-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :    S-94-21
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : Trojan Horse in IRC Client for UNIX         Date   :  21-Oct-94
===============================================================================


CERT-NL has learned of a Trojan horse in some copies of ircII version
2.2.9, the source code for the Internet Relay Chat (IRC) client for
UNIX systems. Reports we have received thus far indicate that the
corrupt code was available as early as May 1994. The Trojan horse
provides a back door through which intruders can gain unauthorized
access to accounts of IRC users.  Intruders are actively exploiting
this back door. If you obtained ircII 2.2.9 from any site in May or
later, you may be vulnerable.

Because it is unknown how far the corrupt version of the IRC client has
propagated and because intruders may have corrupted other versions, the
CERT-NL recommends obtaining and installing ircII version 2.6.

Because no special privileges are needed to install and run the IRC
source code, any user on your system may have installed the corrupt
code. Thus, we also recommend that you inform your users of this
potential problem and its solution.

As we receive additional information relating to this advisory, we will
place it, along with any clarifications, in an APPENDIX file with the
same index number as this Security Advisory. CERT-NL advisories and
their associated APPENDIX files are available by anonymous FTP from
ftp.nic.surfnet.nl (see footer of this message). We encourage you to
check the APPENDIX files regularly for updates on advisories that
relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     A Trojan horse was found in some copies of the source code for
     the Internet Relay Chat client for UNIX systems, ircII version
     2.2.9.  Intruders are actively exploiting this Trojan horse.

     The Trojan horse creates a back door and enables intruders to
     gain unauthorized access to accounts of IRC users. If IRC is run
     from a system account, such as root or bin, the Trojan horse
     enables intruders to gain unauthorized access to the system
     account.  In addition, because it is possible to compile,
     install, and run IRC source code without special privileges, any
     user on your system may have installed corrupt code.

     The source code containing the Trojan horse was available from
     many FTP sites as early as May 1994 (at this time, we do not have
     a specific date).

II.  Impact

     Remote users can gain unauthorized access to any account running
     the IRC client, including a system account if it is running IRC.

III. Solution

     If you want to try to determine whether your copy of ircII
     contains the Trojan horse, perform a search on the IRC client to
     find the strings JUPE or GROK. For example,

        % strings /usr/local/bin/irc | egrep 'JUPE|GROK'

     If the strings JUPE or GROK are present in the IRC client, your
     source code may contain the Trojan horse. Keep in mind, however,
     that back doors can easily be changed to respond to other words,
     so you may be vulnerable even if you do not find JUPE or GROK.

     Thus, even if you believe that your IRC source code is clean, we
     urge you to install ircII version 2.6, the most recent version of
     IRC. Also, the maintainer of the code reports that version 2.6
     contains many bug fixes and extra portability.

     IRC source code is available by anonymous FTP from many locations,
     including the following:

        sungear.mame.mu.oz.au:/pub/irc
        alpha.gnu.ai.mit.edu:/ircII
        ftp.funet.fi:/pub/unix/irc/ircII
        coombs.anu.edu.au:/pub/irc/ircii

        File                  Size     MD5 Checksum
        --------              ------   -----------------------------
        ircii-2.6.tar.gz      366361   3FC5FBD18CB3E6C071F51FD8C6C59017
        ircii-2.6help.tar.gz  111733   D9D535B7A06BED2A2EA6676B20BDA481
        ircii-2.5to2.6-diff   19644    0C05C96B10CB87186BD921536AE3FDF2
       
IV.  Informing Users

     Because users may have installed IRC source code on their own, we
     recommend informing all your users about the Trojan horse and the
     new version of IRC.

     In addition, you may want to find any user-installed copies of IRC
     that may be vulnerable. If so, you could use the find command to
     locate these binaries. As an example, the following command will
     enable you to find all files named "irc" in a subdirectory of
     /usr/users:

	% find /usr/users -name irc -type f -print

- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Matthew Green for his 
assistance with this advisory.
- ---------------------------------------------------------------------------

CERT-NL wishes to thank The CERT Coordination Center for making this
information available.


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WGTSYjBqwfc9jEQJENwCgzl7sS/t17dtUUh6WkfoVQc3LyvcAn2nB
6zP2vr7w4liAyCrbwr4O6Xdo
=dTjR
-----END PGP SIGNATURE-----