
ChrisA

macrumors G5
Jan 5, 2006
12,918
2,170
Redondo Beach, California
Sunrunner said:
I was surprised this morning (not the good kind of surprise mind you) with some rather malicious-looking computer activity on my system…


What ports were open? What was running on those ports? I see it was not ssh/rlogin/telnet, but did you have port 80 (http) or FTP port(s) open? It would be easy to misconfigure either apache or ftp to allow a remote exploit.
Why is your computer on a DMZ? What service(s) does it provide?

What non-apple software is installed? You could have a Trojan.
 

dosser

macrumors newbie
Mar 14, 2006
3
0
Sunrunner, have you ever considered using Snort/HenWen?
It wouldn't solve the problem but it may be of some use.
 

nrd

macrumors member
Mar 8, 2005
83
0
New Jersey
Don't a DMZ and a firewall rule each other out? I thought a DMZ allowed one computer to be outside the firewall.

Also, change your password on the machine, go into NetInfo utility and change the root password of the machine. Boot in single user mode if necessary.

Change his/her password on the torrent site. Serves him/her right.

Look into blocking more ports on your machine via the hardware firewall. Unless I missed this earlier in the thread, what does the machine do that requires it to be outside the firewall?
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
ChrisA said:
What ports were open? What was running on those ports? I see it was not ssh/rlogin/telnet, but did you have port 80 (http) or FTP port(s) open? It would be easy to misconfigure either apache or ftp to allow a remote exploit.
Why is your computer on a DMZ? What service(s) does it provide?

What non-apple software is installed? You could have a Trojan.


Other than port 80, which was open because this computer was a web server, ports 123 (time), 548 & 427 (file sharing), 5297 & 5298 (iChat), 3689 (iTunes), 8770 (iPhoto), 6970 - 6980 (quicktime), and 3283 & 5900 (ARD) were open. I know 5900 was used for the OSXvnc connection, but the initial exploit that gained remote access in the first place is unknown.

Also, little snitch was running on this end, but it seems that the user just added temporary rules while in my system to allow outbound connections to happen.
 

PatrickF

macrumors 6502
Feb 16, 2006
335
0
Blighty
Sunrunner said:
Other than port 80, which was open because this computer was a web server, ports 123 (time), 548 & 427 (file sharing), 5297 & 5298 (iChat), 3689 (iTunes), 8770 (iPhoto), 6970 - 6980 (quicktime), and 3283 & 5900 (ARD) were open.

That sounds like a lot of open ports for a computer sitting on the Internet. I would pull out your computer from the DMZ and set your router up to only forward the ports you really need to access from the Internet.

You certainly shouldn't need to serve up port 123 over the Internet, and as for file sharing, do you really access these from remote locations? If so I would consider setting up a VPN.
 

snkTab

macrumors 6502a
Nov 13, 2004
580
1
Cincinnati, OH
Sunrunner said:
Other than port 80, which was open because this computer was a web server, ports 123 (time), 548 & 427 (file sharing), 5297 & 5298 (iChat), 3689 (iTunes), 8770 (iPhoto), 6970 - 6980 (quicktime), and 3283 & 5900 (ARD) were open. I know 5900 was used for the OSXvnc connection, but the initial exploit that gained remote access in the first place is unknown.

Also, little snitch was running on this end, but it seems that the user just added temporary rules while in my system to allow outbound connections to happen.

ARD = Apple Remote Desktop?

Seems like the ability to use little snitch and various other programs might indicate that he could see your screen in this manner, rather than executing some type of script.
 

PatrickF

macrumors 6502
Feb 16, 2006
335
0
Blighty
From http://en.wikipedia.org/wiki/Apple_Remote_Desktop:

On June 21, 2004 Apple announced Apple Remote Desktop 2 (released in July), which was designed to use the VNC protocol instead of Apple's original ARD protocol. This allows the ARD administration software to observe and control any computer running VNC-compatible server software (such as Windows and Unix systems) not just Macs and conversely allowing standard VNC viewing software to connect to any Mac with the ARD 2 client installed and VNC access enabled. This version also uses the TCP protocol for most functions (on ports 3283, 5900 and 5988), which is designed to be more reliable than the UDP protocol used in ARD 1. Another significant addition to ARD 2 was the Task List, that allows remote tasks to be queued and monitored, reporting their status (such as Succeeded or Failed). This release also dropped support for older versions of the Mac OS, requiring 10.2.8 or higher.

Looks like ARD uses the VNC protocol then, which as people have already said could have been the point of entry. VNC isn't the most secure protocol, therefore you should ideally tunnel VNC through a VPN if you need to access it remotely over the Internet.
 

superted666

Guest
Oct 17, 2005
422
0
Interesting

When I perform a lookup on this address it does have a phone number registered, you could try calling: http://samspade.org/t/lookat?a=200.181.178.192

I would suggest enabling logging on the airport as he has been fairly sloppy performing all this using vnc and your user, intelligent and if he indeed knew your password then he would add another admin account to better hide himself.
 

Sunrunner

macrumors 6502a
Original poster
Nov 27, 2003
600
2
superted666 said:
When I perform a lookup on this address it does have a phone number registered, you could try calling: http://samspade.org/t/lookat?a=200.181.178.192

I would suggest enabling logging on the airport as he has been fairly sloppy performing all this using vnc and your user, intelligent and if he indeed knew your password then he would add another admin account to better hide himself.


All very good points
 

jeremy.king

macrumors 603
Jul 23, 2002
5,479
1
Holly Springs, NC
Sunrunner said:
3283 & 5900 (ARD) were open.

Why have these open if you weren't using ARD or VNC? Also, are you sure you don't have either VNC or ARD set up as a LaunchDaemon? If you do, they won't start until a request is made on that port, meaning all the guy had to do was guess your password (or use an automated method)...
 

Kuru Kuru

macrumors newbie
Feb 17, 2006
25
0
/dev/null
Well there you have it, in my opinion. I've read the whole thread up to now and my single point of advice for you: close the ports for ARD/VNC, remove all traces of any VNC server program or anything related to it. Hell, close all the ports you're not using. But those ports jump out at me because they are compatible with various VNC offshoots, which give people the ability to basically just sit down at your computer if they can hack your password - or, for that matter, if your VNC access wasn't password protected, because to connect to that service you don't need your computer login/password. Only the authentication you set up for the service.
Using a computer as a web server and enabling remote visual access to it at the same time is kind of against common sense to me, but I suppose if it hadn't been brought to your attention in such a long time, you wouldn't have thought about it.
Although, I do think it would be funny to wait until he starts messing with your screen and then type something at him in textedit... lol.
Seriously though, close every port you're not using. Cannot emphasize this enough.
 
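A defender-side check in the spirit of "close every port you're not using", added here as example code that is not from the thread: it parses `lsof -nP -iTCP -sTCP:LISTEN` output (a constructed sample is embedded), labels ports using the list Sunrunner posted, and reports every externally bound listener that is not on an allowlist. Function names such as `unexpected_listeners` and the sample process names are assumptions.

```python
import re
import subprocess
from typing import Dict, Iterable, List, Tuple

# Service labels for the ports Sunrunner listed as open in the thread.
PORT_LABELS: Dict[int, str] = {
    80: "http (web server)", 123: "ntp (time)", 427: "slp (file sharing)",
    548: "afp (file sharing)", 3283: "ARD agent", 3689: "daap (iTunes)",
    5297: "iChat", 5298: "iChat", 5900: "vnc / ARD screen sharing",
    8770: "iPhoto sharing",
}
PORT_LABELS.update({p: "quicktime streaming" for p in range(6970, 6981)})

# Matches one LISTEN line of `lsof -nP -iTCP -sTCP:LISTEN`; the header is skipped
# because its PID column is not numeric.
_LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+.*?\s(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$")

# Constructed sample output (not real lsof output from the thread's machine).
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd       412  root    4u  IPv4 0x1a2b      0t0  TCP *:80 (LISTEN)
AppleFileS  522  root    7u  IPv4 0x2b3c      0t0  TCP *:548 (LISTEN)
ARDAgent    601  root    9u  IPv4 0x3c4d      0t0  TCP *:3283 (LISTEN)
OSXvnc-ser  733  sun    10u  IPv4 0x4d5e      0t0  TCP *:5900 (LISTEN)
iTunes      810  sun    12u  IPv4 0x5e6f      0t0  TCP *:3689 (LISTEN)
mysqld      905  mysql   3u  IPv4 0x6f70      0t0  TCP 127.0.0.1:3306 (LISTEN)
"""

def parse_listeners(lsof_output: str) -> List[Tuple[int, str, str]]:
    """Return (port, command, bind_host) for each LISTEN line."""
    found = []
    for line in lsof_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append((int(m.group("port")), m.group("cmd"), m.group("host")))
    return found

def unexpected_listeners(lsof_output: str, allowed: Iterable[int]) -> List[Tuple[int, str, str]]:
    """Listeners bound to a non-loopback address whose port is not allowlisted."""
    allowed = set(allowed)
    out = []
    for port, cmd, host in parse_listeners(lsof_output):
        if host in ("127.0.0.1", "[::1]", "localhost"):
            continue  # loopback-only services are not reachable from the DMZ
        if port not in allowed:
            out.append((port, cmd, PORT_LABELS.get(port, "unknown service")))
    return sorted(out)

if __name__ == "__main__":
    try:  # audit the live machine; fall back to the sample if lsof is unavailable
        text = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSOF
    for port, cmd, label in unexpected_listeners(text, allowed={80}):
        print(f"close or firewall port {port}: {cmd} ({label})")
```

Run with an allowlist of only the ports the box must serve (port 80 for the web server here); anything else it prints is a candidate for shutting the service down or blocking at the router.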

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
kingjr3 said:
Wheres yellow when you need him?

What? What? I'm here!

IMO, the GUIfied controls for the ipfw2 are asstastic. You should REALLY learn to use it via the command line so you can really understand what you're doing and how you're protecting yourself. That being said, it's safer (again, IMO) to use a hardware firewall on a router. It's worth the money and the security.

In order to TRULY make sure you're free and clear of installed trojans/backdoors, you need to wipe the drive and reinstall the OS. I wouldn't trust ANYTHING on that box right now. Nor would I trust my backups. You have no idea when you were compromised and when the evildoer decided to get around to using you.
Choose new usernames and GOOD PASSWORDS. Don't enable root unless you absolutely need to.


All this being said, it doesn't seem like a 'professional' job to me, since a pro would want to cover his tracks.
 

Kuru Kuru

macrumors newbie
Feb 17, 2006
25
0
/dev/null
Well put, Yellow. I didn't think to suggest that - usually I don't want to push the terminal on some people if it's not an aspect they're used to, since things could get easily messed up. But seeing as you're running a web server on that thing, Sunrunner, learning the terminal would be a Good Thing, and that's an understatement :)
And heck no, this wasn't a professional. It would be a relatively simple thing to do given a couple of scripts and basic knowledge of which ports do what. Heck, I could'a done it. Not that I did or would, of course. From what I've read, it seems like a really stupid reason to take over someone's computer... running torrents on it. I'm not sure quite what he hoped to achieve, and how he thought he wouldn't be found out once someone... oh, I don't know... looked at the screen. :p Not to mention the cookie trail. Wardriving script kiddies, I tell ya.
 

Kuru Kuru

macrumors newbie
Feb 17, 2006
25
0
/dev/null
crees! said:
He's looking to steal bandwidth so he can get movies and whatever else faster.

Right, but wasn't he downloading the torrents onto the computer he was hacking ... not his own? Right in front of the eyes of the said person? It just seems less than worthwhile. But I guess the problem isn't his motives, lol.
 

snkTab

macrumors 6502a
Nov 13, 2004
580
1
Cincinnati, OH
Kuru Kuru said:

Right, but wasn't he downloading the torrents onto the computer he was hacking ... not his own? Right in front of the eyes of the said person? It just seems less than worthwhile. But I guess the problem isn't his motives, lol.

I think the point was to slowly download the torrents on the compromised computers and then directly (fast) download it to the compromiser.

However, the fact that it's visual and on the screen when the person comes home and most probably quickly shut down, it is pointless. Unless he had compromised a lot of computers.
 

Abulia

macrumors 68000
Jun 22, 2004
1,786
1
Kushiel's Scion
Not to derail this thread, but is there any kind of Mac security "how to" guide to avoid these kinds of vulnerabilities? I've learned a lot by lurking in this thread.

I don't *think* my PM is open to attack (router firewall, refuse pings, only open specific ports at the router level) but, for example, I couldn't tell you if I have VNC/ARD enabled.
 

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
ARD is found in System Preferences -> Sharing Prefpane. I think it started appearing automatically in Panther, if you're running Jaguar, you don't have ARD installed.

As for the "how to"? I don't know of one, but that doesn't mean it doesn't exist.

Use common sense. Change your password every 6 months, and use GOOD PASSWORDS. Don't open ports that you don't need. Don't allow yourself to be socially engineered. Don't download things from sources that are not known to be reputable to yourself. Don't install things that aren't known to be reputable or from a reputable source. Look into things like Tripwire to help you manage what is installed and what is being installed/changed. Get comfortable with the command line. And above all, learn all you can. The more you know, the more protected you will be.

But ultimately remember, unplugging your computer from the internet is the safest it will be from external exploits/cracks/hacks. So don't get too down on yourself if it does happen. It happens to the best, despite best practices.
 

dosser

macrumors newbie
Mar 14, 2006
3
0
Don M. said:
Not to derail this thread, but is there any kind of Mac security "how to" guide to avoid these kinds of vulnerabilities? I've learned a {SNIP}

Don M. - I don't know if this is what you are after, but here are a few good basic security guides:
The NSA put out a security guide for Mac OSX Panther, it can be found at:
http://www.nsa.gov/snac/downloads_macX.cfm?MenuID=scg10.3.1.1

Also Corsaire's guide is worth a look:
http://www.corsaire.com/white-papers/040622-securing-mac-os-x.pdf

Macintouch have some good resources:
http://www.macintouch.com/security.html

And if you want your brain addled Rixstep seem to be the way to go:
http://www.rixstep.com/2/20060311,00.shtml

Of course there are heaps more, but they may belong, as you said, in another thread!
 

OutThere

macrumors 603
Dec 19, 2002
5,730
3
NYC
My guess would be that it's a war driver or neighbor who was looking for bandwidth. It wouldn't make sense for someone really in Brazil to download the stuff to your computer, and then from your computer to his computer in Brazil.

Here's what probably happened:

Over the course of a couple of days of internet traffic they collected your WEP password with Kismet or equivalent, and were able to join your wireless network.

Some quick probing from there could tell them that your G5 was in the DMZ, so they could drop out of your network, get on another network at home or another exposed wireless network, use a proxy to make it seem like they were from Brazil, and over the course of a few days, brute force your password.

If your password was weak, it wouldn't have taken long at all, and then they would have been able to command your computer from "Brazil" through their proxy, make it download all the stuff they wanted over your very fast internet, and then hop onto your wireless connection and download it all to their computer very quickly.


I would say you should take your computer out of the DMZ, close all the ports you don't absolutely need, set up WPA encryption, MAC Address filtering, and make your external IP address unpingable.

Brute forcing takes time, however, which would indicate that it's a neighbor, someone who can leave their computer on running an attack.

Also, the guy may have enabled root and changed the password, might want to check into that.
 

dejo

Moderator emeritus
Sep 2, 2004
15,982
452
The Centennial State
OutThere said:
If your password was weak...

Sunrunner has already stated:

Sunrunner said:
The passwords I use are strong passwords (>9 digits, special symbols, numbers, capital & lowercase and no words, all in the same pw). Also, I never use the same password on two systems or accounts. So no, I HIGHLY doubt the "got-my-password" idea.

Why do so many keep harping about weak passwords?
 

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
dejo said:
Why do so many keep harping about weak passwords?

Because it's a common problem, and other people will probably read this thread and think their 6 character password that is the name of their cat is strong, because no one knows my cat's name is "fluffy".

As a parallel, having a back up solution is a common thing to harp about, and yet.. so many people don't have them..

They are perfectly cromulent things to harp upon. Because they embiggen a user's knowledge.
 

dejo

Moderator emeritus
Sep 2, 2004
15,982
452
The Centennial State
yellow said:
Because it's a common problem, and other people will probably read this thread and think their 6 character password that is the name of their cat is strong, because no one knows my cat's name is "fluffy".

Sorry, perhaps I should have worded that question: "Why do so many keep harping on Sunrunner about weak passwords?"
 