Anyone have a Mac get hacked?

Tom Light
Nov 20, 2003, 11:01 AM
As a reformed Wintel server admin, I was curious how many Mac users have *ever* had their boxes get compromised by a worm, virus, etc...

I patch my Mac desktops and servers like a good boy, but how much danger is there really out there?

Any horror stories to share?

Tom



gwuMACaddict
Nov 20, 2003, 11:16 AM
Nope. Never. Although... it is fun to get your friend's passwords and IP address and have a little ssh fun with the terminal once in a while... ;)

revenuee
Nov 20, 2003, 11:23 AM
Originally posted by Tom Light
As a reformed Wintel server admin, I was curious how many Mac users have *ever* had their boxes get compromised by a worm, virus, etc...

I patch my Mac desktops and servers like a good boy, but how much danger is there really out there?

Any horror stories to share?

Tom


LOL .... half the people here probably don't even own anti-virus software

Umm, the only real threats that I've heard of are the macro viruses that exist in Microsoft Office products.

I've received tons of emails that my friends told me not to open because it's a virus, and I've done it just for fun to see what would happen - after I backed up everything, of course - and I just got a "does not recognize file" response.

This was under OS 9, mind you... OS X is FreeBSD-based, so it could be different.

www.securemac.com, as you probably already know yourself, has all the latest info on Mac security issues.

Counterfit
Nov 20, 2003, 11:24 AM
I've been using Apple computers since I was 4 or 5 (about 1989 or so, when we got our Apple IIgs). I have NEVER had a virus, worm or anything else. Unless there were some that my brother didn't tell me about. But I can say with absolute certainty that I haven't experienced a virus since at least 1998.

Counterfit
Nov 20, 2003, 11:25 AM
Originally posted by gwuMACaddict
Nope. Never. Although... it is fun to get your friend's passwords and IP address and have a little ssh fun with the terminal once in a while... ;)

Hell yeah it is! :D I love ssh ;)

bousozoku
Nov 20, 2003, 11:37 AM
After 10 years, I've never had anything like that happen. I don't even have anti-virus software for Mac OS X. I imagine that I'll need it at some point, but that time is not now.

I just check to see that the firewall is properly configured and running.

Rower_CPU
Nov 20, 2003, 12:41 PM
Heh, after a Win2K server getting "t@gged" here at work yesterday, this is a relevant topic for me. ;)

We had one Mac server get used as an open SMTP relay for a bit. That's all.

PC/Linux servers have had several large compromises:
PCs: tagged twice
Linux: open FTP relay

Not to mention the lovely Blaster and Nachi outbreak in August all over campus. :rolleyes:

mklos
Nov 20, 2003, 12:58 PM
Someone please correct me if I'm wrong...but as far as I know there are NO...yes ZERO Mac OS X viruses/worms/trojan horses.

I have Norton Anti-Virus for Mac OS X and I rarely ever use it. I never remember to update my virus definitions, which isn't a problem because the file size of the definitions never changes, which tells me that they are never changed except for just changing the definitions date.

I'm telling PC people all the time that the Mac is the way to go. They are less prone to viruses, rarely break down, easy to use, and easy to use peripherals with. So while they may seem expensive at first, they will more than pay for themselves in the long run.

Dippo
Nov 20, 2003, 01:43 PM
I got my Windows XP machine hacked a couple of weeks ago, if that makes anyone feel any better.

They uploaded a virus and were trying to conduct DoS attacks :)

Java
Nov 20, 2003, 02:04 PM
Originally posted by mklos
Someone please correct me if I'm wrong...but as far as I know there are NO...yes ZERO Mac OS X viruses/worms/trojan horses.

I consider Microsoft Office vX a virus. But that is just my opinion.

I had someone steal my static IP address once, but I am not sure if that was computer specific.

revenuee
Nov 20, 2003, 02:47 PM
Originally posted by Java
I consider Microsoft Office vX a virus. But that is just my opinion.

I had someone steal my static IP address once, but I am not sure if that was computer specific.

