
Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
Big update on this one. I did some additional digging and uncovered a few things:

A) It IS a user in Brazil who got into my system, apparently in order to UL/DL torrent files
B) That person is hacking another computer in my area as we speak
C) I got into two of that user's "torrent website" accounts via cookies that were still resident in my system, and here are some of the resulting bits of info (open the PDFs in the attached zip). BTW, the IP address in the profiles is the one that person is hacked into right now, not their real one.

Still don't know how they got in, but at least the ID is getting less fuzzy.
 

Attachments

  • BrazilianJerk.zip (187.8 KB)

briangig

macrumors regular
May 16, 2005
176
0
Chaszmyr said:
It seems highly unlikely one could legitimately hack a machine to this extent using a vulnerability not yet warned by Apple and/or security companies. It seems more likely to me that someone somehow acquired your admin password.

If they did get his admin password, they still didn't have physical access to the machine, and if I understand the poster correctly, he didn't have SSH or Remote Login enabled, so how would the cracker have gotten in?

With all this talk about unpublished OS X security flaws, I don't doubt this story.


And yes, I know there was the honeypot set up a few days ago that never got hacked, but that doesn't mean anything..
 

sk1985

macrumors 6502
Jan 13, 2006
311
90
I'm surprised more people don't use WPA2 encryption and MAC address filtering together (WEP pass blows). Also I'd do what someone else here said and see what MAC addresses have been using your router (even with WEP pass people can still get on your network once your password has been cracked). More often than not you can see who's been accessing your WIFI. On a side note, I have no clue what hacked your mac. I seriously don't know if someone hacked you through your WIFI, but it doesn't hurt to have the added protection of better encryption and filtering on your network.

Also are you a torrent user (I know I am)? It really wouldn't surprise me if most if not all these torrent programs have massive security holes. Same goes for programs like limewire and various other P2P programs. I could see getting on someone's machine that way, especially if you left these programs running or if someone has been messing around with these programs while you use them and they just waited for the right moment to hack you. Apple really can't do security checks on these kinds of programs.
 

briangig

macrumors regular
May 16, 2005
176
0
Good info sunrunner..sounds like he is definitely in Brazil, or at least works really hard to make himself look like he is. (but from the files he used on BT, sounds likely he is from Brazil).

How do you know he has control of another person's computer?
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
briangig said:
Good info sunrunner..sounds like he is definitely in Brazil, or at least works really hard to make himself look like he is. (but from the files he used on BT, sounds likely he is from Brazil).

How do you know he has control of another person's computer?


Because the profile on one of those sites indicates that he is currently logged on from an IP address in the area. Since I know he is not in the area, and that IP listed is on the same provider as me, one can logically conclude that it is another one down on his "IPs to visit" list from mine.
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
sk1985 said:
I'm surprised more people don't use WPA2 encryption and MAC address filtering together (WEP pass blows). Also I'd do what someone else here said and see what MAC addresses have been using your router (even with WEP pass people can still get on your network once your password has been cracked). More often than not you can see who's been accessing your WIFI. On a side note, I have no clue what hacked your mac. I seriously don't know if someone hacked you through your WIFI, but it doesn't hurt to have the added protection of better encryption and filtering on your network.

Also are you a torrent user (I know I am)? It really wouldn't surprise me if most if not all these torrent programs have massive security holes. Same goes for programs like limewire and various other P2P programs. I could see getting on someone's machine that way, especially if you left these programs running or if someone has been messing around with these programs while you use them and they just waited for the right moment to hack you. Apple really can't do security checks on these kinds of programs.

The programs that were used on my system were downloaded by the malicious user and then run. Pre-existing applications that I had on my system don't appear to have been used... only the ones they specifically downloaded.
 

spacehog371

macrumors regular
Dec 13, 2003
238
0
The fact that the other IP is in your area says a lot. That would have to be pure coincidence (since IPs are chosen randomly or semi-randomly and not geographically specific). Here is something that is more likely. They are driving around the area going in through people's wireless connections.
 

osprey54

macrumors newbie
May 17, 2005
9
0
LA, CA, USA
I hate to suggest fault on your part at all, but is it possible that your password was just easy to guess/brute-force? Could it have been social engineered from you (i.e. a clever program asking for a password)?

I sincerely doubt he gained access through an OS X vulnerability because, by the unprofessional trail of clues he left behind, it is hard to believe this guy would know any such unpublished OS X vulnerabilities, let alone how to exploit them properly if he did.

I recommend using some sort of third-party firewall in addition to the built-in OS X one. NetBarrier is one I use in particular.

EDIT:
IP addresses are assigned pretty geographically (especially if there is a specific provider who is popular in the area).
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
osprey54 said:
I hate to suggest fault on your part at all, but is it possible that your password was just easy to guess/brute-force? Could it have been social engineered from you (i.e. a clever program asking for a password)?

I sincerely doubt he gained access through an OS X vulnerability because, by the unprofessional trail of clues he left behind, it is hard to believe this guy would know any such unpublished OS X vulnerabilities, let alone how to exploit them properly if he did.

I recommend using some sort of third-party firewall in addition to the built-in OS X one. NetBarrier is one I use in particular.

The passwords I use are strong passwords (>9 characters, special symbols, numbers, capital & lowercase and no words, all in the same pw). Also, I never use the same password on two systems or accounts. So no, I HIGHLY doubt the "got-my-password" idea. Also, the guy is in Brazil, so he likely doesn't care if he leaves a trail.
 

spacehog371

macrumors regular
Dec 13, 2003
238
0
I'm saying he wouldn't have a list of IPs of a specific area... there would be no reason for the guy to stick in the same area geographically if he was in Brazil or whatever. HIGHLY UNLIKELY
 

briangig

macrumors regular
May 16, 2005
176
0
Can you confirm you didn't have SSH and remote login enabled? Even if he knew the password, without physical access the cracker wouldn't have been able to do anything.

spacehog371 said:
The fact that the other IP is in your area says a lot. That would have to be pure coincidence (since IPs are chosen randomly or semi-randomly and not geographically specific). Here is something that is more likely. They are driving around the area going in through people's wireless connections.

They probably have the same ISP, probably scanned a certain subnet. Maybe Sunrunner can confirm if the first few digits are the same?
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
briangig said:
Can you confirm you didn't have SSH and remote login enabled? Even if he knew the password, without physical access the cracker wouldn't have been able to do anything.


They probably have the same ISP, probably scanned a certain subnet. Maybe Sunrunner can confirm if the first few digits are the same?


Yes, they are.
 

WolfJLupus

macrumors member
Oct 5, 2003
30
0
Snohomish WA
How do you know the person is in Brazil for sure? (publicproxyservers.com)

I would suspect the person in your IP range to be a potential suspect because the person likely got into your network via wireless.

What service did you have open? SSH? Which ports?

Do you use the same password you use to connect to the router as your main account password, or otherwise on any websites you frequent?

If your wireless connection is open for anyone to join then they may be able to man-in-the-middle your router, which they can collect passwords from... I'm not 100% sure this is possible to do on an AirPort, but I'm very cautious about who I allow physical access to my network because man-in-the-middle is too easy to pull off by being connected to my (autosensing) switch, which is why I make sure to use SSL on most of my internet connections.

But if he got your user name and pass and could gain access to your wireless network, then he could do anything if you left any openings for him, like SSH.
 

ChrisBrightwell

macrumors 68020
Apr 5, 2004
2,294
0
Huntsville, AL
iMeowbot said:
"Stealth mode" in firewalls is kind of dubious. All it really does is advertise that a firewall is running.

Actually, stealth mode doesn't answer connection requests, so the requesting machine has no idea if there's even a machine there.

Refusing connections advertises your firewall, but not "stealth" mode.
 

iMeowbot

macrumors G3
Aug 30, 2003
8,634
0
ChrisBrightwell said:
Actually, stealth mode doesn't answer connection requests, so the requesting machine has no idea if there's even a machine there.

That's what gives it away. You get no response instead of no route to host. Any open ports will respond normally (which they kind of have to do to be of any use at all).
 

osprey54

macrumors newbie
May 17, 2005
9
0
LA, CA, USA
Can you affirm that you did not get social engineered?

And also the guy would care about leaving a trail, because if he was caught it would mean that he would lose an available computer, potentially get hacked back, have his info exposed (like how you got access to his torrent account), and possibly be the target of a high level investigation.

If you give me his IP, I can try to see what I can do ;)
 

trainguy77

macrumors 68040
Nov 13, 2003
3,567
1
Couple things guys, who really gives a hoot if it was wireless. Since he is in the DMZ, ALL PORTS go to the computer anyway. He is using the built-in firewall, which is still in use for wireless access. Second of all, I would report this IP to the ISP. What is the IP address? From that we can track down if it's a proxy. And if not, report it saying it has been compromised or is the hacker.
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
Ok, let's try to answer a bunch of the questions here...

I am running 10.4.5 with all the latest patches (this incident occurred before the 2006-002 Security Update however).

We can also RULE OUT the idea that A) Access was gained via a wireless protocol, or B) That my username/pwd was gained via social engineering.

The account password and all other passwords are NOT the same, including that for the router. The two torrent website accounts that I accessed (and subsequently blew away) via the cookie trail the idiot left behind pretty much confirms that the person is resident in Brazil.

ALSO, the IP the person originated from was 200.181.178.192
 

yojitani

macrumors 68000
Apr 28, 2005
1,858
10
An octopus's garden
This doesn't contribute to solving your problem, but may other MR members: how do you find out when your computer was accessed and which programs were opened remotely?

YOJ
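One defender-side way to start on the question above (and on briangig's "same first few digits" check) is to pull the login history and flag any network login whose source is outside the prefixes you normally appear from. This is an added example, not code posted in the thread; the `last`-style sample lines, the trusted prefixes and the addresses are all constructed for illustration.

```python
"""Flag logins that came from outside the networks you expect.

Added example: the sample lines below imitate `last` output and are
constructed, not taken from the poster's machine."""
import ipaddress
import re

# Prefixes you treat as "yours": the LAN and the ISP block you normally use
# (both are assumptions for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample of `last` output: user, tty, source host (if any), time.
SAMPLE_LAST_OUTPUT = """\
alice    ttys000  192.168.1.7      Thu Mar  9 21:14   still logged in
alice    ttys001  203.0.113.44     Wed Mar  8 03:02 - 03:41  (00:39)
alice    console                   Tue Mar  7 18:30 - 23:10  (04:40)
root     ttys002  203.0.113.44     Wed Mar  8 03:05 - 03:40  (00:35)
"""

# user, tty, optional dotted-quad source, then the rest of the line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})?\s*(.*)$")


def parse_last(text):
    """Return (user, tty, source_ip_or_None, timestamp_text) per record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not line.strip() or not m:
            continue
        user, tty, src, rest = m.groups()
        records.append((user, tty, src, rest.strip()))
    return records


def suspicious_logins(text, trusted=TRUSTED_NETWORKS):
    """Network logins whose source is not inside any trusted prefix.

    Console logins carry no source address; they are local and skipped."""
    hits = []
    for user, tty, src, rest in parse_last(text):
        if src is None:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in trusted):
            hits.append((user, src, rest))
    return hits


def same_prefix(ip_a, ip_b, prefix_len=24):
    """True when both addresses share the first prefix_len bits (one subnet)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net
```

Running `suspicious_logins(SAMPLE_LAST_OUTPUT)` on the sample surfaces the two 03:00 sessions from 203.0.113.44, including the root one, which is exactly the kind of entry worth correlating with file modification times and running processes.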
 

Detlev

macrumors 6502a
Sep 16, 2003
509
0
sk1985 said:
I'm surprised more people don't use WPA2 encryption and MAC address filtering together (WEP pass blows). Also I'd do what someone else here said and see what MAC addresses have been using your router (even with WEP pass people can still get on your network once your password has been cracked). More often than not you can see who's been accessing your WIFI. On a side note, I have no clue what hacked your mac. I seriously don't know if someone hacked you through your WIFI, but it doesn't hurt to have the added protection of better encryption and filtering on your network.

How do you check if someone has been using your router or AirPort Base Station?
 

Seasought

macrumors 65816
Nov 3, 2005
1,093
0
What ports are open (if any) on this machine throughout the day and night? This box is on all the time, correct?

A brute force type of scenario seems plausible if this is the case.

Have you done any hunting for scripts on your box he may have left behind?

Have you tried counter-attacking him? :D
 

GFLPraxis

macrumors 604
Mar 17, 2004
7,152
460
Sunrunner said:
The AirPort IS active for wireless connections, but the configuration is set up so that the network is WEP encrypted. That doesn't appear to be the issue though regardless (unless someone in Brazil has a VERY high-gain antenna).

He was almost certainly using a proxy. Very easy to do. Essentially all the packets he sends go through the proxy server in Brazil, then to you, so it appears that he's in Brazil.

I know I would, if I were a hacker.

EDIT: nevermind, already been said.
 