ircII source installed account backdoor
Some copies of the ircII 2.2.9 source code for UNIX systems contained a Trojan horse that created a backdoor into accounts running the IRC client.
Story
In October 1994, CERT warned that some copies of the ircII 2.2.9 UNIX client source contained a Trojan horse. The corrupt source had been available from many FTP sites as early as May, although CERT did not have a specific first date. Because ircII could be compiled and installed without special privileges, the compromised boundary was not only a central administrator's package tree; any user might have built the poisoned client locally.
The delivery was ordinary source distribution. Users fetched an IRC client from FTP sites, compiled it, and ran it under their own accounts. The malicious change rode inside that source tree; the trusted action was the build.
The backdoor gave remote intruders access to accounts running the IRC client, and CERT said exploitation was already active. The advisory suggested searching binaries for the strings JUPE or GROK, but warned that backdoor words could be changed and urged sites to install ircII 2.6 instead. In the language of early Internet trust, this was a userland source tarball becoming a quiet door into real shell accounts.
The scope was awkward because the distribution path was informal by modern standards. CERT could say the bad source had appeared on many FTP sites, but not exactly when each copy changed hands. That left administrators with a provenance problem: find every locally built ircII binary, assume string checks were incomplete, and replace the client from a known-good release.
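The sweep the advisory implies, written out as a shell script. This is an added example, not code from the CERT advisory or the ircII project: it walks a directory tree for ircII-named binaries, flags any that contain the observable strings JUPE or GROK, and labels every other hit as unverified rather than clean, since the advisory warned the backdoor words could be changed and the only reliable fix was replacing the client with a known-good 2.6 build. The directory layout, file names and the two sample "binaries" it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from CA-94:14 or ircII): a defender-side sweep for the
# 1994 ircII 2.2.9 trojan. A string hit is treated as a positive only; a
# clean scan does NOT clear a binary, because the backdoor words could change.

# Observable strings named in the advisory. Constructed list: a site that
# learns of other variants appends them here.
BACKDOOR_STRINGS="JUPE GROK"

# scan_for_backdoor_strings FILE
# Returns 0 (suspect) if any observable string occurs in FILE, 1 otherwise.
scan_for_backdoor_strings() {
    f=$1
    for s in $BACKDOOR_STRINGS; do
        # -a scans the binary as text; -q keeps grep silent.
        if grep -a -q -- "$s" "$f" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# sweep_tree DIR
# Finds files named like locally built ircII clients under DIR and prints one
# line per file: "SUSPECT <path>" on a string hit, otherwise
# "UNVERIFIED <path>" (no hit, but string checks are incomplete: replace
# the client from a known-good release regardless).
sweep_tree() {
    dir=$1
    find "$dir" -type f \( -name 'irc' -o -name 'ircII*' -o -name 'ircii*' \) |
    while IFS= read -r path; do
        if scan_for_backdoor_strings "$path"; then
            echo "SUSPECT $path"
        else
            echo "UNVERIFIED $path"
        fi
    done
}

# make_sample_dir
# Builds a constructed home-directory tree with two fake ircII binaries:
# one carrying the JUPE string, one without. Prints the tree's path.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/bin" "$d/home/bob/bin"
    # Stand-in for a poisoned build: binary junk around the observable string.
    printf '\177ELF\000\001JUPE\000client\000' > "$d/home/alice/bin/ircII"
    # Stand-in for a clean build: no observable string present.
    printf '\177ELF\000\001ircII 2.6\000client\000' > "$d/home/bob/bin/ircII"
    echo "$d"
}

# Usage: sh sweep.sh /home   (sweeps a real tree)
#        sh sweep.sh         (no argument: defines the functions only)
if [ "$#" -gt 0 ]; then
    sweep_tree "$1"
fi
```

Run it against the directories where users build software (home directories, shared scratch space), then treat every SUSPECT line as a confirmed compromise and every UNVERIFIED line as a binary still to be replaced; the script deliberately has no "CLEAN" state.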
Affected Artifacts
ircII
- Observed: 1994-05-01 to 1994-10-19
- Compromised Versions: 2.2.9
- Fixed: 2.6
- Evidence: mirror: stuff.mit.edu/afs/athena.mit.edu/astaff/reference/cert/Advisories/CA-94:14.trojan.horse.in.IRC.client.for.UNIX, mirror: sei.cmu.edu/documents/2339/1995_001_001_83550.pdf, observable: JUPE, observable: GROK, +1 more
- CERT reported the corrupt source was available as early as May 1994 but did not identify a specific first distribution date.
Incident Context
- Motive: Unauthorized Access Control
- Cause: Compromised Infrastructure
- Transitive: No
Notes
- The start date is encoded as 1994-05-01 because CERT only gave "as early as May 1994"; the advisory date is 1994-10-19.
External References
Source record: oss/attacks/ircii-1994/meta.yaml