Linux Version Of Unreal IRC Servers Contained Trojans Since 2009

In a startling revelation, the administrators of UnrealIRCd, one of the most popular IRC servers, revealed that the Linux version of UnrealIRCd 3.2.8.1 contained a backdoor. The backdoor could be triggered by any user, regardless of their privileges on the server. To rub salt in the wound, the file had been replaced on certain mirrors back in November 2009 and went unnoticed until yesterday.

The backdoor works by examining and parsing incoming packets, looking specifically for the string “AB”. Any Linux command, followed by the string “AB”, would be parsed and executed via the system() function call, making it a very dangerous combination in the hands of a malicious user.

The administrators state that the following versions of UnrealIRCD are safe:

  • Official precompiled Windows (SSL and non-SSL) binaries
  • CVS versions
  • 3.2.8 and any earlier versions are not affected
  • Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe

Verifying that the version you have is not the backdoor version:

There are a couple of ways to verify that you have a legitimate version:

  • Calculate the MD5 sum

Running ‘md5sum Unreal3.2.8.1.tar.gz’ will calculate the MD5 sum. The official version has an MD5 of 7b741e94e867c0a7370553fd01506c66, while the backdoored version has an MD5 of 752e46f2d873c1679fa99de3f52a274d.

  • Examine struct.h

Running ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ will search the header for that pattern. If it outputs two lines, you’re running the backdoored/trojanized version. If it outputs nothing, the version is clean.
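As an added example (not from the original post or the UnrealIRCd project), the following POSIX shell script automates both checks above using the MD5 values quoted in the post. It assumes you have the downloaded tarball and an unpacked source tree containing include/struct.h; the function names are my own.

```shell
#!/bin/sh
# MD5 values quoted from the advisory as reproduced in the post above.
OFFICIAL_MD5=7b741e94e867c0a7370553fd01506c66
BACKDOOR_MD5=752e46f2d873c1679fa99de3f52a274d

# Classify a tarball by its MD5: prints official, backdoored or unknown.
# "unknown" means neither published hash matched and the file needs
# to be looked at by hand rather than assumed good.
check_tarball_md5() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    case "$sum" in
        "$OFFICIAL_MD5") echo official ;;
        "$BACKDOOR_MD5") echo backdoored ;;
        *)               echo unknown ;;
    esac
}

# Classify an unpacked source tree by the struct.h grep from the post.
# The post says the trojanized header yields two matching lines and a
# clean one yields none; any match is treated as backdoored here, and a
# missing header is reported separately so it is never mistaken for clean.
check_struct_h() {
    hdr="$1/include/struct.h"
    if [ ! -f "$hdr" ]; then
        echo missing
        return
    fi
    hits=$(grep -c DEBUG3_DOLOG_SYSTEM "$hdr" || true)
    if [ "${hits:-0}" -eq 0 ]; then
        echo clean
    else
        echo backdoored
    fi
}

# Usage: sh check_unreal.sh Unreal3.2.8.1.tar.gz [unpacked-source-dir]
if [ $# -ge 1 ]; then
    echo "tarball:  $(check_tarball_md5 "$1")"
fi
if [ $# -ge 2 ]; then
    echo "struct.h: $(check_struct_h "$2")"
fi
```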

What to do if you’re running the backdoored version?

If the above steps indicate you have a backdoored version, then the following steps must be taken:

Verified md5sums

Below are the verified md5 checksums:

  • 7b741e94e867c0a7370553fd01506c66 for Unreal3.2.8.1.tar.gz
  • 5a6941385cd04f19d9f4241e5c912d18 for Unreal3.2.8.1.exe
  • a54eafa6861b6219f4f28451450cdbd3 for Unreal3.2.8.1-SSL.exe

Could anything have been done to prevent this?

Perhaps. The fact that the md5sum was published on the site and yet nothing was noticed indicates that nobody bothered to verify it. You might argue that MD5 checksums could themselves be altered, but that would only apply if the web server had been broken into; in this case the source files on the mirrors were altered, so the md5sum difference would have shown up.

The files could have been signed using PGP, but again, it’s not clear how many people would have bothered to verify the signatures.

Response from UnrealIRCD team

The UnrealIRCd admins have come out with a full disclosure, and they should be applauded for doing so rather than covering up the matter. They have released an advisory, so keep an eye out for any updates to it. They have also stated that they will start PGP/GPG signing of releases.

Learnings from the incident

Most of these have been said ad nauseam, yet they need to be repeated:

  • Never download files from unverified sources.
  • Always rely on files packaged by your distribution’s package manager.
  • If you’re downloading sources, ensure that you’ve verified their authenticity. Most projects publish MD5/SHA1 checksums; if there’s any deviation, inform the site admins.

3 thoughts on “Linux Version Of Unreal IRC Servers Contained Trojans Since 2009”

  1. Yes, someone came into my IRC server and happened to know about that bug and took the whole server down, and deleted everything in the shell. This is a bad bug, recompile now! Before you lose all your data like I did; luckily it was backed up. :) If you check http://forums.unrealircd.com/viewtopic.php?t=6562 there is that dude named Gemster in that forum asking if he was infected; he was the guy who crashed my server because he knew about the bug.
