Some days ago I found a couple of "weird" files in the /tmp directory of my IRC server, which I obviously did not create.
-rw------- 1 ircd ircd 17251 Jul 8 09:10 robot.txt
-rw------- 1 ircd ircd 17251 Jul 8 09:10 robot.txt.1
The content of these files was a malicious script.
An explanation of what this script does can be found at this link.
UnrealIRCd reported the problem in their forum some days ago (June 12). Apparently someone replaced the .tar.gz package on their mirrors with one containing a backdoor (this happened in November 2009). The backdoor allowed anyone to run any command with the privileges of the user running the service (yet another reminder that we must not run services as root).
Someone exploited this bug in our IRC (irc.xterm.com.ar), but apparently nothing bad happened to us.
If you need to check whether your UnrealIRCd is compromised, you can do it in one of two ways:
Verifying the MD5 checksum of the .tar.gz package (Unreal3.2.8.1.tar.gz) you built from:
Backdoored package (BAD): 752e46f2d873c1679fa99de3f52a274d
Official package (GOOD): 7b741e94e867c0a7370553fd01506c66
The other way, useful if you no longer have the tarball, is to change to the directory where you compiled the source code and run:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs 2 lines, you are running the backdoored source.
If it outputs nothing, you are good.
Note that both checks only tell you whether your copy of the source is the backdoored one, not whether anyone actually used the backdoor; for that you have to look for traces like the files in /tmp above.
The solution is to re-download UnrealIRCd and validate that it is the genuine package by checking the GPG signature or the MD5/SHA1 checksums, then rebuild and restart the daemon. Since the backdoor let anyone run commands as the ircd user, anything that user could read or write (the /tmp files above, the ircd configuration and logs) still needs to be reviewed even after the clean package is installed.
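The two checks above, plus a look for files the ircd account left in /tmp, as a small POSIX shell script. This is an added example, not code from the original post or from the UnrealIRCd project: the function names and the two-argument usage are mine, the MD5 sums are the ones quoted above for Unreal3.2.8.1.tar.gz, and the `include/struct.h` path and the default `ircd` user name are taken from the post.

```shell
#!/bin/sh
# Added example (not from the post or the UnrealIRCd project).
# Checks an UnrealIRCd 3.2.8.1 download and source tree for the backdoor
# indicators described above, and lists /tmp droppings owned by the ircd user.

# MD5 sums of Unreal3.2.8.1.tar.gz as quoted in the post.
BAD_MD5="752e46f2d873c1679fa99de3f52a274d"    # backdoored tarball
GOOD_MD5="7b741e94e867c0a7370553fd01506c66"   # official tarball

# md5_of FILE: prints the hex MD5 using GNU md5sum or BSD md5; fails if unreadable.
md5_of() {
    [ -r "$1" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_tarball FILE
# returns 0 = official, 1 = backdoored, 2 = neither sum matched, 3 = unreadable
check_tarball() {
    sum=$(md5_of "$1") || { echo "error: cannot read $1"; return 3; }
    case "$sum" in
        "$GOOD_MD5") echo "good: $1 matches the official MD5"; return 0 ;;
        "$BAD_MD5")  echo "BAD: $1 is the backdoored tarball"; return 1 ;;
        *)           echo "unknown: $1 has MD5 $sum (different release, or no match)"; return 2 ;;
    esac
}

# check_source_tree DIR
# DIR is the directory the source was unpacked and compiled in.
# returns 0 = marker absent, 1 = marker present (backdoored), 3 = no include/struct.h
check_source_tree() {
    hdr="$1/include/struct.h"
    [ -f "$hdr" ] || { echo "error: $hdr not found"; return 3; }
    # grep -c exits 1 when the count is 0, so keep the count and ignore the status.
    n=$(grep -c DEBUG3_DOLOG_SYSTEM "$hdr" || true)
    if [ "$n" -eq 0 ]; then
        echo "good: no DEBUG3_DOLOG_SYSTEM in $hdr"; return 0
    fi
    echo "BAD: $n line(s) mention DEBUG3_DOLOG_SYSTEM in $hdr"; return 1
}

# tmp_files_owned_by DIR USER
# Lists regular files under DIR owned by USER (name or numeric uid).
# The backdoor ran commands as the ircd account, so its droppings
# (robot.txt above) show up as files owned by that account.
# returns 0 if something was found, 1 if nothing (or DIR missing)
tmp_files_owned_by() {
    found=$(find "$1" -user "$2" -type f -exec ls -ld {} \; 2>/dev/null)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Usage: sh check_unreal.sh Unreal3.2.8.1.tar.gz /path/to/Unreal3.2.8.1 [ircd-user]
if [ "$#" -ge 2 ]; then
    check_tarball "$1"
    check_source_tree "$2"
    tmp_files_owned_by /tmp "${3:-ircd}" || echo "no files in /tmp owned by ${3:-ircd}"
fi
```

Run it against the tarball you actually built from and the directory you ran `./Config` and `make` in; a different UnrealIRCd release will come back as "unknown" from the MD5 check, so rely on the `struct.h` grep in that case. A hit from the third function is not proof of exploitation by itself, but any file there that the ircd user had no reason to write deserves a look before the host is declared clean.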
May I continue using UnrealIRCd, or do I need to move to a new one?