A static IP address is not that big of a deal ... unless you've got all your ports open and have not set up any sort of firewall or password.

cb911
Nov 20, 2003, 03:04 PM
How easy would it be for someone to get access to your Mac? Like via SSH?

From some of the strange behavior I've been experiencing with the Finder, I'm beginning to think that someone might be messing around with me...

Also a couple of weeks ago, my little brother had a friend over and he brought his PC and tried to hack my Mac. And he was also connected from inside our router/firewall. But he said he couldn't get in or anything...

Makosuke
Nov 20, 2003, 03:07 PM
I've used OSX hooked to broadband at home since the day of its release, without special security precautions (I didn't even have the firewall on until recently, and I own no antivirus software) and I've never had anything untoward happen.

I also administer about a dozen Macs on a campus network, also without antivirus software (but, in the case of the OSX machines, with the firewall on), and they've also never been victim to any funny business.

I did, once, see a client's copy of Microsoft Word infected by a macro virus, though. It did no damage (couldn't on the Mac), but it did infect all his outgoing Word documents. That was about three years ago.

I see virus infected PCs all the time, on the other hand, and am happy to charge people plenty of money to purge them.

leet1
Nov 20, 2003, 03:11 PM
Originally posted by mklos
Someone please correct me if I'm wrong...but as far as I know there are NO...yes ZERO Mac OS X viruses/worms/trojan horses.

There are a few.

Rower_CPU
Nov 20, 2003, 03:14 PM
Originally posted by leet1
There are a few.

For OS X? Linkage.

[edit - According to http://www.sarc.com, there are no OS X specific viruses/trojans/worms. In fact, the only mention of "OS X" in their database is related to a kadmind buffer overflow issue that affected all *nixes, saying that OS X wasn't affected since they weren't using the daemon.

So much for that one.]

revenuee
Nov 20, 2003, 03:25 PM
Originally posted by cb911
How easy would it be for someone to get access to your Mac? Like via SSH?

From some of the strange behavior I've been experiencing with the Finder, I'm beginning to think that someone might be messing around with me...

Also a couple of weeks ago, my little brother had a friend over and he brought his PC and tried to hack my Mac. And he was also connected from inside our router/firewall. But he said he couldn't get in or anything...

Assuming the SSH port is open, relatively easy - it would be like opening the screen door to your house.
However, you still need to log in - if you have a user account on your computer that does not require a password, that's like leaving your front door unlocked.

If you don't open the SSH port, then it's like trying to break into your house through a brick wall...

If you're worried... use the Network Utility to run a PORT SCAN on LOCALHOST (127.0.0.1 - as you already know) and see what ports are open, then just go in and close them off ... I think 1033 and like 634 are open, but there are no known security issues associated with them that I have found yet...

cb911
Nov 20, 2003, 03:28 PM
Aren't there also keystroke loggers and other things that could cause weird behavior?

As for linkage... http://undergroundmac.com/viruses.html. That's not too hard to find; I'm sure a lot of people have seen that site already. But they're just scripts.

There's also this: http://freaky.staticusers.net/internet.shtml. Lots of hacking stuff there & also some more stuff that could mess with your compy.

http://freaky.staticusers.net/virus.shtml - apparently these are all live viruses. Use at your own risk. :rolleyes:

http://freaky.staticusers.net/macintosh.shtml - even more goodies. Keystroke loggers and password crackers. Oh woe is me. :rolleyes: :eek: :p

So let's say someone is fully into all that kind of stuff. How easy is it for them to access Panther and do nasty stuff?

leet1
Nov 20, 2003, 03:28 PM
Originally posted by Rower_CPU
For OS X? Linkage.

[edit - According to http://www.sarc.com, there are no OS X specific viruses/trojans/worms. In fact, the only mention of "OS X" in their database is related to a kadmind buffer overflow issue that affected all *nixes, saying that OS X wasn't affected since they weren't using the daemon.

So much for that one.]

Yup, just classic, had heard someone say that on here.

Rower_CPU
Nov 20, 2003, 03:34 PM
Originally posted by leet1
Yup, just classic, had heard someone say that on here.

