14-06-2010, 09:39 AM
#1 (permalink)
Linoob
Join Date: Mar 2010
Location: ambala, haryana
Posts: 705
Linux Trojan
Linux Trojan was Unnoticed for a year
It seems the Linux version of the popular IRC server Unreal IRCd was contaminated with malware ever since November 2009, without anyone noticing it. The announcement was made on the Unreal IRCd forums:
Quote:
This is very embarrassing... We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in). [...] It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
This reminds us that an OS is as secure as the owner makes it. Remember to always check the source code before running a script / application. Better yet, only install applications from your distribution's official repositories and very trusted sources.
Source
__________________
root@Celldweller#ping www.linoob.com
Ubuntu User # 31222
Linux User # 516252
18-06-2010, 07:14 PM
#2 (permalink)
Right Off the Assembly Line
Join Date: Jul 2009
Posts: 14
Re: Linux Trojan
 too bad
18-06-2010, 08:04 PM
#3 (permalink)
Linoob
Join Date: Mar 2010
Location: ambala, haryana
Posts: 705
Re: Linux Trojan
It was just a small issue. As the IRC guys already said, "This is very embarrassing". No big deal. Linux is still as secure as it was before this, and yes, the security of a home/desktop computer or a network server largely depends upon its user/pro!
__________________
root@Celldweller#ping www.linoob.com
Ubuntu User # 31222
Linux User # 516252
18-06-2010, 09:37 PM
#4 (permalink)
Wise Old Owl
Join Date: Nov 2006
Location: Pune, Maharashtra, India
Posts: 1,728
Re: Linux Trojan
The hacker cannot damage the Linux server unless and until there is a foolish server administrator who has set up the IRC daemon to run as root or has given sudo permissions to the IRC daemon user.
Even better, there are many ways to put the thing in chroot, so it will be impossible to damage the OS core.
Also, the trojan was right in the source, so the server gets infected, otherwise, it cannot; the permission system is very secure, and if the administrator has enabled SELinux and configured it properly, even if a trojan enters, it cannot do anything with the OS files.
__________________
KDE on ArchLinux
PHP, MySQL, PostgreSQL, Linux, Apache; Message me to hire (freelancing only)
Explore Technology @ http://www.itech7.com
Cheap and Reliable VPS Hosting @ http://j.mp/arHk5e
18-06-2010, 09:44 PM
#5 (permalink)
Linoob
Join Date: Mar 2010
Location: ambala, haryana
Posts: 705
Re: Linux Trojan
Quote:
there are many ways to put the thing in chroot, so it will be impossible to damage the OS core.
True! SELinux is good at security if somebody knows how to handle it properly.
__________________
root@Celldweller#ping www.linoob.com
Ubuntu User # 31222
Linux User # 516252
18-06-2010, 09:50 PM
#6 (permalink)
Section Moderator
Join Date: Mar 2007
Location: Hyderabad
Posts: 1,187
Re: Linux Trojan
What's the big deal?
26-06-2010, 11:09 AM
#7 (permalink)
Wise Old Owl
Join Date: Nov 2006
Location: Pune, Maharashtra, India
Posts: 1,728
Re: Linux Trojan
^^ These are obvious cases. You need to always be aware of what you install and scrutinize the scripts that it runs.
If I configure the SSH server on my system to allow all logins along with empty passwords, and the root account has no password, then it is an obvious case!
Think about something indirect! Like some virus invades and then creates a security hole, which usually happens in Windows - something impossible in Linux, unless the admin is a dumbo who has improperly configured the server.
That's why Linux server administrators are paid heavily - the job is such.
We have GPG keys and MD5/SHA1 sums for the files downloaded to ensure that the source code isn't tampered with.
__________________
KDE on ArchLinux
PHP, MySQL, PostgreSQL, Linux, Apache; Message me to hire (freelancing only)
Explore Technology @ http://www.itech7.com
Cheap and Reliable VPS Hosting @ http://j.mp/arHk5e
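
Post #7 points to checksums as the guard against a replaced tarball. As an added example (not part of the thread), the shell function below checks a download against a digest list and fails closed when the file is unlisted. It uses SHA-256 instead of the MD5/SHA1 named in the post, the file names and contents are constructed, and the digest list is assumed to come from a source other than the mirror that served the file.

```shell
#!/usr/bin/env bash
# Added example: verify a download against a digest list obtained out of band.
# All file names and contents here are constructed for the demo.

# verify_download FILE SUMS
#   SUMS is in `sha256sum` output format: "<hex digest>  <file name>"
#   (file names without spaces). Returns:
#   0 = digest matches, 1 = mismatch, 2 = file not listed or input unreadable
verify_download() {
    local file=$1 sums=$2 name expected actual
    [ -r "$file" ] && [ -r "$sums" ] || return 2
    name=$(basename "$file")
    # Pick the digest from the line whose name column equals our file name
    # (sha256sum prefixes the name with "*" in binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2      # fail closed: an unlisted file is not trusted
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Build a scratch directory holding a "release" file, its trusted digest list,
# and a same-named replaced copy such as a tampered mirror would serve.
make_demo() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/good" "$dir/mirror"
    printf 'original release contents\n' > "$dir/good/demo-1.0.tar.gz"
    printf 'original release contents + extra code\n' > "$dir/mirror/demo-1.0.tar.gz"
    printf 'never published\n' > "$dir/mirror/other.tar.gz"
    ( cd "$dir/good" && sha256sum demo-1.0.tar.gz ) > "$dir/SHA256SUMS"
    echo "$dir"
}

# Print a label and the verifier's exit status without aborting under `set -e`.
report() {
    local label=$1 rc=0
    shift
    verify_download "$@" || rc=$?
    echo "$label: $rc"
}

demo=$(make_demo)
report "good copy"     "$demo/good/demo-1.0.tar.gz"   "$demo/SHA256SUMS"
report "replaced copy" "$demo/mirror/demo-1.0.tar.gz" "$demo/SHA256SUMS"
report "unlisted file" "$demo/mirror/other.tar.gz"    "$demo/SHA256SUMS"
rm -rf "$demo"
```

A digest list downloaded from the same mirror as the tarball can be replaced along with it, which is why the post also names GPG keys: a signature over the list ties it to the project's key rather than to the server.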
09-07-2010, 03:00 AM
#8 (permalink)
Right Off the Assembly Line
Join Date: Jan 2010
Posts: 40
Re: Linux Trojan
Well, but then it isn't feasible to check the code of each and every thing, especially when it is reputed...
16-07-2010, 03:53 AM
#9 (permalink)
Right Off the Assembly Line
Join Date: Jul 2010
Posts: 41
Re: Linux Trojan
I used all ircd's except unreal; well, once I was proven right, else I have been proven wrong again and again.
Second, ircd can be run as an ordinary user or inside chroot, so I don't think it can do serious damage if run as an ordinary user or in chroot.
And thirdly? We got selinux, grsecurity, apparmor, execshield, and rkhunter and chkrootkit and lsat and checksecurity et al., iptables and snort, so you mean to say this rootkit was a wild one for so long w/o anyone knowing?
Weird.
I will go for freenode's dancer, or efnet's ratbox, or undernet's ircu, or ircnet's ircd, or even dal.net's bahamut, but never unreal; never liked it from the start, kinda pissed me off.