Ubuntu irssi 0.8.12-4ubuntu2
Benjamin Rubin
bnrubin at ubuntu.com
Sun Oct 12 13:08:29 BST 2008
There are two distinct issues that manifest themselves when connected
to an IRC server over port 6667. The DCC <some string> problem
appears to affect users who have certain Netgear, Linksys and D-Link
routers. The other 'startkeylogger' problem affects people with a
Norton firewall product. At one point in time, these examples would
have been evidence of some sort of virus activity, which is what these
firewall/router manufacturers are apparently responding to (I'm not
sure how temporarily dropping a network connection would fix such
things...). As such, there is a distinct lack of documentation around
the issues, since these companies appear to think that these are
features, not bugs.
Some more recent router firmwares (although I could not tell you what
versions) resolve the issue. In addition, connecting to IRC on a port
other than 6667 can also 'fix' the problem.
The main Ubuntu support channel, #ubuntu on freenode, has on average
about 1,300 people in it at any one time. When this 'exploit' is
triggered, a fair amount of people lose their connections at once,
creating excess traffic in an already busy channel. We have an
automated system that 'quarantines' these affected users until they
can fix the issue on their side. They are also automatically tested
by a system of bots and then let back into #ubuntu if they pass the
test. Hopefully by reducing the number of users affected by each
exploit attempt, we reduce the chances of being targeted in the
future.
Note:
I'm not exactly sure why Colloquy responds the way it does to this
issue. Also, it's not only #ubuntu that has the issue, it's just that
as a large channel we get targeted the most.
Sources:
http://www.hm2k.com/articles/startkeylogger
http://securityresponse.symantec.com/avcenter/attack_sigs/s20713.html
https://help.ubuntu.com/community/FixDCCExploit
Benjamin Rubin
On Sun, Oct 12, 2008 at 7:19 AM, Matt Zimmerman <mdz at ubuntu.com> wrote:
>
> On Wed, Oct 08, 2008 at 04:15:27PM +0200, Gerfried Fuchs wrote:
> > Hi!
> >
> > Thanks for the (indirect because of my Debian PTS derivatives
> > subscription - direct would have been much more appreciated) notification
> > about this router bug:
>
> I haven't seen a response on ubuntu-devel yet, so I'm CCing the person who
> actually uploaded this change (does this information not make it to the
> PTS?) for comment.
>
> I'm also copying the security team, as there's no CVE reference here and I
> can't tell whether there's a more general issue which needs to be addressed.
>
> > * Ubuntu Merge-o-Matic <mom at ubuntu.com> [2008-10-07 19:43:37 CEST]:
> > > Launchpad-Bugs-Fixed: 263259
> > > Changes:
> > > irssi (0.8.12-4ubuntu2) intrepid; urgency=low
> > > .
> > > * debian/patches/90irc-ubuntu-com.dpatch: Changed irc.ubuntu.com's
> > > default port to 8001 to avoid DCC exploit (LP: #263259).
> >
> > <https://help.ubuntu.com/community/FixDCCExploit>
> >
> > Though, it makes me wonder about several things:
> >
> > -) Is this a freenode only specific issue? If not, why does the page
> > only list freenode? I can understand that it's the most important for
> > Ubuntu because irc.ubuntu.com points there, but would changing the
> > default port for OFTC to 7000 (as documented on their page as
> > alternative) work here, too? I tried to update the page with respect
> > to that, but I'm not too sure what port(range) the buggy routers are
> > checking.
> >
> > -) Isn't switching it per default for all users probably causing more
> > troubles for firewall admins and similar than it solves? How common are
> > these buggy routers?
> >
> > -) Why would changing the client be a fix when it's related to the port
> > one connects to? It's not really clear here whether Colloquy is affected
> > in itself even without a buggy router, but I guess that's what is meant
> > here?
> >
> > Given any deeper insight and answers might help me trying to figure out
> > how severe it really is and whether this change should be applied to
> > Debian in a timely manner, too (and whether I/we should dig further for
> > alternative ports of other networks listed in the IRC clients).
> >
> > Thanks,
> > Rhonda
> > P.S.: I'm not subscribed to the list but will try to follow the archive.
> > Thus it would be kind if you could Cc me on replies.
> >
> > --
> > ubuntu-devel mailing list
> > ubuntu-devel at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
> --
> - mdz