IRC server had backdoor in source code for months - Update
The developers of the open source IRC server UnrealIRCd have had to report that the file servers of the project were compromised several months ago and the IRC servers code,
Unreal18.104.22.168.tar.gz was replaced by a version with a backdoor. The backdoor allows anyone to execute commands on the server running UnrealIRCd, with the privileges of the user running the IRC daemon, even if the IRC server is a hub or requires passwords to access it normally. According to the report, the version with the backdoor was apparently placed on file servers in November 2009, but remained unnoticed until now.
To ensure that there isn't a repeat of the incident, the developers say they plan to re-implement the PGP/GPG signing of releases; a later posting in the forums says this has now been implemented. The developers do note that only the one file,
Unreal22.214.171.124.tar.gz was affected; the Windows versions, earlier releases and the code in the CVS source code control system are unaffected. The advisory also contains details on how to check installations for the backdoor, with MD5 checksums for the "bad" and "good" versions of the archive or, if the archive is not available, a simple way to check the source code using grep.
On the heise online forums (German language link) an UnrealIRCd supporter has clarified the original statements about the intrusion. The supporter says that, since the source code tarball can be compiled on Windows, Windows users should also be concerned if they compile their own version of UnrealIRCd for Windows.
The contaminated source files have also found their way into the Gentoo Linux distributions repositories. The Gentoo package has already been updated with a non infected version (unrealircd-126.96.36.199-r1 ebuild) and is available, but some mirror servers are still carrying the old version. Details of how the systems failed on the UnrealIRCd server are not yet available because investigations are still ongoing.