So why did you say there were a few for OS X? :confused:

leet1
Nov 20, 2003, 03:38 PM
Originally posted by Rower_CPU
So why did you say there were a few for OS X? :confused:

Thought that's what they were talking about, but then saw the link ;)

revenuee
Nov 20, 2003, 03:40 PM
Originally posted by cb911
Aren't there also keystroke loggers and other things that could cause weird behavior?

As for linkage... http://undergroundmac.com/viruses.html. That's not too hard to find; I'm sure a lot of people have seen that site already. But they're just scripts.

There's also this: http://freaky.staticusers.net/internet.shtml. Lots of hacking stuff there & also some more stuff that could mess with your compy.

http://freaky.staticusers.net/virus.shtml - apparently these are all live viruses. Use at your own risk. :rolleyes:

http://freaky.staticusers.net/macintosh.shtml - even more goodies. Keystroke loggers and password crackers. Oh woe is me. :rolleyes: :eek: :p

So let's say someone is fully into all that kind of stuff. How easy is it for them to access Panther and do nasty stuff?

They are primarily stuff that affected OS 9.

Plus a key logger is useless if he can't get back into your computer to retrieve that logged file, i.e. through an open port. Assuming he lied to you, and did get your password file, and he cracked it to get at your passwords, he still can't get in if there are no ports open.

Assuming he has a trojan installed, that trojan needs to open a port in order for someone to get in; if you run a PORT SCAN you will know what port is open...

Now, as far as damage, well, it's like any other system: the majority of major tasks need to be done from the root user account.

Have you set this up? If you have, and have no real use for it, shut it down, and now he has no real way of damaging your system .... but first and foremost, close the ports and end the problem.

cb911
Nov 20, 2003, 04:14 PM
Yeah, I'm not too worried about all of those 'viruses' and stuff you can find on the net.

I just ran a port scan... I'm not going to say what ports I have open, ;) but what is netbios-ssn? Also some other descriptions it put to ports: ipp, netinfo-local, daap (which is used for iTunes sharing, right?) and newoak. So what do all of those mean? Anything there that looks out of place?

Also, Apple wouldn't use a vulnerable port for a service, would they? For example the iTunes sharing port has no vulnerabilities, right?

caveman_uk
Nov 20, 2003, 04:46 PM
netbios-ssn - something to do with Windows file sharing???
ipp - printer sharing (port 631)
netinfo-local - NetInfo is the central database of Mac OS X, though it isn't used for everything
daap - iTunes

All ports >1024 are equally 'vulnerable' - it just depends how vulnerable what's listening is.
IIRC the ports <1024 are special. Something to do with privileges...

bousozoku
Nov 20, 2003, 04:50 PM
Originally posted by cb911
Yeah, I'm not too worried about all of those 'viruses' and stuff you can find on the net.

I just ran a port scan... I'm not going to say what ports I have open, ;) but what is netbios-ssn? Also some other descriptions it put to ports: ipp, netinfo-local, daap (which is used for iTunes sharing, right?) and newoak. So what do all of those mean? Anything there that looks out of place?

Also, Apple wouldn't use a vulnerable port for a service, would they? For example the iTunes sharing port has no vulnerabilities, right?

netbios has to do with DOS/Windows networking. Remote logins default to 22 for ssh and 23 for telnet. iTunes is 3689. The Sharing preferences show these, as well as the Services within Netinfo Manager.

Generally, anything up through 1024 is a system port and from there through 65536 is an application port.

revenuee
Nov 20, 2003, 04:50 PM
Originally posted by cb911
Yeah, I'm not too worried about all of those 'viruses' and stuff you can find on the net.

I just ran a port scan... I'm not going to say what ports I have open, ;) but what is netbios-ssn? Also some other descriptions it put to ports: ipp, netinfo-local, daap (which is used for iTunes sharing, right?) and newoak. So what do all of those mean? Anything there that looks out of place?

