Forums Bug Reports Backdoor bug? Imposters able to post text as you.

Recently when I connected to irc.usachat.net with the new mIRC 6.03 and joined the #Lobby, my msg blocker blocked multiple messages from 3 users, but somehow they were able to make my mIRC client post and spam a kuwait website in the channel as if I said it. How in the hell is that possible? Due to this situation, I have stopped using mIRC until I hear about a fix for this. FYI - I run no scripts other than the standard script that comes with mIRC and a msg blocker that I coded myself. It's pretty much a raw mIRC 6.03.

Anyone else heard of this?

Its possible that something you downloaded/opened put a backdoor or trojan that is causing you to spam. First thing i would do is run a couple good virus scans, including one of the good free online ones that tend to be better at catching IRC related trojans, like housecall at www.trendmicro.com

I'd also double check your remotes to see if anything has been altered. You said it looked like you posted it, can you recall exactly what it looked like? (keep in mind its likely some trojan caused it)

there is also a mode +n/-n(external messages) if mode -n is on thn sum1 can clone your nicknam and send messages through it, the only solution is turning +n back on if thats what was causing it

They can't clone your nickname. IRC only allows one user to use a particular nickname at a given time. All -n does is allow people who are not in the channel to send messages to the channel, it has nothing to do with impersonation.

it will say, nicknameyoutriedtoclonehere nickname in use.
thats when you can send a message....

What are you talking about? Give me an example, because I'm 100% sure you're wrong.

BleachX, if you want to get rid of this, then I recommend joining channel #dmsetup and/or #mircfix on EFNet.

This sounds like a classic worm, possibly installed when you visited a website that was spammed to you, the same way you're spamming it to others now.

- Raccoon

say if your in a channel called %#example, and theres someone called blah, you type /clone blah, it should say nickname in use, then you type /msg %chan yourtexthere and it mode -n is on it sends the message through their nickname.

alias clone {
.set %chan $chan
/part %chan
/nick $1-
/join %chan
}

Uhh... no it doesn't.

uhhhhh it does on some servers

You should notify the server admins of a serious bug then, because that would never work in a million years on any decent server.

its not a serious bug......
mode n(external messages)

Any bug which allows someone to imitate someone else, even when it requires a commonly used mode to be unset, is still a serious bug.

for the servers that do allow that then, it is simple to write a script to tell which one is the clone, coz when this event does occur you get 2 addresses, then u can simply perform a who on both to see which is the clone.

I think you haven't a clue what you're talking about. Any server that does that is first off the worlds dumbest and lamest server around, and furthermore I doubt it even exists on any servers. So what server does it work on? Or are you going to do like in the other post when I asked for the server name you give me the server, but then when I try to connect you inform me that it is currently down...

it works on msn. it works on my m8s server,(the one u cudnt connect to) it works on irc.redfuse.org to name a few.

MSN is NOT IRC. And isn't it an odd coincidence? irc.redfuse.org doesn't work either!
[13:33] * Connecting to irc.redfuse.org (6667)
[13:33] * Unable to resolve server
[13:34] * Looking up irc.redfuse.org
[13:34] * Unable to resolve irc.redfuse.org

So lets see, you named one server thats not even an IRC server (it's IRCX) and 2 servers that just happen to either be down, or not even exist. Or when you said irc.redfuse.org did you really mean irc.digitalfuse.org (which is what www.redfuse.org says the IRC server is)? And well guess what? That server runs Unreal3.1.5.1-Valek which I happen to be the author of; and I know for a fact that it does NOT do what you described.

~ tidy trax ~ says:
whats the name of the server chris goes on again?
Admin_Appothis - [BA] says:
dunno
Admin_Appothis - [BA] says:

~ tidy trax ~ says:
;\
Admin_Appothis - [BA] says:
they closed down
Admin_Appothis - [BA] says:
lol
~ tidy trax ~ says:
;\

So basically it's exactly what I said, you can provide no proof of your claims at all.

ok.... well sorry for trying to help then;\ when this event has happened to me many times, i will still suggest it even if i am unsure of how many servers this is ok on;\

lol codemastr... I was scrolling down this thread, waiting for that to happen.

