Sunday, June 13, 2010

UnrealIRCd backdoored, investigation

UnrealIRCd is a great IRC server software (daemon) and very popular among mid-sized networks because of its highly advanced features and the fact that it is cross-platform (at least Windows/Linux fully supported).

Yesterday, bad news: some versions of Unreal3.2.8.1.tar.gz contain a backdoor because download mirrors have been compromised.. since november 2009! Read the official security advisory for more information. Other websites are reporting the issue, someone even provided a small shell script to fix the flaw: it basically reverts the changes with diff+patch, make clean & make again, so you just have to restart your IRCd. If you're running an UnrealIRCd you should double check your installation because some exploits are already widespread, as well as an NSE (Nmap Scripting Engine) script (seen on nmap-dev mailing list) to scan & kill IRC servers infected by the backdoor.

Oh and funny thing on Yahoo news and techworld (who seems to have copy/pasted yahoo news..):
The good news [...] is that the Trojan is in a game download so it should
have no bearing on Linux in a business setting.
Unreal is a popular first-person shooter game--similar to Doom or Quake.
No, Unreal is not UnrealIRCd. :)

As a curious person I wanted to know more about this backdoor, so let's investigate.

Sunday, June 06, 2010

Updated links, XMLStarlet

Just a small message to let you know that I have updated my links list. Big thanks to these good sites/blogs that I read regularly via their RSS/Atom feeds.

To create this list, I exported my subscriptions from Google Reader and used XMLStarlet to easily parse the XML.
for N in $(xmlstarlet sel -t -m '/opml/body/outline' -v "@title" -n $F); do
  echo "# $N"
  xmlstarlet sel -t -m "/opml/body/outline[@title='$N']/outline" -v "@title" -o '|' -v '@htmlUrl' -n $F
done > subscriptions
# manual edit to remove some things
grep -v '^#' subscriptions |sort |awk 'BEGIN{FS="|"} {if ($0!="") print "<a href=\""$2"\">"$1"</a><br />"}' > feeds.html
Some resources about XMLStarlet.

Update 2011: too many feeds to fit nicely on the blog so I removed it. If you are looking for feeds, check out infond's or eikonal's.