Also, Apple wouldn't use a vulnerable port for a service, would they? For example the iTunes sharing port has no vulnerabilities, right?

Not off the top of my head... but this is what you wanna do:

open the Terminal

and type in "telnet"

when you see this

"telnet>"

type open 127.0.0.1 "port", i.e. open 127.0.0.1 34 (port is the port number you want to access)

so the full line would be

telnet> open 127.0.0.1 [port]

Then see what happens; if it opens the port ... type either "man", "help" or "?" to see if it recognizes commands

or try things like "login" and see what happens

or "HELO" and see if it responds.

Makosuke
Nov 20, 2003, 07:31 PM
Amusingly enough, I just got to spend a few hours cleaning and upgrading software on a Win2K box in my lab that was infected by a worm. The person who uses it had done an OS upgrade that I wasn't aware of, got back from vacation, turned on his computer, and an hour later I get a call from the campus network guy telling me one of the machines in my lab is going berserk. There's Windows for you.

Oh, and by the way, cb911, since the ports you named have standard port numbers associated with them, there's not much point in "hiding" which are open. But as caveman_uk said, it doesn't really matter which ports are open, just whether what is listening on that port is vulnerable or not. Apple's preinstalled services are pretty solid, and so long as you keep up with OSX security updates, I see no reason to believe they won't continue to be.

Westside guy
Nov 20, 2003, 07:45 PM
... I would think the same rules for security would apply.

- Don't run unnecessary services (that is, don't run a Web server and file sharing unless you've got a specific need to have those running).

- Turn your firewall on, and only open up the ports that need to be open (i.e. SSH, HTTP if you've got a Web server running)

- Don't make every account an "admin" (corollary: don't turn off the password for sudo)

- Pick good passwords

- Don't turn on auto-login (corollary: require the password to be typed for the screensaver and for wake-from-sleep)

- Patch quickly whenever updates are released

Mblazened
Nov 20, 2003, 07:45 PM
In the few years I've been repairing Macs, I've only seen 1 computer come in with a virus. It was called the Sevendust virus, and it seemed pretty harmless. This was in OS 9.

As a repairman, I'd expect to see my share of viruses, but like I said, I've only seen one so far...

yamabushi
Nov 20, 2003, 09:05 PM
I have seen two viruses on Macs: one in OS8.5 and the other in OS9.1. Both were relatively harmless. There were many vulnerabilities in the Mac OS before OSX. OS10.3 is fairly secure but there are a few vulnerabilities.

Peyote
Nov 21, 2003, 12:09 AM
How do you close open ports?

Westside guy
Nov 21, 2003, 12:44 AM
Originally posted by Peyote
How do you close open ports?

Turning the firewall on closes the ports. Most people don't need to manually open any of them anyway; plus OS X is pretty good about opening the ones it needs automatically when you turn on a service (if you turn on file sharing for example) - in this case you'll see certain items in the Firewall's "Allow" list checked off. Normally it'd only be under special circumstances that you'd have to worry about going through the ports list and figuring out which ones have to be open or closed.

In case it isn't clear: a "port" in networking-speak just means that some particular server-type program on a computer is ready and listening for connections from another computer. It's a way of determining what type of connection is to be made over an internet connection. Ports are assigned numbers, which as far as I know were just arbitrarily agreed upon by various standard-setting groups of people. 80 is the port number for Web (443 is the port for secure Web connections), 22 is SSH, etc etc etc. So if your computer is acting as a Web server you have to leave port 80 open, for example.

rainman::|:|
Nov 21, 2003, 12:53 AM
I got infected once... after years of using one antivirus software (SAM, back in the day) I had never heard a peep from it, so I deliberately infected it... it did catch it, so I was happy.

It was not easy for me to find a virus for the Mac; this was in ... what, System 6 days? 7? There were (and still are) only a few in existence... but they don't spread.

pnw

cb911
Nov 21, 2003, 01:48 AM
revenuee, thanks for that Terminal tip. :)

Would that also work if you just typed in a random IP? ;)

About which apps are listening on a port... so basically if it's a weak, vulnerable app that's using a particular port, that's easier to exploit?

