Since Micha didn't take the time to post this email after it was passed along to himself and others on one of EFnet's oper lists I submit the following to explain what really happened to the BitchX website and DNS over the weekend. I also would like to point out that in the future I may be contacted directly concerning any matters such as these as I am involved with nearly every person currently involved in the development and distribution of the source code. I should point out that since I maintain the FTP site, people should know that the FTP site does not reside on the same systems as the web and dns for bitchx.org. If in doubt at any time we have posted information on http://faq.bitchx.org which tells users how to verify source and what the legitimate IP addresses for the current FTP servers are. All current (except for CVS snapshot source code) source and binaries have been signed by me. This information is available on the FAQ website as well. ---- Message as forwarded to all parties involved ---- Over the weekend the DNS for bitchx.org was directly changed by someone who exploited a machine at 207.178.61.5 aka smtp1.wia.com and was releasing source for ircii-pana-1.0c19.tar.gz which included in the configure script this: sa.sin_addr.s_addr = inet_addr ("207.178.61.5"); Previously the DNS was poisoned to cause users to download from what would normally appear to be a legitimate FTP site. However in this case we believe after contacting one of the admins for the machines that hosts the DNS for BitchX.org that the actual machine itself may have been compromised since the physical URL pointer on the website was pointed to ftp2.bitchx.org which goes to the previously mentioned IP address. We have taken action to correct the website and the DNS is being handled. The machine at wia.com however is still compromised and has distributed a number of copies of the compromised source code. I have called the NOC at accretive-networks.net and notified them of the machine in question. As soon as I am able to I will post a notice to the proper mailing lists that have covered this issue and address them directly so as to prevent this sort of thing from happening in the future without our being notified any sooner than we were later Saturday evening. Thanks, Robert Andrews President RELI Networks, Inc. Atlanta, GA. randrews@relinetworks.com -- Followup: X-Authentication-Warning: grmpa.com: www set sender to stevenb@wolfe.net using -f Date: Mon, 14 Apr 2003 10:10:04 -0700 From: Steve Breeden <stevenb@wolfe.net> To: "" <noc@accretive-networks.net> Cc: "" <randrews@relinetworks.com> Subject: Re: [ACCR-NETOPS #33425] over the weekend.... (fwd) User-Agent: Internet Messaging Program (IMP) 3.2.1 / FreeBSD-5.0 This machine (207.178.61.5) was taken offline Saturday evening and replaced. It is no longer compromised as stated below. Quoting Accretive Networks Abuse Department <noc@accretive-networks.net>: > > > Mon Apr 14 09:55:29 2003: Request 33425 was acted upon. > Transaction: Ticket created by abuse@accretive-networks.net > Queue: noc > Subject: over the weekend.... (fwd) > Owner: Nobody > Requestors: abuse@accretive-networks.net > Status: new > Ticket <URL: > http://tracker.accretive-networks.net/Ticket/Display.html?id=33425 > > ------------------------------------------------------------------------- > In case you didn't see this. > > Accretive Networks Abuse Dept. > http://www.accretive-networks.net/ -- Steve Breeden support@wolfe.net Support Engineer Accretive Networks P.206.443.6401 ext 204 F.206.269.0188 For DNS requests: dns-admin@accretive-networks.net For Hosting-support: hosting-support@accretive-networks.net
