IRC server had backdoor in source code for months

Discussion in 'malware problems & news' started by ronjor, Jun 13, 2010.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    The H Security
  2. ronjor

    ronjor Global Moderator

  3. katio

    katio Guest

    From the second article:
    That's just wrong, completely wrong. We are talking about an IRC server. Server market share for Linux is a tiny bit higher than 2%, more like ~20-40% and growing. And even if, that argument has and will always be flawed.
    Secondly Linux got probably more defenses than any other OS, it could be easier and user/admin friendlier but it's there if you need and want it. I'm talking about SELinux, Appamor, grsecurity, PaX, chroot, OpenVZ, Xen, samhain, chkrootkit, rkhunter, iptables, snort, OSSEC and there's a lot more.

    Sticking to pgp signed official repos is the first step. That usually guarantees some level of auditing, peer review and security against tampering from the outside. When compiling software from source you got to trust the maintainers and the security of their server or else check the source code yourself which often isn't very practical. But you can always isolate and monitor software from untrusted sources with some of the "defenses" I mentioned above.

    When it comes to Linux Desktops it's a bit more tricky and security through obscurity is helping still. Some if not most of these tools require in depth knowledge, were designed for server threat vectors and often don't work too well with large graphical applications all running under the same user.
  4. This isn't about the security of the software involved, it's about grotesque human error. For all we know UnrealIRCd might have been the most securely programmed IRC server out there. Only problem is, the developers dropped the ball and didn't realize they'd been hacked.

    It does raise a few questions about the Linux repository system though. I mean, how would Linux distro maintainers recognize that so-and-so software had been tampered with?

    (It applies to Windows too, though not quite so badly because Windows doesn't have repos full of third party software. But still - how do you recognize if e.g. the Irfanview website gets hacked and the good version replaced with a malicious rootkit-containing one? If you ask me, this is an argument for all software maintainers to use a HIDS, or somesuch.)
  5. chronomatic

    chronomatic Registered Member

    The issue here is not Linux, per se, but that certain protocols were not followed by both the upstream developers of the IRC server and by the Gentoo package maintainers. The upstream devs did not sign their packages (a huge no-no), and the Gentoo repo maintainers allowed an unsigned tarball to be placed into the repos. Both are huge no-no's, and frankly I am shocked Gentoo was so lax.

    Now, whoever said "a huge number of Linux systems are pwned" is a moron. I checked the Ubuntu repos and this package is not even offered at all. Since Ubuntu is, by far, the most used distro, it is fair to assume very few people are affected.
Thread Status:
Not open for further replies.