Scary Stuff!
I’m curious just how far this backdoor reaches, so I created a simple bash script:
#!/usr/bin/env bash
# Resolve each IRC server hostname listed in INPUT_FILE to its IPv4 address(es)
INPUT_FILE="server.txt"
OUTPUT_FILE="irc_servers.txt"
while read -r server; do
    [ -z "$server" ] && continue   # skip blank lines
    # +short prints only the answer records; keep A records, drop CNAME targets
    dig +short A "$server" | grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
done < "$INPUT_FILE" | sort -u > "$OUTPUT_FILE"
Taking a sample of networks listed publicly on the internet (http://irc.netsplit.de/networks/), I was able to generate a list of IRC servers for scanning. Using my unreal_backdoor.nse script I was able to detect hundreds of IRC servers, all reporting a version matching the vulnerable software. This doesn’t mean that every server checked was vulnerable, but you can bet a high percentage were! Let me reiterate: that’s possibly hundreds of servers just sitting there waiting to execute any commands they are handed!
I would advise thoroughly checking your network for any servers running this software, as this is a HUGE security risk and very easy to detect and exploit.
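One way to do the check recommended above, as an added example that is not the author's nmap script: a small Python routine that parses the version an IRC server advertises in its 004 (RPL_MYINFO) or 351 (RPL_VERSION) reply and matches it against a configurable set of flagged versions. The flagged version string, host addresses and reply lines are constructed placeholders, since the post does not name the affected release.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder, not a real release number: the post does not name the
# affected UnrealIRCd version, so take the real value(s) from the vendor advisory.
FLAGGED_VERSIONS = {"Unreal0.0.0-PLACEHOLDER"}

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one raw IRC line into (prefix, command, params) using RFC 1459 framing."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    rest = " " + (m.group("params") or "")
    # Everything after the first " :" is one trailing parameter that may contain spaces.
    head, sep, trailing = rest.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    return m.group("prefix"), m.group("cmd"), params


def server_version(line: str) -> Optional[str]:
    """Version string advertised in RPL_MYINFO (004) or RPL_VERSION (351), else None."""
    _, cmd, params = parse_irc_line(line)
    if cmd == "004" and len(params) >= 3:
        return params[2]  # 004 <nick> <servername> <version> <usermodes> <chanmodes>
    if cmd == "351" and len(params) >= 2:
        return params[1]  # 351 <nick> <version> <server> :<comments>
    return None


def flagged_servers(transcript: Dict[str, List[str]], flagged=FLAGGED_VERSIONS) -> Dict[str, str]:
    """Map each host whose advertised version is in the flagged set to that version."""
    hits: Dict[str, str] = {}
    for host, lines in transcript.items():
        for line in lines:
            version = server_version(line)
            # Some servers append a trailing dot to the version in 351; normalise before matching.
            if version and version.rstrip(".") in flagged:
                hits[host] = version
    return hits


# Constructed sample transcripts (lines as a client would receive them after registering).
SAMPLE_TRANSCRIPT = {
    "10.0.0.1": [":irc1.example.net NOTICE AUTH :*** Looking up your hostname...",
                 ":irc1.example.net 351 probe Unreal0.0.0-PLACEHOLDER. irc1.example.net :FhiXeOoZE [*=2309]"],
    "10.0.0.2": [":irc2.example.net 004 probe irc2.example.net OtherIRCd-1.2 iowg biklmnopst"],
}
```

Feed it the reply lines captured from each server on your own inventory and compare the result against your asset list; anything it flags is a host to patch or take offline.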
Very Scary Stuff!