Date: 15 Apr 2003 01:44:36 -0000
From: Rob Andrews <randrews@...inetworks.com>
To: bugtraq@...urityfocus.com
Subject: BitchX trojan, the real follow up.




Since Micha didn't take the time to post this email after it was passed 
along to himself and others on one of EFnet's oper lists I submit the 
following to explain what really happened to the BitchX website and DNS 
over the weekend.

I also would like to point out that in the future I may be contacted 
directly concerning any matters such as these as I am involved with nearly 
every person currently involved in the development and distribution of the 
source code.

I should point out that since I maintain the FTP site, people should know 
that the FTP site does not reside on the same systems as the web and dns 
for bitchx.org.  If in doubt at any time we have posted information on
http://faq.bitchx.org which tells users how to verify source and what the 
legitimate IP addresses for the current FTP servers are.  All current 
(except for CVS snapshot source code) source and binaries have been signed 
by me.  This information is available on the FAQ website as well.

---- Message as forwarded to all parties involved ----

Over the weekend the DNS for bitchx.org was directly changed by someone who
exploited a machine at 207.178.61.5 aka smtp1.wia.com and was releasing
source for ircii-pana-1.0c19.tar.gz which included in the configure script 
this:

sa.sin_addr.s_addr = inet_addr ("207.178.61.5");

Previously the DNS was poisoned to cause users to download from what would
normally appear to be a legitimate FTP site.  However in this case we
believe after contacting one of the admins for the machines that hosts the
DNS for BitchX.org that the actual machine itself may have been compromised
since the physical URL pointer on the website was pointed to 
ftp2.bitchx.org which goes to the previously mentioned IP address.

We have taken action to correct the website and the DNS is being handled.
The machine at wia.com however is still compromised and has distributed a
number of copies of the compromised source code.

I have called the NOC at accretive-networks.net and notified them of the 
machine in question.  As soon as I am able to I will post a notice to the 
proper mailing lists that have covered this issue and address them directly
so as to prevent this sort of thing from happening in the future without 
our being notified any sooner than we were later Saturday evening.


Thanks,


Robert Andrews
President
RELI Networks, Inc.
Atlanta, GA.
randrews@...inetworks.com


-- Followup:


X-Authentication-Warning: grmpa.com: www set sender to stevenb@...fe.net 
using -f 
Date: Mon, 14 Apr 2003 10:10:04 -0700 
From: Steve Breeden <stevenb@...fe.net> 
To: "" <noc@...retive-networks.net> 
Cc: "" <randrews@...inetworks.com> 
Subject: Re: [ACCR-NETOPS #33425] over the weekend.... (fwd) 
User-Agent: Internet Messaging Program (IMP) 3.2.1 / FreeBSD-5.0 

This machine (207.178.61.5) was taken offline Saturday evening and 
replaced.
It is no longer compromised as stated below.


Quoting Accretive Networks Abuse Department <noc@...retive-networks.net>:

> 
> 
> Mon Apr 14 09:55:29 2003: Request 33425 was acted upon.
> Transaction: Ticket created by abuse@...retive-networks.net
>        Queue: noc
>      Subject: over the weekend.... (fwd)
>        Owner: Nobody
>   Requestors: abuse@...retive-networks.net
>       Status: new
>  Ticket <URL:
> http://tracker.accretive-networks.net/Ticket/Display.html?id=33425 >
> -------------------------------------------------------------------------
> In case you didn't see this.
> 
> Accretive Networks Abuse Dept.
> http://www.accretive-networks.net/

-- 
Steve Breeden
support@...fe.net
Support Engineer
Accretive Networks
P.206.443.6401 ext 204
F.206.269.0188
For DNS requests:
dns-admin@...retive-networks.net
For Hosting-support:
hosting-support@...retive-networks.net

Powered by blists - more mailing lists