mailing list archives
Fw: [irc-security] UnrealIRCd 126.96.36.199 backdoored on official ftp and site
From: Henri Salo <henri () nerv fi>
Date: Sat, 12 Jun 2010 18:09:17 +0300
Begin forwarded message:
Date: Sat, 12 Jun 2010 16:14:25 +0200
From: satmd <satmd () satmd dyndns org>
To: IRC Security Discussion List <irc-security () lists irc-unity org>
Subject: [irc-security] UnrealIRCd 188.8.131.52 backdoored on official ftp
I'd like to let you know that there's been a compromise of the
unrealircd website and ftp and the 184.108.40.206 tarball release had been
replaced by a backdoored copy.
I'm attaching Syzops original security advisory from
UnrealIRCd support staff
This is very embarrassing...
We found out that the Unreal220.127.116.11.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in
it. This backdoor allows a person to execute ANY command with the
privileges of the user running the ircd. The backdoor can be executed
regardless of any user
restrictions (so even if you have passworded server or hub that doesn't
any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at
least on some mirrors). It seems nobody noticed it until now.
Obviously, this is a very serious issue, and we're taking precautions
so this will never happen again, and if it somehow does that it will be
We will also re-implement PGP/GPG signing of releases. Even though in
(very) few people verify files, it will still be useful for those
people who do.
The Windows (SSL and non-ssl) versions are NOT affected.
CVS is also not affected.
3.2.8 and any earlier versions are not affected.
Any Unreal18.104.22.168.tar.gz downloaded BEFORE November 10 2009 should be
safe, but you should really double-check, see next.
How to check if you're running the backdoored version
One is to check if the Unreal22.214.171.124.tar.gz you have is good or bad by
running 'md5sum Unreal126.96.36.199.tar.gz' on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66
The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you're running the backdoored/trojanized
If it outputs nothing, then you're safe and there's nothing to do.
What to do if you're running the backdoored version
Obviously, you only need to do this if you checked you are indeed
backdoored version, as mentioned above. Otherwise there's no point in
continuing, as the version on our website is (now back) the good one
from April 13 2009 and nothing 'new'.
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd
The backdoor is in the core, it is not possible to 'clean' UnrealIRCd
a restart or through a module.
How to verify that the release is the official version
You can check by running 'md5sum Unreal188.8.131.52.tar.gz', it should
output: 7b741e94e867c0a7370553fd01506c66 Unreal184.108.40.206.tar.gz
For reference, here are the md5sums for ALL proper files:
These are the EXACT same MD5sums as mentioned on April 13 2009 in the
initial 220.127.116.11 announcement to the unreal-notify and unreal-users
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.
This advisory (and updates to it, if any) is posted to:
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Fw: [irc-security] UnrealIRCd 18.104.22.168 backdoored on official ftp and site Henri Salo (Jun 12)