
Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Posted: Sun Jun 13, 2010 5:42 pm
by satmd
Please note: Windows users are at risk if they have compiled their copy by themselves from the trojaned .tar.gz. The only thing not affected is the pre-made installers.
The backdoor itself is working on *all* platforms!

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Posted: Mon Oct 11, 2010 2:06 pm
by Shouden
I just finished spending 40hrs reinstalling, reconfiguring, and recompiling my server due to a compromise. Previous to reinstalling, I had carefully traced the hack back to a particular user on my server. That user had no website, and only was running Unreal and Anope. I'm not sure how they escalated to root (I suspect the new udev exploit), but it does appear that Unreal was the source of entry into my server. They replaced a ton of binaries like ps, top, netstat, chattr, lsof, sshd. The files were replaced in such a fashion that I could not rename, move, or copy them. They were NOT set immutable. I could not even rename, move, or copy them in single user mode. I was able to rename the directory that contained the binaries (/usr/sbin, /bin, /usr/bin) and recreate the directory moving all other binaries back in place, then using yum to reinstall the compromised package. Hunting through my logs and timestamps, it appears my server was hacked in June. I only noticed it recently as the server started to not act properly. OpenSSH would refuse my connection sometimes... then cPanel would not stay running. That was ultimately the final "weirdness" that caused me to really look into things and discover I was hacked.

I do see that you guys posted on your forums and despite the fact I read Slashdot nearly every day, I must have missed the day where this security bulletin was posted. I don't know if you guys sent out a notice via an email through these forums, but it would be nice if you guys had a low-traffic mailing list for people to join for cases like this.

The other thing I thought was odd... you guys discovered your .tar.gz file was compromised many months ago... yet there has been no new release? It seems to me the easiest method of ensuring everyone is running a non-compromised version (not everyone keeps the originals laying around) is to simply increment your version number and put out the new version. I find it odd that after so many months (since last December when they compromised the mirror(s)) you haven't released even a small incremental version update. I know IRC servers don't exactly change source code very often, but I would figure you would do that as a courtesy to the people that use your app.

In this case, I did everything an admin would normally do to protect their server (I'm a SysAdmin at a datacenter and well-versed in hacked/exploited servers). You guys have already apologized, so I'm not looking for anything in return. However after spending so many sleepless hours rebuilding this server, now that I know where the source of entry is, I wanted to let you guys know that this situation did cause me and my customers quite a bit of angst.

Please continue to do what's necessary to protect your reputable application, for the sake of all our servers that use it. :) I'm still a firm believer your IRC server is the best out there.

thank you for your time & effort
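The post above describes finding core binaries (ps, netstat, lsof, sshd) silently replaced months after the intrusion, and only noticing because of odd behaviour. A file-integrity baseline makes that kind of replacement visible on the next scan instead of by accident. The following is an added example, not code from the thread or from the UnrealIRCd project; the directory layout, the manifest file name and the sample files are constructed so it runs stand-alone.

```python
"""Host file-integrity baseline: hash the binaries under a set of directories,
save the manifest, and later diff it against a fresh scan.

Added example, not from the forum thread. Directory paths and the manifest
file name are assumptions; the sample tree built in demo() is constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(roots):
    """Map each regular file under the given roots to its SHA-256 digest.
    Symlinks are skipped so a redirected link is not mistaken for the file itself."""
    manifest = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                manifest[full] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files whose hash changed, that appeared, or that disappeared."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "missing": missing}


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake bin directory, then swap one binary
    and drop an unexpected file, the way the post describes finding its system."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.makedirs(bindir)
        for name in ("ps", "netstat", "lsof"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        manifest_path = os.path.join(tmp, "baseline.json")
        save_manifest(build_manifest([bindir]), manifest_path)

        # Simulate a replaced binary and a new file dropped into the directory.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"replaced ps")
        with open(os.path.join(bindir, "unexpected"), "wb") as f:
            f.write(b"new file")

        report = compare_manifests(load_manifest(manifest_path), build_manifest([bindir]))
        # Return basenames so the result does not depend on the temp path.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the post itself: the baseline must be stored off the host (a manifest sitting next to replaced binaries can be rewritten along with them), and the scan that produces the "current" manifest should be run from a rescue environment or against a read-only mounted disk, since the post shows that ps, lsof and friends on the live system can no longer be trusted. Package-manager verification data, as used by the reinstall-via-yum step in the post, gives the same kind of comparison for packaged files.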

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Posted: Mon Oct 11, 2010 3:17 pm
by Syzop
Thanks for sharing your story, sucks bigtime indeed.
As for not releasing a new version, this is simply because we don't have a new version that warrants a release yet (though we hope to release 3.2.9 in a few months), and there is nothing wrong with -- unless, of course, you downloaded the trojanized .tar.gz. And to be honest, we hoped we would have released 3.2.9 sooner.

The security breach was mentioned on slashdot, bugtraq, irc-junkie, other websites and 'real media' (even to the extent it got into open source bashing...).

As for a low volume mailing list for cases like this, yes, it exists, it's called unreal-notify and is linked from our support page and in the docs in the 'Security checklist'. We announce releases and security issues on that list, so it's very low volume. On a side note, this mailing list also contained the correct MD5/SHA1 checksum, it's just that nobody noticed that that one differed from the ones they were downloading. I can't blame anyone, as I didn't notice it myself either.
Anyway, I'll see if I can make the mailing list link a bit more prominent/visible, after all I think everyone who runs UnrealIRCd should be subscribed to that list :)

UPDATE: You now see some 'ad' (by lack of a better word) about unreal-notify in the 'You are now downloading' screen whenever you download a release, hopefully getting more people to subscribe.
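The reply above makes the key point: the correct MD5/SHA1 checksum was published out of band on the announce list, and the trojanized tarball would have been caught by anyone who compared it. The following is an added example, not code from the thread or the UnrealIRCd project, of doing that comparison in a script: it parses a checksum line in the `<digest>  <filename>` form that md5sum/sha1sum/sha256sum print, hashes the downloaded file with the matching algorithm, and refuses a file whose name or digest does not match. The tarball bytes and the published line in demo() are constructed so it runs offline; the release filename is an assumption, not a real release.

```python
"""Verify a downloaded release tarball against a checksum published out of band
(for example on an announce mailing list).

Added example, not from the thread or the project. The sample tarball and the
"published" checksum line are constructed so the script runs stand-alone.
"""
import hashlib
import hmac
import os
import tempfile

# Hex digest length identifies which algorithm produced the published line.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_line(line: str):
    """Split 'digest  filename' (sha1sum style) into (algorithm, digest, filename).
    Malformed input raises ValueError instead of being silently accepted."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<digest>  <filename>'")
    digest, filename = parts
    digest = digest.lower()
    algo = _ALGO_BY_HEXLEN.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("unrecognised digest format")
    # Some tools prefix the filename with '*' to mark binary mode; drop it.
    return algo, digest, filename.lstrip("*")


def digest_file(path: str, algo: str) -> str:
    """Hash the file in chunks with the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_line: str) -> bool:
    """True only if the file's digest equals the published one and the filename
    on the published line is the file actually being checked."""
    algo, expected, expected_name = parse_checksum_line(published_line)
    if os.path.basename(path) != expected_name:
        return False
    actual = digest_file(path, algo)
    # compare_digest is the habitual way to compare digests; it also rejects
    # any length mismatch without short-circuiting on the first differing byte.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a genuine download and a tampered copy from a
    second location, both checked against the same published line."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "release-1.0.tar.gz"  # assumed filename, not a real release
        good = os.path.join(tmp, name)
        with open(good, "wb") as f:
            f.write(b"constructed tarball contents")
        # The published line is derived from the known-good bytes here only so the
        # demo is self-contained; in practice it comes from the announcement, never
        # from the same mirror the tarball was fetched from.
        published = f"{digest_file(good, 'sha256')}  {name}"
        good_ok = verify_download(good, published)

        mirror = os.path.join(tmp, "mirror")
        os.makedirs(mirror)
        tampered = os.path.join(mirror, name)
        with open(tampered, "wb") as f:
            f.write(b"constructed tarball contents with extra code")
        tampered_ok = verify_download(tampered, published)
        return good_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check is only as good as the channel the published digest arrives through: a hash hosted beside the tarball on a compromised mirror proves nothing, which is why the announce list mentioned above is the right source. MD5 and SHA1 are accepted here because that is what the thread's announcements carried; for anything new, publish and compare SHA-256.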

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Posted: Mon Oct 11, 2010 3:53 pm
by Shouden

Thank you for your reply. I do appreciate that you guys tried everything you could to get the word out. And I certainly am glad you guys did the right thing and were very open about it with everyone. It is certainly on me for not double checking the md5 hash and apparently not being on the mailing list. :)

Thank you for making an effort to get the mailing list in a more visible place. I even looked after I made my forum post and couldn't find anything on your homepage about it (typically it'd be a small one-field html subscribe form). I think I'll go sign up now. :)

Thank you again for your hard work on this app and for sending me a reply.

Re: Some versions of Unreal3.2.8.1.tar.gz contain a backdoor

Posted: Sat Dec 25, 2010 10:06 am
by akin
Thanks very nice :)