FD: Devil Linux 1.2.10 has an IRC bot onboard [False Accusation]

this just hit full-disclosure:

hi!

while building and testing a customized version of devillinux router
distro i found an irc bot onboard. as far as i understood, it was
energymech compiled from source right there plus some executable named
“todo” (for camouflage purposes). the stuff unfolds at /shm/sshd/ and
runs somehow. sadly, i had no time for detailed investigation. it leaves
an overall impression of script kiddie’s work.
last days devillinux website seems to be dead.

victor grishchenko
digital channels network
yekaterinburg, russia

update from the botnets mailing list at whitestar:

thu 19th oct, 2006 – false accusations about irc bot in devil-linux 1.2.10
author – heiko

hi victor,

victor grishchenko plotinka.ru> writes:
> while building and testing a customized version of devillinux router
> distro i found an irc bot onboard. as far as i understood, it was
> energymech compiled from source right there plus some executable named
> “todo” (for camouflage purposes). the stuff unfolds at /shm/sshd/ and
> runs somehow. sadly, i had no time for detailed investigation. it leaves
> an overall impression of script kiddie’s work.
> last days devillinux website seems to be dead.

i am the project leader of devil-linux.
first of all our website is up and was not down at any time.

i don’t know how this bot got on your system, but what you’re writing does not make any sense.
1. there’s no bot included in the dl sources
2. it can never have been compiled on a running dl system, because there are no compilers included.
3. it can only have been introduced (compiled from source as you say) if the machine you compiled dl on was compromised.
4. the location you specify (/shm) is a ramdisk. so it must be copied onto the system after it boots up. this can only be the case if you have the system wide open and somebody can log in easily.
5. i verified the official 1.2.10 release and there’s no bot to be seen.

so it seems the problem does not lie with devil-linux, but rather with your own system.
please stop spreading accusations like this, especially without properly analyzing the issue first.

regards
heiko zuerker
http://www.devil-linux.org
#####################

http://www.devil-linux.org/news/index.php?item=1976

gadi evron,
ge@beyondsecurity.com.
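As an added example (my own, not from the original post and not Devil-Linux's code), the script below turns Heiko's point 4 into a check a defender can run: /shm is a ramdisk, so any ELF binary found on a tmpfs or ramfs mount was placed there after boot and must be accounted for, whatever name it carries. It assumes a POSIX sh with find, od, awk and mktemp; the mounts file and directories are parameters, so it can also be pointed at data copied off a suspect host.

```shell
#!/bin/sh
# Added example, not part of the original post or of Devil-Linux. Checks
# ram-backed mounts for ELF binaries, which on a router should not exist
# after boot. Paths are parameters so the check works on copied evidence.

# Print the tmpfs/ramfs mount points listed in a /proc/mounts-style file.
list_ram_mounts() {
    awk '$3 == "tmpfs" || $3 == "ramfs" { print $2 }' "${1:-/proc/mounts}"
}

# Print every regular file under $1 that starts with the ELF magic 7f454c46.
# Name and execute bit are ignored: a bot renamed "TODO" still carries the
# magic, while a text file called sshd does not.
find_elf_files() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        magic=$(od -An -N4 -tx1 "$f" 2>/dev/null | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Scan every ram-backed mount from the given mounts file and print
# "mount file" per ELF found. Empty output is the expected state.
scan_ram_mounts() {
    list_ram_mounts "$1" | while read -r mnt; do
        find_elf_files "$mnt" | while read -r f; do
            printf '%s %s\n' "$mnt" "$f"
        done
    done
}

# Constructed demo data standing in for a suspect host: a fake mounts table
# and a ramdisk directory holding a renamed ELF next to a harmless text file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/shm/sshd"
printf 'tmpfs %s/shm tmpfs rw 0 0\n/dev/sda1 / ext4 rw 0 0\n' "$demo_dir" \
    > "$demo_dir/mounts"
printf '\177ELF\002\001\001' > "$demo_dir/shm/sshd/TODO"   # ELF header only
printf 'build notes\n' > "$demo_dir/shm/sshd/README"       # plain text
scan_ram_mounts "$demo_dir/mounts"   # reports the renamed ELF, not README
rm -rf "$demo_dir"
```

On a live Linux box, `scan_ram_mounts` with no argument reads the real /proc/mounts; the same functions can be fed a copied mounts file and an extracted ramdisk tree during an investigation.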

  • noroot

    I just downloaded from source forge the file and can’t find what he mentions, TODO that is an executable… where exactly did you get the file from? where did you find this TODO file?

  • http://www.devil-linux.org Heiko Zuerker

    Hi,

    I’m the project leader of Devil-Linux and would like to respond to this false accusation.

    Here is the email response I sent to Victor:

    ———————————-

    Hi Victor,

    Victor Grishchenko plotinka.ru> writes:
    > While building and testing a customized version of DevilLinux router
    > distro I found an IRC bot onboard. As far as I understood, it was
    > EnergyMech compiled from source right there plus some executable named
    > “TODO” (for camouflage purposes). The stuff unfolds at /shm/sshd/ and
    > runs somehow. Sadly, I had no time for detailed investigation. It leaves
    > an overall impression of script kiddie’s work.
    > Last days DevilLinux website seems to be dead.

    I am the project leader of Devil-Linux.
    First of all our website is up and was not down at any time.

    I don’t know how this bot got on your system, but what you’re writing does
    not make any sense.
    1. There’s no bot included in the DL sources
    2. It can never have been compiled on a running DL system, because there
    are no compilers included.
    3. It can only have been introduced (compiled from source as you say) if
    the machine you compiled DL on, was compromised.
    4. The location you specify (/shm) is a ramdisk. So it must be copied onto
    the system after it boots up. This can only be the case if you have the
    system wide open and somebody can log in easily.
    5. I verified the official 1.2.10 release and there’s no bot to be seen.

    So it seems the problem does not lie with Devil-Linux, but rather with
    your own system.
    Please stop spreading accusations like this, especially without properly
    analyzing the issue first.

    Regards
    Heiko Zuerker
    http://www.devil-linux.org