UnrealIRCd Backdoor Followup

Scary Stuff!

I’m curious just how far this backdoor reaches, so I created a simple bash script:



# Resolve each hostname in $INPUT_FILE to its IPv4 addresses; +short keeps only the answer records, so the resolver's own address in dig's header is not captured
for server in $(cat "$INPUT_FILE"); do
  dig +short "$server" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" >> "$OUTPUT_FILE"
done

Taking a sample of networks found anywhere on the internet (http://irc.netsplit.de/networks/), I was able to generate a list of IRC servers for scanning. Using my unreal_backdoor.nse script I was able to detect hundreds of IRC servers, all with matching versions of the vulnerable software. This doesn’t mean that all the servers checked were vulnerable, but you can bet a high percentage were! Let me reiterate: that’s possibly hundreds of servers just sitting there waiting to execute any provided commands!

I would advise thoroughly checking your network for any servers running this software, as this is a HUGE security risk and very easy to detect and exploit.

Very Scary Stuff!


UnrealIRCd Backdoor Nmap Search

Well, I was amazed to say the least when I found the announcement regarding the UnrealIRCd daemon having a backdoor embedded within it.

I was also quite impressed with the way that it was dealt with by the developers. Yes, this shouldn’t have happened, and yes, the files should have had GPG signatures, but we live and learn, as the UnrealIRCd devs have shown in their post (http://forums.unrealircd.com/viewtopic.php?t=6562).

So, just how much does this affect people? Well, to find out I cobbled together a working Nmap script to search for IRC daemons looking for the ‘Unreal3.2.8.1’ version.

This can be found at: http://github.com/xpn/backdoor-unrealIRCd-nmap-scanner. Please excuse the sloppy coding; this was created in 2 hours, and I had never used Lua as a programming language before.
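The version check that both the scan in the first post and the Nmap script here rely on comes down to registering with the IRC server and reading the version token out of its banner: RPL_MYINFO (numeric 004) carries it as the second parameter after the nick, and RPL_VERSION (numeric 351) carries it as the first. The Python below is an added illustration of that logic; it is not the Nmap script from the repository above nor any UnrealIRCd code. The function names, the throwaway nick `scanprobe` and the two banners are assumptions made up for the example. As the first post stresses, a matching version string is only an indicator: it does not by itself prove the running binary came from the backdoored tarball.

```python
import re
import socket

# Version string the Nmap script on this page looks for. The negative lookahead
# stops a longer version number (e.g. a hypothetical 3.2.8.10) from matching.
TARGET_VERSION_RE = re.compile(r"^Unreal3\.2\.8\.1(?!\d)")


def parse_irc_line(line):
    """Split one IRC protocol line into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, None, []
    return prefix, params[0], params[1:]


def server_version(banner_lines):
    """Return the version token from RPL_MYINFO (004) or RPL_VERSION (351), else None."""
    for line in banner_lines:
        _, command, params = parse_irc_line(line)
        # 004 <nick> <servername> <version> <usermodes> <chanmodes>
        if command == "004" and len(params) >= 3:
            return params[2]
        # 351 <nick> <version> <servername> :<comments>
        if command == "351" and len(params) >= 2:
            return params[1]
    return None


def version_matches_backdoored_release(banner_lines):
    """True when the banner reports the 3.2.8.1 version string (an indicator, not proof)."""
    version = server_version(banner_lines)
    return version is not None and TARGET_VERSION_RE.match(version) is not None


def fetch_banner(host, port=6667, timeout=5.0):
    """Connect, register a throwaway nick and collect lines until RPL_MYINFO (004) arrives."""
    lines = []
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"NICK scanprobe\r\nUSER scanprobe 0 * :scanprobe\r\n")
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf:
                raw, _, buf = buf.partition(b"\r\n")
                line = raw.decode("utf-8", "replace")
                lines.append(line)
                if line.startswith("PING"):
                    # Answer the server's PING so it does not drop us before 004 arrives
                    sock.sendall(("PONG" + line[4:] + "\r\n").encode())
                if parse_irc_line(line)[1] == "004":
                    return lines
    return lines


# Constructed banners for offline use; they are not captures from real servers.
BACKDOORED_BANNER = [
    ":irc.example.net 001 scanprobe :Welcome to the ExampleNet IRC Network scanprobe!scanprobe@203.0.113.7",
    ":irc.example.net 002 scanprobe :Your host is irc.example.net, running version Unreal3.2.8.1",
    ":irc.example.net 004 scanprobe irc.example.net Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]
CLEAN_BANNER = [
    ":irc.example.org 001 scanprobe :Welcome to the ExampleNet IRC Network scanprobe!scanprobe@203.0.113.7",
    ":irc.example.org 004 scanprobe irc.example.org Unreal3.2.7 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]

if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if not hosts:
        print("offline sample match:", version_matches_backdoored_release(BACKDOORED_BANNER))
    for host in hosts:
        try:
            flagged = version_matches_backdoored_release(fetch_banner(host))
        except OSError as exc:
            print(f"{host}: error {exc}")
            continue
        print(f"{host}: {'VERSION MATCH' if flagged else 'no match'}")
```

Run it with a list of hostnames (for instance the resolved addresses produced by the script in the first post) and it prints one verdict per host; with no arguments it just evaluates the constructed sample. Parsing the 004 numeric rather than grepping the whole banner avoids false positives from MOTD or 002 text that merely mentions a version, and the 351 branch covers servers that only reveal the version in response to an explicit VERSION command.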

I hope this tool is useful when scanning your networks to identify any problematic IRC daemons.