A complete revision history is at the end of this file.
The CERT Coordination Center has learned of a Trojan horse in some copies of ircII version 2.2.9, the source code for the Internet Relay Chat (IRC) client for UNIX systems. Reports we have received thus far indicate that the corrupt code was available as early as May 1994. The Trojan horse provides a back door through which intruders can gain unauthorized access to accounts of IRC users. Intruders are actively exploiting this back door. If you obtained ircII 2.2.9 from any site in May or later, you may be vulnerable.
Because it is unknown how far the corrupt version of the IRC client has propagated and because intruders may have corrupted other versions, the CERT staff recommends obtaining and installing ircII version 2.6.
Because no special privileges are needed to install and run the IRC source code, any user on your system may have installed the corrupt code. Thus, we also recommend that you inform your users of this potential problem and its solution.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
The Trojan horse creates a back door and enables intruders to gain unauthorized access to accounts of IRC users. If IRC is run from a system account, such as root or bin, the Trojan horse enables intruders to gain unauthorized access to the system account. In addition, because it is possible to compile, install, and run IRC source code without special privileges, any user on your system may have installed corrupt code.
The source code containing the Trojan horse was available from many FTP sites as early as May 1994 (at this time, we do not have a specific date).
% strings /usr/local/bin/irc | grep -e 'JUPE' -e 'GROK'
% strings /usr/local/bin/irc | egrep 'JUPE|GROK'
If the strings JUPE or GROK are present in the IRC client, your source code may contain the Trojan horse. Keep in mind, however, that back doors can easily be changed to respond to other words, so you may be vulnerable even if you do not find JUPE or GROK.
Thus, even if you believe that your IRC source code is clean, we urge you to install ircII version 2.6, the most recent version of IRC. Also, the maintainer of the code reports that version 2.6 contains many bug fixes and extra portability.
IRC source code is available by anonymous FTP from many locations, including the following:
sungear.mame.mu.oz.au:/pub/irc
alpha.gnu.ai.mit.edu:/ircII
ftp.funet.fi:/pub/unix/irc/ircII
coombs.anu.edu.au:/pub/irc/ircii
File                    Size     MD5 Checksum
--------                ------   -----------------------------
ircii-2.6.tar.gz        366361   3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz    111733   D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff     19644    0C05C96B10CB87186BD921536AE3FDF2
As of Feb. 2, 1995, an ircii2.6-sco-patch is available:
File                    Size     MD5 Checksum
--------                ------   -----------------------------
ircii-2.6.tar.gz        366361   3FC5FBD18CB3E6C071F51FD8C6C59017
ircii-2.6help.tar.gz    111733   D9D535B7A06BED2A2EA6676B20BDA481
ircii-2.5to2.6-diff     19644    0C05C96B10CB87186BD921536AE3FDF2
ircii-2.6-sco-patch     65143    45161113B0E435FB993CE00436A819A1
In addition, you may want to find any user-installed copies of IRC that may be vulnerable. If so, you could use the find command to locate these binaries. As an example, the following command will enable you to find all files named "irc" in a subdirectory of /usr/users:
% find /usr/users -name irc -type f -print
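The find sweep and the strings check from this advisory combined into one script, as an added example that is not part of the original advisory. The function names, output labels and sample tree are constructed for illustration; a file without a marker is reported as "no-marker" rather than clean because, as the advisory notes, a back door can be changed to respond to other words.

```sh
#!/bin/sh
# Added example: find files named "irc" under a directory and flag any that
# contain the marker strings named in the advisory (JUPE, GROK).

# Print the distinct markers found in file $1, space-separated (empty if none).
irc_markers() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C grep -a -o -E 'JUPE|GROK' "$1"   # fallback if strings is absent
    fi 2>/dev/null | LC_ALL=C grep -o -E 'JUPE|GROK' | sort -u | paste -sd ' ' -
}

# Walk $1 (default /usr/users, the advisory's example path). A file with no
# marker is reported as "no-marker", not clean: the trigger words can be changed.
sweep_irc() {
    find "${1:-/usr/users}" -name irc -type f -print 2>/dev/null |
    while IFS= read -r f; do
        hits=$(irc_markers "$f")
        if [ -n "$hits" ]; then
            printf 'SUSPECT\t%s\t%s\n' "$f" "$hits"
        else
            printf 'no-marker\t%s\n' "$f"
        fi
    done
}

# Constructed sample tree (not real ircII binaries): one file with a marker,
# one without. Prints the path of the temporary directory it created.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/alice/bin" "$d/bob/bin" &&
    printf '\000\001binary\000JUPE\000more\000' > "$d/alice/bin/irc" &&
    printf '\000\001binary\000harmless\000' > "$d/bob/bin/irc" &&
    printf '%s\n' "$d"
}

# With an argument, sweep that directory; with none, sweep the sample tree.
if [ $# -gt 0 ]; then
    sweep_irc "$1"
else
    t=$(make_sample_tree) && sweep_irc "$t"
    rm -rf "$t"
fi
```

Any file reported as SUSPECT, and any copy of unknown origin, should be replaced with a build of ircII 2.6 whose size and MD5 checksum match the table above.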
Copyright 1994, 1996 Carnegie Mellon University.
Sep. 23, 1997 Updated copyright statement
Aug. 30, 1996 Information previously in the README was inserted into the advisory.
Feb. 02, 1995 Sec. III - Added filenames and checksums for ircii2.6-sco-patch.
Oct. 20, 1994 Sec. III - Added example command using egrep. Included alpha.gnu.ai.mit.edu as a source of ircII.