Open Source · 1998-10-22 · 91 days · Backdoor, Remote Code Execution

ircII FTP tarball enabled remote access

The official FTP server (ftp.irc.org) hosting the ircII source code was compromised. The ircii-2.8.2.tar.gz distribution was modified; specifically, the file ircd/s_bsd.c had a backdoor inserted.

Story

The 1998 ircII incident followed the old pattern: the source archive lived on a trusted FTP site, and the attacker changed the archive in place. Users who fetched ircii-2.8.2.tar.gz from ftp.irc.org or mirrored paths could receive source that looked normal until it was compared with known-good copies.

The malicious change was narrow. The record identifies ircd/s_bsd.c as the modified file. That matters because source-level changes in network code can escape a reviewer reading by habit: the file is expected to contain socket and connection handling, and a small backdoor can hide among ordinary control flow.

The impact was remote access after installation. The attacker did not need to reach every host directly. The distribution path carried the code to administrators, who compiled and installed it inside their own trust boundary.

CERT’s later 1999 material treated these cases as part of a larger pattern: central FTP archives were easy to mirror and hard to authenticate. For ircII, as with tcp-wrappers and util-linux, the practical defense was checksum comparison, fresh trusted source, and distrust of archive timestamps.
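The checksum comparison that paragraph describes, as an added example that is not part of the original record: a small Python checker that streams a downloaded archive once, computes MD5 and SHA-256, flags the file if its MD5 matches one of the digests listed under the record's Hashes field, and otherwise compares its SHA-256 against a trusted value obtained out of band. The two MD5 values are the ones on this page; treating them as identifiers of the tampered ircii-2.8.2.tar.gz is an interpretation of the record, which does not say which file each digest belongs to. The sample archives the demo builds are constructed stand-ins, and archive timestamps are deliberately ignored, since anyone who can replace a file on an FTP server can also set its mtime.

```python
import hashlib
import os
import tempfile

# MD5 digests taken from the record's "Hashes" field. Assumption: they identify
# the tampered ircii-2.8.2.tar.gz; a local archive matching one is treated as bad.
KNOWN_BAD_MD5 = {
    "a2eadc5d2e01fceb4c5728e85a28f2dd",
    "f3c149e1e239263731e0f75730121eb0",
}


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests, streaming so large tarballs stay off the heap."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify_archive(path, known_bad_md5=KNOWN_BAD_MD5, trusted_sha256=None):
    """Classify a downloaded source archive.

    Returns one of:
      "known-bad"  - MD5 matches a digest from the incident record
      "verified"   - SHA-256 matches the trusted value the caller supplied
      "mismatch"   - a trusted SHA-256 was supplied but does not match
      "unverified" - no trusted digest available; nothing is known either way
    The file's mtime is never consulted: a server-side replacement can carry
    any timestamp the attacker likes.
    """
    md5_hex, sha256_hex = file_digests(path)
    if md5_hex in known_bad_md5:
        return "known-bad"
    if trusted_sha256 is None:
        return "unverified"
    if sha256_hex == trusted_sha256.lower():
        return "verified"
    return "mismatch"


def demo():
    """Build constructed stand-in archives in a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ircii-good.tar.gz")
        with open(good, "wb") as fh:
            fh.write(b"constructed stand-in for a trusted source archive\n")
        # In practice the trusted digest comes from a signed announcement or
        # another channel, never from the same directory as the archive.
        _, trusted = file_digests(good)
        results["good"] = classify_archive(good, trusted_sha256=trusted)

        tampered = os.path.join(tmp, "ircii-tampered.tar.gz")
        with open(tampered, "wb") as fh:
            fh.write(b"constructed stand-in for a modified archive\n")
        results["tampered"] = classify_archive(tampered, trusted_sha256=trusted)
        # Without a trusted digest the checker must not claim the file is clean.
        results["unknown"] = classify_archive(tampered)
        # Simulate an indicator match by feeding the file's own MD5 as known-bad.
        md5_hex, _ = file_digests(tampered)
        results["flagged"] = classify_archive(tampered, known_bad_md5={md5_hex})
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The ordering matters: an indicator match wins over everything else, and the absence of a trusted digest yields "unverified" rather than a pass, which is the distinction the 1998 mirrors lacked.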

Affected Artifacts

ircII

ftp.irc.org · Source Archive
Observed
1998-10-22 to 1999-01-21
Compromised Versions
Fixed
Not listed
Hashes
  • md5:a2eadc5d2e01fceb4c5728e85a28f2dd
  • md5:f3c149e1e239263731e0f75730121eb0
Evidence
  • mirror: web.archive.org/web/20140720105610/http://www.cert.org/advisories/CA-1999-01.html
  • mirror: attrition.org/security/advisory/fedcirc/1999/fedcirc.99.01.txt
  • observable: ftp://ftp.irc.org/irc/clients/ircii-2.8.2.tar.gz
  • observable: ftp://ftp.undernet.org/pub/irc/clients/unix/ircII/ircii-2.8.2.tar.gz

Incident Context

Motive
Unauthorized Access Control
Attribution
Person
Cause
Compromised Infrastructure
Transitive
No
Actor
Individual Hacker

External References

Source record: oss/attacks/ircII/meta.yaml