Download Sites Hacked, Source Code Backdoored

When source code to a relatively obscure, Unix-based Internet relay chat (IRC) client was reported to be "backdoored" last month, security professionals collectively yawned.

But last week, when three popular network security programs were reported to be similarly compromised, security experts sat up and took notice.

Now, it appears that the two hacking incidents may have been related.

According to program developer Dug Song, the source code to the Dsniff, Fragroute, and Fragrouter security tools was contaminated on May 17th after an attacker gained unauthorized access to his site,

In an interview today, Song said affected users are being contacted, but he declined to provide details of the site compromise, citing an ongoing


When installed on a Unix-based machine, the modified programs open a backdoor accessible to a remote server hosted by RCN Corporation, according to an excerpt of the contaminated Fragroute program posted Friday to Bugtraq by Anders Nordby of the Norwegian Unix User Group.

In another posting to the Bugtraq mailing list last Friday, Song reported that nearly 2,000 copies of the booby-trapped security programs were downloaded by unsuspecting Internet users before the malicious code was discovered May 24th. Only 800 of the downloads were from Unix-based machines, according to Song.

Song's subsequent Bugtraq message said that intruders planted the contaminated code at after successfully penetrating a machine operated by one of the site's administrators. The attackers exploited a "client-side hole that produced a shell to one of the local admin's accounts," wrote Song in his message.

The exploit code planted at was nearly identical to a backdoor program that was recently slipped by attackers into the source code of the Irssi IRC chat client for Unix.

According to a notice posted May 25th at, someone "cracked" the distribution site for the IRC program in mid-March and altered a configuration script to include the back door.

NEW PRECAUTIONS IMPLEMENTED. Installing the compromised Irssi program provided a remote server hosted by FastQ Communications with full shell access to the target machine, said the notice. Irssi's developer, Timo Sirainen, was not immediately available for


Today, the Web server at the Internet protocol address listed in the backdoored Irssi code returned the message: "All your base are belong to


Meanwhile,, the collocated server listed in the backdoored code, today displayed the home of the Niuean Pop Cultural Archive.

When contacted by SecurityFocus Online, the site's administrator, Kim Scarborough, said he was unaware that the machine had been used by the remote exploit.

Scarborough reported that he completely reinstalled the server's system software, including the FreeBSD operating system, on May 30th after discovering evidence that someone had hacked into it.

According to Scarborough, he had installed the Irssi chat client on the machine around May 17th at the request of a user.

The two security incidents have forced authors of the affected programs to implement new measures to ensure the authenticity of their downloadable


According to a page at Irssi describing the backdoor, new releases will be signed with the GPG encryption tool, and the author will periodically review the programs for


Song said that has implemented technology to restrict user sessions, and that he is considering adding digital signatures to software distributed at the site.

By Brian McWilliams
