I was surprised this morning (not the good kind of surprise, mind you) with some rather malicious-looking computer activity on my system.
I woke up to see that my computer, a PowerMac G5 Dual-Proc 2.7 GHz, was apparently accessed remotely via a foreign host last night. Azureus and Firefox had been downloaded and were open. Additionally, about half a dozen torrent files had been downloaded to the desktop (Grey's Anatomy, Cold Case Files, Bum Fights). Some of these torrent files had apparently been started. Additionally, the website http://www.torrentleech.org had been opened, showing that a user by the name of power3 was logged in. A Firefox window was open with three tabs that appeared to be the submission of torrent files for seeding. Alarmed for obvious reasons, I opened the Console and Network Utility to see what was what.
First though, a bit about my particular network environment: I connect to the Internet via a Cox Communications cable Internet connection (which I recently upgraded to the premium-speed service). I use an AirPort as my network router, with a Netgear 10/100/1000 hub in between that and my computers. This computer specifically has two network connections operational: AirPort and Ethernet. It normally connects through the Ethernet connection, as it is the faster of the two. This computer is set up as a DMZ, but also has the firewall enabled with only a few selected ports opened.
A quick check of things (had to get to work) showed that starting on 3/11 OSXvnc had been started up remotely, and run on at least three different occasions over the weekend. The remote IP that did the connecting on all three occasions was the same, and a ping and traceroute showed that this IP was located (after a healthy 16 hops via traceroute) in Brazil. Now, I certainly don't know anyone in Brazil, let alone give out access to my computer. It seems to me that to do all of these things, someone would have had to get into my computer without authorization and get OSXvnc to start up at the very least. It also appears that they turned off my firewall and somehow operated under my user ID. Definitely concerned, as such an action would seemingly allow a user to do a whole lot more than just download torrent files.
Now here is the best part (or worst, depending on your viewpoint): I called Apple Tech Support, and they recommended I send an email to Apple Security. So that's what I did. Apple Security then sent a cut-and-paste email response back to me suggesting that if I wanted support I should contact Apple Tech Support. So, I called them again and managed to get elevated to a Level II Product Specialist. At this point the specialist tells me that unless I have information on the specific method and vulnerability used to gain access to my system, it's not their problem. He further specified that Apple had no interest in the matter unless that was the case, and to contact my local Internet provider. My jaw dropped at that point, to say the least. VERY disappointed with Apple about this one. Here I was all ready to pore over log files and access files and track down the vulnerability with them, and they APPARENTLY have no interest.
Well, at least we know there IS a remote vulnerability for Mac OS X out there. Anybody got any ideas on next steps?