The developers of the open source IRC server UnrealIRCd have had to report that the project's file servers were compromised several months ago and the IRC server's source archive, Unreal3.2.8.1.tar.gz, was replaced by a version containing a backdoor. The backdoor allows anyone to execute commands on the server running UnrealIRCd with the privileges of the user running the IRC daemon, even if the IRC server is a hub or normally requires a password to access. According to the report, the backdoored version was apparently placed on the file servers in November 2009 but remained unnoticed until now.

To ensure that there is no repeat of the incident, the developers say they plan to re-implement PGP/GPG signing of releases; a later posting in the forums says this has now been implemented. The developers note that only the one file, Unreal3.2.8.1.tar.gz, was affected; the Windows versions, earlier releases and the code in the CVS source code control system are unaffected. The advisory also contains details on how to check installations for the backdoor: MD5 checksums for the "bad" and "good" versions of the archive or, if the archive is no longer available, a simple way to check the source code using grep.
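The two checks the advisory describes (compare the archive's MD5 against the known-good and known-bad sums, or grep the unpacked source when the archive is gone) as an added Python example; this is not code from H Security or the UnrealIRCd project. The MD5 values and the grep pattern are placeholders to be filled in from the advisory, and the files the demo scans are constructed.

```python
import hashlib
import os
import tempfile

# Placeholders: take the real sums and grep pattern from the UnrealIRCd advisory.
KNOWN_GOOD_MD5 = "<md5 of the clean Unreal3.2.8.1.tar.gz, from the advisory>"
KNOWN_BAD_MD5 = "<md5 of the backdoored Unreal3.2.8.1.tar.gz, from the advisory>"
BACKDOOR_MARKER = b"<grep pattern from the advisory>"


def md5_hex(path):
    """MD5 of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_archive(path, good_md5=KNOWN_GOOD_MD5, bad_md5=KNOWN_BAD_MD5):
    """'backdoored' / 'clean' by checksum; 'unknown' means neither matched,
    which is not proof of safety (check the release signature instead)."""
    digest = md5_hex(path)
    if digest == bad_md5:
        return "backdoored"
    if digest == good_md5:
        return "clean"
    return "unknown"


def scan_source(root, marker=BACKDOOR_MARKER):
    """Equivalent of the advisory's grep: every C source/header under root
    that contains the marker, as paths relative to root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".c", ".h")):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    if marker in f.read():
                        hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed sample: one clean and one trojaned 'archive' plus a tiny
    source tree; the good/bad sums are derived from the constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = os.path.join(tmp, "clean.tar.gz"), os.path.join(tmp, "bad.tar.gz")
        open(clean, "wb").write(b"constructed clean tarball bytes\n")
        open(bad, "wb").write(b"constructed trojaned tarball bytes\n")
        good_md5, bad_md5 = md5_hex(clean), md5_hex(bad)
        os.makedirs(os.path.join(tmp, "src", "include"))
        open(os.path.join(tmp, "src", "s_bsd.c"), "wb").write(b"/* " + BACKDOOR_MARKER + b" */\n")
        open(os.path.join(tmp, "src", "include", "struct.h"), "wb").write(b"/* harmless */\n")
        return {"clean": classify_archive(clean, good_md5, bad_md5),
                "bad": classify_archive(bad, good_md5, bad_md5),
                "other": classify_archive(clean, "ffff", "eeee"),
                "hits": scan_source(os.path.join(tmp, "src"))}
```

A checksum match against the "good" sum only confirms the archive is the one the advisory calls clean; once the project's GPG signatures are in place, verifying the signature is the stronger check.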

The link for this article located at H Security is no longer available.