In a startling revelation, the administrators of UnrealIRCD, one of the most popular IRC servers revealed that the Linux version of UnreadlIRCd version 188.8.131.52 contained a backdoor in it. The backdoor could be executed by user, regardless of security privileges on the server. To rub salt on the wounds, the file was replaced on certain mirrors, way back in November 2009 and went unnoticed till yesterday.
The backdoor works by examining and parsing any incoming packets, looking specifically at the string “AB”. Any Linux command, followed by the string “AB” would be parsed and executed using system() function call, making it a very dangerous combo in the hands of a malicious user.
The administrators state that the following versions of UnrealIRCD are safe:
- Official precompiled Windows (SSL and non-ssl) binaries
- CVS versions
- 3.2.8 and any earlier versions are not affected
- Any Unreal184.108.40.206.tar.gz downloaded BEFORE November 10 2009 should be safe
Verifying that the version you have is not the backdoor version:
There are couple of ways to verify that you have legitimate version –
- Calculate the MD5 sum
Running ‘md5sum Unreal220.127.116.11.tar.gz’ will calculate the md5 sum: The official version has a md5 of 7b741e94e867c0a7370553fd01506c66 , while the Backdoored version has a md5 of 752e46f2d873c1679fa99de3f52a274d
- Examine struct.h h
Running grep DEBUG3_DOLOG_SYSTEM include/struct.h will perform a regex search for the pattern. If it outputs two lines, then you’re running the backdoored/trojanized version. If it outputs nothing, then the version is clean.
What to do if you’re running the backdoored version ?
If the above steps indicate you have a backdoor version, then following steps must be taken:
- Re-download from http://www.unrealircd.com/
- Verify MD5 (or SHA1) checksums
- Recompile and restart UnrealIRCd
Below are the verified md5 checksums:
- 7b741e94e867c0a7370553fd01506c66 for Unreal18.104.22.168.tar.gz
- 5a6941385cd04f19d9f4241e5c912d18 for Unreal22.214.171.124.exe
- a54eafa6861b6219f4f28451450cdbd3 for Unreal126.96.36.199-SSL.exe
Could anything have been done to prevent this ?
Perhaps. Fact that the md5sum was published on the site, and and yet nothing was done indicates that nobody bothered to verify the md5sum. You might argue that md5checksums could be altered, but this would be the case if the server was broken into, but in this case, the source files were altered, so the md5sum difference would have shown up.
The files could’ve been signed using PGP, but again, not sure how many people would be bothered to verify the signatures.
Response from UnrealIRCD team
The UnrealIRCd admins have come out full with a full disclosure, and they should be applauded for doing that, rather than covering up the matter. They have released an advisory, so keep an eye for any updates to this file. They have also stated that they will start PGP/GPG signing of releases.
Learnings from the incident
Most of these have been said ad nauseam, yet it needs to be repeated:
- Never download files from unverified sources.
- Always rely on files packaged by your distribution’s package manager.
- If you’re downloading sources, ensure that you’ve verified the authenticity. Most publish the md5/SHA1 checksums, if there’s any deviation then do inform the site admins.