and why I got trojaned sources Since I am not a security guru whatsoever I couldn't know that this issue is already known. Anyway, it did happen to me this Saturday so there is a possibility that something weird is lingering at ftp.bitchx.org or its DNS servers. So, I fired up www.bitchx.org Saturday 13.04.2003 about 22:00 local time. I went to download.php and checked the URL for source tarball. I wget'ted that URL - on saturday it showed: ftp://ftp2.bitchx.org/pub/BitchX/source/ircii-pana-1.0c19.tar.gz (I double-checked wget command line that I issued) I archived the said file,it's MD5 checksum is: sh> md5sum ircii-pana-1.0c19.tar.gz 927163e0466884b2771ae769e5c775d0 ircii-pana-1.0c19.tar.gz I started ./configure script and noticed outbound connections to port 6667. They were firewall-blocked anyway and that's why they really caught my eye. Otherwise, I probably wouldn't have noticed them and perhaps would not have bothered. So,I inspected ./configure and found the piece of code I was sending to the list. All I was asking for was to verify that this was a backdoor, since I really didn't know about it and it looked like one (at least my C knowledge said so) (well I heard about irssi 'patched' that way) My impression after all your posts saying that the bitchx.org sources are OK is that on Saturday two things could have happened. - some sort of dns spoofing which fooled wget to fetch 'bad' tarball (notice I was downloading from ftp_2_.bitchx.org) - modified webpage showing 'wrong' URL I am 100% sure that I was getting the URL from the official www.bitchx.org. So what do you think? ps. I am not doing all this just to get bugtraq'ed ;-) I just thought there's something weird lurking around at www.bitchx.org. I am not a security inspector/advisor nor do I have sufficient knowledge so I decided to discuss it here. Regards -- Michał 'Mikey' Szwaczko Developer/Troubleshooter gcc is really a compressor - it gets 100M of kernel sources down to 700k.
