
maverick13

macrumors member
May 26, 2004
41
0
Hello, I think we have a remote code execution vulnerability here. Yesterday, a friend was hacked the same way. He started seeing his mouse pointer move and trying to run the Terminal. His PPC Mac mini was running the latest Tiger version and was outside his corporate firewall. The only service running on the mini was sshd. OSXVnc was installed but NOT running.
 

caveman_uk

Guest
Feb 17, 2003
2,390
1
Hitchin, Herts, UK
maverick13 said:
Hello, I think we have a remote code execution vulnerability here. Yesterday, a friend was hacked the same way. He started seeing his mouse pointer move and trying to run the Terminal. His PPC Mac mini was running the latest Tiger version and was outside his corporate firewall. The only service running on the mini was sshd. OSXVnc was installed but NOT running.
Was the ARD or any remote access port open?

Does OSXVnc run any sort of startup item when the user logs in? If so all bets are off.

From the webpage:

Q: How can I set up OSXvnc as a boot-time Startup Item without needing a user logged in?

A: OSXvnc 1.3 and above can set up this mode for you. Please go to the "Startup" panel and press the "Setup Startup Item" button. You will need to authenticate as a user with privilege to administer the machine. Once you have, OSXvnc will set itself to start up the next time your machine boots. In this mode you don't need to launch the GUI application, the server will be running all the time.
If you want to do it by hand you will need to copy the OSXvnc.app/Contents/Resources/OSXvnc folder into /Library/StartupItems and then modify the OSXvnc file by hand.
NOTE: Due to Apple security restrictions VNC clients will NOT have access to the pasteboard (Cut&Paste) of the MacOS X machine.

Q: I've set up OSXvnc as a Startup Item, how can I turn it off?

A: Starting with 1.32 the GUI can do this for you on the Startup tab. If you want to turn it off temporarily but have it continue to start up then you want to issue the following command:
sudo /Library/StartupItems/OSXvnc/OSXvnc stop
If you want to stop OSXvnc from starting up automatically any longer you can also remove the startup directory. This command will do that:
sudo rm -rf /Library/StartupItems/OSXvnc
The GUI app does not need to be running for the server to run. You'd never know without checking the running processes.

I think we may have found our smoking gun.
 

gekko513

macrumors 603
Oct 16, 2003
6,301
1
Yes, at least in maverick13's case, my gut feeling is a misconfiguration of OSXvnc. At least until we know more about this.

The nature of the attacks also appears so amateurish that it strongly suggests that it's just a script kiddie with a port scanner tool and a VNC client.
 

maverick13

macrumors member
May 26, 2004
41
0
gekko513 said:
Yes, at least in maverick13's case, my gut feeling is a misconfiguration of OSXvnc. At least until we know more about this.

The nature of the attacks also appears so amateurish that it strongly suggests that it's just a script kiddie with a port scanner tool and a VNC client.

I have given this thread to my friend who was hacked. He will probably post with more details. In the meantime, I don't think it was misconfigured. That's his job, he is a network administrator working with many Linux machines. The mini is his personal workstation in the office.
I did a portscan on his host and I could see only ssh open.
And yes, it looks like script-kiddie kind of attacks. That's not good. That means if a remote vulnerability was found it is utilized by common exploits.
 

Sopor Mysteria

macrumors newbie
Mar 21, 2006
3
0
Greetings to all,

Here I am to explain how things happened..

I've been running osxvnc for months, having no problems with it until it just stopped working.. that was about a month ago. Not really using it I just stopped running it. However a week ago I needed it so I removed and re-installed it, and guess what.. it worked! "Hooray!", said I, and left my office. A couple of days later I rebooted my Mac since I had to install some updates that required it, and when again on the desktop I tried to start osxvnc just to keep it running but to my puzzlement it just didn't start, just like that other time. The icon on the dock kept bouncing for quite a time and then stopped, with no black arrow beneath it. It never started, the process was reported as "not responding" and so I closed it. That was about 4 days ago. Anyway, yesterday in the evening I was just sitting here eating my pizza when I saw my pointer move. My eyes focused on the osxvnc icon on the dock, WITH the black arrow beneath it... it was running alright! The office was dark with the only light emanating from my monitor.. it was scary alright. I did nothing, just called for a guy in the next office so that I could use his computer to log in to mine, to check where the intruder connected from. He came to my office and accidentally moved the mouse. The intruder saw that and was out. All he managed to do within the minute he was connected was to close Safari (when I saw that I felt relieved. He was a moron alright), then tried to start the terminal. Since I use Desktop Manager, and I already had open terminals in other desktops, it didn't pop up. Since he was too retarded to select File/New Shell, he kept clicking on it for about 5-6 times till my mouse moved. Anyway after that I removed osxvnc, and checked all the logs. Didn't manage to find anything of use. osxvnc had been running its default configuration with a password set for it of course, but when I clicked on the dock icon, the osxvnc window never showed up! Anyway, that's pretty much all of it.
Indeed I only have the sshd port open. Oh yes, and the VNC server of course, since miraculously it was running.

That's it.. take care!
 

gekko513

macrumors 603
Oct 16, 2003
6,301
1
Well that certainly doesn't make it sound less likely that OSXvnc was the way in:

"I tried to start osxvnc just to keep it running but to my puzzlement it just didn't start, just like that other time. The icon on the dock kept bouncing for quite a time and then stopped, with no black arrow beneath it. It never started, the process was reported as "not responding" and so I closed it."

So OSXvnc didn't work as expected and was then left alone. It may well have been left in a running state behind the scenes, or restarted itself some time later if it was set up as a service, since you say you didn't investigate further what went wrong.

maverick13: When did you port scan? Before or after the incident?
 

Sopor Mysteria

macrumors newbie
Mar 21, 2006
3
0
When I say "I closed it" I actually mean "I killed the ****in' osxvnc process; and I killed it dead!".

Anyway, he portscanned me after the incident, and after I rebooted. To me it seems that the vncserver was running and no password was required, but who started it this way is what this is all about. I don't suggest that there's an exploit for os x in general, actually I don't suggest anything I just report what happened to me since Maverick asked me to do so, and since there was a similar incident.

PS: osxvnc was never set up as a service. Always started it manually.
 

gekko513

macrumors 603
Oct 16, 2003
6,301
1
Sopor Mysteria said:
When I say "I closed it" I actually mean "I killed the ****in' osxvnc process; and I killed it dead!".

Anyway, he portscanned me after the incident, and after I rebooted. To me it seems that the vncserver was running and no password was required, but who started it this way is what this is all about. I don't suggest that there's an exploit for os x in general, actually I don't suggest anything I just report what happened to me since Maverick asked me to do so, and since there was a similar incident.

Thanks for the clarification. :D

Did you reboot any time in between the "killing of the ****in' osxvnc process" and the incident? I ask because that could have respawned osxvnc in the background. Launchd respawning osxvnc is a second possible way that osxvnc could've been resurrected without the actions of any attacker. Launchd can respawn server processes that have been killed. I'm not very familiar with how it works, but I'm just listing it as a possible explanation.

If we're not counting physical access to the machine, sshd seems like the only other way in, and if sshd is vulnerable on OS X it should be vulnerable on other platforms too and that seems unlikely.
 
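The FAQ quoted earlier says the server can run with no GUI visible, and the post above raises the possibility of a launchd job respawning a killed process. As an added example (not code from the thread or from the OSXvnc project), the script below is the check a defender would run to rule those explanations in or out: it counts OSXvnc processes in `ps` output, looks for a listener on the VNC port, checks for the startup item directory named in the FAQ, and scans launchd plists for a `KeepAlive` key. It assumes OSXvnc's default TCP port 5900 and the `/Library/StartupItems/OSXvnc` path from the FAQ; the sample `ps`, `netstat` and plist texts embedded in it are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or the OSXvnc project: a defender's
# audit for a VNC server that is running, listening, or able to come back
# on its own (server running without its GUI, a /Library/StartupItems entry,
# a launchd job respawning a killed process). Assumptions: OSXvnc listens on
# TCP 5900 by default, its startup item lives at /Library/StartupItems/OSXvnc,
# and a launchd plist with <key>KeepAlive</key><true/> restarts the job.
# The sample command outputs below are constructed so the checks run offline.

# Number of process-table lines naming OSXvnc (input: text of `ps -axo pid,comm`).
vnc_processes() {
  printf '%s\n' "$1" | grep -ci 'osxvnc' || true
}

# "yes" if a socket listing shows a listener on port 5900 (netstat or ss text).
vnc_listening() {
  if printf '%s\n' "$1" | grep -E '[.:]5900([[:space:]]|$)' | grep -q 'LISTEN'; then
    echo yes
  else
    echo no
  fi
}

# "yes" if a launchd plist (as text) asks launchd to respawn the job.
launchd_keepalive() {
  if printf '%s\n' "$1" | tr -d '\n' | grep -Eq '<key>KeepAlive</key>[[:space:]]*<true/>'; then
    echo yes
  else
    echo no
  fi
}

# Live audit of the machine this runs on (macOS paths; other systems simply
# report "no" for the Mac-specific locations).
audit_host() {
  echo "OSXvnc processes: $(vnc_processes "$(ps -axo pid,comm 2>/dev/null)")"
  echo "Listener on 5900: $(vnc_listening "$(netstat -an 2>/dev/null)")"
  if [ -d /Library/StartupItems/OSXvnc ]; then
    echo "Startup item present: yes (/Library/StartupItems/OSXvnc)"
  else
    echo "Startup item present: no"
  fi
  for f in /Library/LaunchDaemons/*.plist /Library/LaunchAgents/*.plist "$HOME"/Library/LaunchAgents/*.plist; do
    [ -f "$f" ] || continue
    if grep -qi 'vnc' "$f"; then
      echo "launchd job mentioning VNC: $f (KeepAlive: $(launchd_keepalive "$(cat "$f")"))"
    fi
  done
}

# Constructed sample outputs for the offline demonstration.
SAMPLE_PS='  123 /Applications/OSXvnc.app/Contents/MacOS/OSXvnc
  456 /usr/sbin/sshd'
SAMPLE_NETSTAT='tcp4  0  0  *.5900  *.*  LISTEN
tcp4  0  0  *.22    *.*  LISTEN'
SAMPLE_PLIST='<plist version="1.0"><dict>
<key>Label</key><string>com.example.osxvnc</string>
<key>KeepAlive</key><true/>
</dict></plist>'

if [ "${1:-}" = "--live" ]; then
  audit_host
else
  echo "sample: OSXvnc processes: $(vnc_processes "$SAMPLE_PS")"       # 1
  echo "sample: listener on 5900: $(vnc_listening "$SAMPLE_NETSTAT")"  # yes
  echo "sample: KeepAlive set:    $(launchd_keepalive "$SAMPLE_PLIST")" # yes
fi
```

Run it with `--live` on the machine in question to inspect the real process table, sockets and launchd directories; without arguments it only exercises the parsers on the constructed samples. A server counted by `vnc_processes` while the dock shows no running application is exactly the "you'd never know without checking the running processes" case from the FAQ.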

Sopor Mysteria

macrumors newbie
Mar 21, 2006
3
0
I agree, sshd cannot be the problem here. A few more clarifications: whenever I started osxvnc, I needed to click on the "start server" button for it to start listening, and it required my password which was saved by it. The paradox that I mentioned before is most interesting, that when I saw that vnc was running and I clicked on it, no window showed up. It seemed like it was started in some other way. And no, I did not restart the Mac after killing vnc. To me the only rational explanation seems to be buried somewhere in the past, or that I forget something critical that I've done or I haven't.. anyway I believe we should expect some more feedback from the other guy that experienced such an intrusion. His comments after reading my story are bound to be useful.

However I will mention something that I believed was of no importance, but what the heck. Earlier the same day I was brute-forced on my sshd as the logs suggest. To me this is an every-day phenomenon so I ignored it at first, but later I saw that he was trying to brute-force my very own username (normally everything is random.. silly huh?), with several passwords. Anyway I laughed at it since I already have a username@hostname restriction in my sshd_config. It is important that whoever was messing around is no threat to anyone. So his actions suggest anyway, and this is the most disturbing of all.
 