Re: IRC script trojan with Unix based clients

Roger Espel Llima (espel@LLAIC.UNIV-BPCLERMONT.FR)
Mon, 02 Jun 1997 17:40:24 +0200

On Sun, Jun 01, 1997 at 11:20:40AM -0700, Leonid S Knyshov wrote:
> As of this moment, the only good sources for ircII scripts are at
> ftp://ftp.pimpz.org and ftp://bitchx.htoc.com

> You can trust the scripts from there.

pimpz.org has all of DeadelviS's archive, which is quite comprehensive
but not free (or meant to be free) of scripts with backdoors. For
example, running
ftp://ftp.pimpz.org/irc/DeadelviS/script/paks/toolz.irc, or
ftp://ftp.pimpz.org/irc/DeadelviS/script/paks/dreamscr_9.3.tar.gz is
equivalent to giving access to your shell account to everyone else on
IRC.

From that directory, deturbo, superpak, uus and zer0 are the ones I'd
trust. Still, it's a bad idea to run a script you don't completely
understand.

I couldn't find a single script on the bitchx.htoc.com site, it appears
to be all about the BitchX client, source and binaries.

> Meanwhile, an ircII script can be as powerful as a shell, please check on
> http://www.undernet.org the important FAQ file how to detect ircII
> backdoors, I believe it's also on pimpz.org ftp site.

I wrote that :)

http://www.eleves.ens.fr:8080/home/espel/irc-backdoor.faq
ftp://ftp.pimpz.org/irc/DeadelviS/misc/irc-backdoor.faq

It's a bit outdated, though.

> You might want to hack a client source a bit to disable DCC and/or CTCP
> commands. To be safe you can simply rename them and retain the
> functionality.

The command to disable if you're concerned about security is EXEC,
mostly. CTCP is harmless, it just sends and reacts to messages with a
special marker. If you're paranoid, disable DCC SEND and DCC GET too,
but they're generally OK because they'll refuse to write to dotfiles.

DCC CHAT is an order of magnitude safer than that, but you can get some
versions of ircII to dump core by sending crap through a DCC CHAT, there
might be an exploitable buffer overflow somewhere there (although it's
most likely in the data segment).

Even if you remove EXEC, and whatever you do to the client itself
(unless you remove LOAD, but that's crippling it quite a bit), you can't
prevent people from loading backdoored scripts that will let other
people have "IRC access", i.e. remotely control the client. From the
point of view of the system's security, though, as long as the backdoor
can't touch the shell, it's not too bad.

Roger

--
e-mail: espel@llaic.univ-bpclermont.fr, espel@unix.bigots.org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
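A defender-side illustration of Roger's point about EXEC and LOAD: a small heuristic scanner, added here as an example and not part of the original post or of the irc-backdoor FAQ, that flags ircII script lines where an ON hook (ctcp, msg, dcc, ...) reaches `exec` or `load`, i.e. where traffic from other IRC users can drive those commands. The two script fragments are constructed for the demonstration, and the ON/brace handling is a simplification of real ircII parsing, so treat hits as leads for manual review.

```python
import re

# Constructed sample ircII script fragments (not scripts from any archive).
BENIGN = """\
alias greet msg $0 hello there
on ^msg "*" echo <$0> $1-
"""

BACKDOORED = """\
alias j join $0
on ^ctcp "* * SH *" {
  ^exec -o $2-
}
on ^msg "*" ^load $1
"""

# The commands the thread singles out: EXEC reaches the shell, LOAD pulls in
# more script code. Either one fired from an ON hook means a remote user can
# trigger it with a CTCP, MSG, DCC or similar event.
SHELL_CMDS = ("exec", "load")
# Command may carry ircII's ^ (quiet) and/or / prefixes; \b rejects "execute".
CMD_RE = re.compile(r'(?:^|[\s{;])[\^/]*(' + "|".join(SHELL_CMDS) + r')\b', re.I)
# "on ^ctcp ..." / "on -msg ..." etc.; the optional char is an ircII hook modifier.
ON_RE = re.compile(r'^\s*[\^/]*on\s+[\^#\-+&@%]?(\w+)', re.I)


def scan_script(text):
    """Return [(line_no, event, command)] for exec/load inside an ON hook."""
    findings = []
    depth = 0     # brace depth inside the current ON block
    event = None  # event name of the enclosing ON hook, or None
    for lineno, line in enumerate(text.splitlines(), 1):
        if event is None:
            m = ON_RE.match(line)
            if not m:
                continue          # aliases etc. are not remotely triggered
            event = m.group(1).lower()
        for cmd in CMD_RE.findall(line):
            findings.append((lineno, event, cmd.lower()))
        depth += line.count("{") - line.count("}")
        if depth <= 0:            # one-line hook, or the block just closed
            event, depth = None, 0
    return findings


if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("backdoored", BACKDOORED)):
        print(name, scan_script(script))
```

Aliases that call `exec` are not followed into hooks that invoke them, so a clean result still does not make a script safe, which matches the thread's advice not to run a script you do not fully understand.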