http://vbirc.com/ - vbirc network - Powered by UnrealIRCd 3.2.8.1

Found diff: (Jobe) http://mbeeching.users.mdbnet.net/unreal-trojan.diff
Source: http://www.irc-junkie.org/2010-06-12/some-unrealircd-3-2-8-1-downloads-trojaned/
Affected site: http://unrealircd.com
Fix: (bryan from xzibition.com)
cd ~/Unreal3.2 && wget www.xzibition.com/fix-unreal.sh && chmod u+x fix-unreal.sh && ./fix-unreal.sh && ./unreal restart

[Scan Results for vbirc network, irc.vbirc.com (Sunday, June 12th, 2010), Floris Fiedeldij Dop, mrfloris@gmail.com]

irc.vbirc.net: clean (no trojan detected) [IGNORED]
ircd@pc:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
ircd@pc:~/Unreal3.2$

irc.vbirc.com: clean (no trojan detected) [IGNORED]
[vbirc@vortex ~/Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
[vbirc@vortex ~/Unreal3.2]$

irc.vbirc.org: trojan detected [FIXED]
grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

alpha.vbirc.com: trojan detected [FIXED]
ircd1@mrfloris:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

bravo.vbirc.com: trojan detected [FIXED]
ircd2@mrfloris:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

charlie.vbir.com: trojan detected [FIXED]
ircd3@mrfloris:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

delta.vbirc.com: trojan detected [FIXED]
ircd4@mrfloris:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

echo.vbirc.com: trojan detected [FIXED]
madmikeyb@echo:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

mike.vbirc.com: trojan detected [FIXED]
- (mikey@figo.xzibition.com) - (01:13:22) -
- (~/Unreal3.2) - grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

irc.sonicbot.org: trojan detected [FIXED]
ircd5@mrfloris:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

irc.wetalksoccer.com: clean (no trojan detected) [IGNORED]
(Brian@echo.xzibition.com) - (05:13:31) - (~/Unreal3.2) - grep DEBUG3_DOLOG_SYSTEM include/struct.h
(Brian@echo.xzibition.com) - (05:13:35) -

india.vbirc.com: trojan detected [FIXED]
[indiavb@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

juliet.vbirc.com: trojan detected [FIXED]
[julietv@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

kilo.vbirc.com: trojan detected [FIXED]
[kilovbi@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

november.vbirc.com: trojan detected [FIXED]
[november@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

hotel.vbirc.com: trojan detected [FIXED]
[vbirc@ircd9]/home/vbirc/Unreal3.2(78): grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

ssl.vbirc.com: clean (no trojan detected) [IGNORED]
bigtin@thunder:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
bigtin@thunder:~/Unreal3.2$

golf.vbirc.com: trojan detected [FIXED]
vbirc@eclipse:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

oscar.vbirc.com: clean (no trojan detected) [IGNORED]
- (~/Unreal3.2) - grep DEBUG3_DOLOG_SYSTEM include/struct.h
- (Floris@elmo.xzibition.com) - (05:47:06) -
- (~/Unreal3.2) -

sierra.vbirc.com: trojan detected [FIXED]
[sierrav@server ~]$ cd Unreal3.2/
[sierrav@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

papa.vbirc.com: clean (no trojan detected) [IGNORED]
- (~/Unreal3.2) - grep DEBUG3_DOLOG_SYSTEM include/struct.h
- (vbirc@spider.xzibition.com) - (02:49:13) -
- (~/Unreal3.2) -

quebec.vbirc.com: trojan detected [FIXED]
[quebecv@server ~]$ cd Unreal3.2/
[quebecv@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

romeo.vbirc.com: trojan detected [FIXED]
[romeovb@server Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

lima.vbirc.com: trojan detected [FIXED]
- (vbirc@diva.xzibition.com) - (02:51:16) -
- (~/Unreal3.2) - grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

irc.ezirc.org: trojan detected [FIXED]
ezirc@e2180-20126:~/Unreal3.2$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

ipv6.vbirc.com: clean (no trojan detected) [IGNORED]
- (vbirc@fate.xzibition.com) - (03:32:16) -
- (~/Unreal3.2) - grep DEBUG3_DOLOG_SYSTEM include/struct.h
- (vbirc@fate.xzibition.com) - (03:32:18) -
- (~/Unreal3.2) -

foxtrot.vbirc.com: trojan detected [FIXED]
[ezirc@foxstrot Unreal3.2]$ grep DEBUG3_DOLOG_SYSTEM include/struct.h
#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x)
#define DEBUG3_DOLOG_SYSTEM(x) system(x)

Summary: (0% work needed, completed fix)
Scanned: 27 unrealircd servers
No trojan detected: 7 (not including fixed ones)
Trojan detected: 20 (fixed: 20 / to do: 0)
Not scanned: 0 none; all scanned

= blog =

We've learned (through our team member Jobe) that UnrealIRCd.com announced that their downloads were compromised with a backdoor, forcing the vbirc network to take immediate action to protect the servers and the users on it from abuse. A preventive measure.

While our operators were scanning the 25+ servers to find out which ones were potentially running this unrealircd trojan build, Bryan from xzibition.com (a provider we use for a few of our leaf servers) has put together an automated script to help patch and update the irc servers.

Of course, since the core of the product is affected, a restart of the irc server is required, leading to netsplits on our network. To avoid unneeded downtime, and for more convenience, we decided to do them all in the span of an hour, and of course only the affected servers. The work has now been completed.

With the lack of a development team, and this embarrassment from unrealircd.com (their site was compromised at the end of 2009, and they did not spot this), we have decided to currently stick to the 3.8.x branch and not upgrade to 3.9 or 4.0, and in the future potentially move to an alternative.

Anyway, we apologize for the unforeseen and unannounced netsplits. But to avoid abusive users exploiting our server while we were fixing it, we decided to not disclose the maintenance until afterwards. Our internal review disclosed that none of our servers were exploited.

More information about this (if you're running UnrealIRCd yourself for example) can be found here, including "how to patch unrealircd 3.8.2.1 backdoor trojan":
http://dl.dropbox.com/u/693961/vbirc_trojan_scan_unrealircd.txt

Floris
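
Added example (not part of the original scan notes or of the fix-unreal.sh script): the per-server check from the scan log, a grep for DEBUG3_DOLOG_SYSTEM in include/struct.h, run over several source trees with a summary line. The function names are made up here, and a tree with no readable include/struct.h is reported as "not scanned" so that a wrong path is not mistaken for a clean result.

```shell
#!/bin/sh
# Added example: classify UnrealIRCd source trees by the backdoor macro
# that the scan log greps for. The layout <tree>/include/struct.h follows
# the log; scan_unreal_tree and scan_all are names invented for this example.

MARKER='DEBUG3_DOLOG_SYSTEM'

# Print one verdict for a single source tree.
scan_unreal_tree() {
    hdr="$1/include/struct.h"
    if [ ! -r "$hdr" ]; then
        echo "not scanned"                  # header missing or unreadable
    elif grep -qF -- "$MARKER" "$hdr"; then
        echo "trojan detected"
    else
        echo "clean (no trojan detected)"
    fi
}

# Scan every tree given as an argument: one verdict line per tree,
# then a summary line with the same counters the log's summary uses.
scan_all() {
    scanned=0; clean=0; hit=0; skipped=0
    for tree in "$@"; do
        verdict=$(scan_unreal_tree "$tree")
        echo "$tree: $verdict"
        case "$verdict" in
            "trojan detected") hit=$((hit + 1)); scanned=$((scanned + 1)) ;;
            "not scanned")     skipped=$((skipped + 1)) ;;
            *)                 clean=$((clean + 1)); scanned=$((scanned + 1)) ;;
        esac
    done
    echo "Scanned: $scanned / No trojan detected: $clean / Trojan detected: $hit / Not scanned: $skipped"
}

# Trees come from the command line; with no arguments, check the
# directory used throughout the log.
[ "$#" -gt 0 ] || set -- "$HOME/Unreal3.2"
scan_all "$@"
```

A "trojan detected" verdict only says the source tree carries the macro; the running ircd binary was built from whatever tree existed at compile time, so it still needs the rebuild and restart described above.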