We actually run UnrealIRCD at usachat.net.
I have scanned my system with 3 different antivirus scanners and already have the latest Norton Antivirus Corporate Edition v8.1 with dat files dated 6/26/03 rev. 18 and I have no virus or trojan according to any of them. It totally blew me away when I saw that and got kicked from the channel with (Stop repeating!) from the actual owner of the server's script. LoL - I'll find out soon enough how those kids did it. Eventually, I'm sure I'll find a raw code that does it. I know it used to be able to be done on EFNet back in the day. Maybe someone just found that exploit on UnrealIRCD. We'll see..

You might try @debug, and when they send you the trigger again to make you do the event, look in the raw window at what you're sending. From there, do a search through your scripts with that text >:D

I haven't seen you in #dmsetup or #mircfix, so I'm guessing you've ruled out an mIRC script trojan/backdoor. This is what it most likely is.

Raccoon can u change ur location to something shorter pls? The left margin is expanded cause of it >:\

Your probably right. I remember when I was a newbie to IRC something similair happened to me. My nick name contained an uppercase I . And in the font i was using a number 1 looked exactly like an uppercase I. So under certain fonts nicks like this 'IDIOT' 'ID1OT' would look identical. The same goes for some other letters, like capital I and lowercase L.

If this issue turns out to be an exploit it might be best to discuss it with the people that code Unreal rather than post the exploit or any details of the exploit here. Alot of business enterprises depend on the inegrity of software and if anyone was to 'give away' any details before the software authors had a chance to patch (if necessary) then such exploits could prove to be extremely damaging.

Having said that, if an exploit exists then it is not necessarily the fault of the authors. Bored/unemployed teenagers have endless hours on hand to use to stuff things up and experiment for the wrong reasons so such events are inevitable.

Remember that it's only really an exploit if it is abused, otherwise it is just harmless code.

That's a very Microsoft way of looking at things.
"It's not a bug until a few thousand servers get taken off the internet, costing millions of pounds worth of damages. THEN we might create a patch" - Microsoft bugfix motto.

It's an everything way of looking at it. It's no different to a gun not being dangerous unless in the hands of a nutter. I'm not saying that holes shouldn't be patched, you missed the gist of my post completely. If you want to look at software with holes you should be looking at things like Sendmail before knocking Micro$oft.

Considering that Unreal is open source, and we have a guy who (claims) to be THE author (though I don't see him listed under /info or /credits), discussing bugs and exploits in a public forum is a surefire way to get them patched quickly... as anyone with relatively mediocre C skills could write a patch (if only to disable responsible commands).

We cannot be responsible for organizations that don't have an alert and ready response team standing by to handle Server Triage. Companies that don't properly allocate minds where they are needed, at the expense of the CEO's new Mercedes payments, should and will ultimately suffer. (Unfortunately, large companies simply claim inflated losses in order to recover quasi damages in tax write-offs)

- Raccoon

=-=-=-= Unreal3.2-beta17a =-=-=-=
| Brought to you by the following people:
|
| Head coders:
|
| * Stskeeps <stskeeps@see-below>
| * codemastr <codemastr@see-below>
No way of telling if that's the real codemastr, but his name is there..

Yes that is me, and just a minor favor, would you mind editting your post and remove mine (and Stskeeps') email addresses, I already get enough spam as it is.

The British had a saying in World War 2:

"Loose lips sink ships"

If people say things in the wrong arena then software patches need to be released ALOT quicker than normally anticipated.

As a coder, let me just say I HATE when people decide to discuss an exploit publically rather than contacting me. Reason is, by the time we hear about it we don't hear about it from people who actually know how the exploit works, we hear about it from people who are saying "someone crashed my server!!!" I'm not saying that exploits should be hidden from everyone, just saying that sometimes it's better to notify the right people before you go and tell everyone you know, because while you might have the proper ethics to know exploiting other people's software isn't a good thing, the people you told might not feel the same way.

irc.redfuse.org is back up.

because while you might have the proper ethics to know exploiting other people's software isn't a good thing, the people you told might not feel the same way.

I told them that or am I missing something?

he meant it figeratively.

sometimes it's better to notify the right people before [color:red]you go and tell[/color] everyone you know, because while you might have the proper ethics to know exploiting other people's software isn't a good thing, the people [color:red]you told[/color] might not feel the same way.

You could easily replace 'you' with 'they', etc.

I hope so cos I was supporting him.

I was doing the "too lazy to actually pick the correct person to respond to so just pick the last guy who said something" (tm) method

Fair enough, it happens at times.