So what exactly does netinfo-local do? What would happen if you disabled that port?

ITR 81
Nov 21, 2003, 05:44 AM
I just remember the screensaver hackathon that they did.
They had an XP Pro machine with all the patches on it and a Mac, I believe with 10.2.7 on it. They had no firewalls on the machines and gave out both IP addresses on the air. After 15 mins the XP box was hacked and blue-screening like mad! The Mac... had attacks on it but nothing happened; it just kept running. At the end the XP box had the blue screen of death on it and the Mac was fine... and they even went on to surf on it to show you it was A-OK!

Only folks with a Unix background who know a lot about OS X tend to be the only folks able to hack it, and that's if Apple doesn't patch the hole before it's exploited, which has never happened.

I've used OS X almost since it came out and I've never had a virus or got hacked. I can also say I've never heard of a Mac getting hacked from any of my friends that use them all the time.

I only have Norton because of MS Word macro viruses that can affect Word docs.

I recently got the PayPal worm email.
So what I did was I opened it up and looked at its code. Found out where it was sending all the CC #'s they are getting and I just mail bombed them with their own worm virus. I also noticed the worm only affects Win95 on up because at the top it said "This program does not work in DOS environment". So what I did was I went on a Windows site and posted the whole virus code and everyone said how did you get that. I said it's easy when you've got a Mac.
I told them if they were running DOS as their OS they wouldn't get infected.

If anyone is wondering, the worm sends folks' PayPal accounts, name and address, and CC# to 4 accounts in the Czech Republic.

revenuee
Nov 21, 2003, 06:19 AM
Originally posted by cb911
revenuee, thanks for that Terminal tip. :)

Would that also work if you just typed in a random IP? ;)

About which apps are listening on a port... so basically if it's a weak, vulnerable app that's using a particular port, that's easier to exploit?

So what exactly does netinfo-local do? What would happen if you disabled that port?

I myself haven't even begun to scratch the surface of understanding many aspects of exploits, but it is my understanding that certain ports run certain apps and daemons that, if correctly manipulated, can compromise a system - how to actually do this is still a mystery to me.

I know enough to log in, surf around, and open and read files - the very basics.

As far as what you ask about random IPs ... well, yes and no ... I don't fully understand networking and IP addressing, but what I do know is that there are just under 425 million possible combinations of IPs and not all of them are connected to the internet at the same time. Also not every IP will have the same services running and ports open, so you won't be able to have much fun there... some ports don't do anything, they don't respond to commands (none that I know), so even if you do connect, that doesn't mean you can do anything.

*Warning - accessing a computer you don't have permission to is illegal in most countries - so be careful*

You have to also consider why you are accessing that computer. For the sake of entering? For purposes of information? Or is it purely malicious?

Sysadmins aren't stupid ... there is a log file of people accessing a server, and the activity being done, so unless you really know what you're doing, you might unwittingly connect to a computer, do absolutely nothing, but if something does happen, you can be blamed for it.

<sarcastic rant>And nowadays computer crime is a bigger felony than murder</sarcastic rant>

Now that we've covered why you might want to avoid using random IPs ...
here is what you can do ... if you have a second computer at home, snag its IP address, port scan it, and see what you can do with the ports that are open.

And as far as what netinfo-local does ... you got me... I've been trying to figure it out too...

:D :) have fun

Counterfit
Nov 21, 2003, 10:01 AM
Originally posted by revenuee
I myself haven't even begun to scratch the surface of understanding many aspects of exploits, but it is my understanding that certain ports run certain apps and daemons that, if correctly manipulated, can compromise a system - how to actually do this is still a mystery to me.

I think that's the way it works. Remember the ssh bug/hole that had a slight hand in the 10.2.8 mess? It was patched quickly, but it took Apple a little bit longer to distribute.

cb911
Nov 22, 2003, 03:38 AM
Well, there's a lot of numbers in an IP... you never know, you might make a small mistake once in a while... ;)

I'm probably just going to set up a PC here so I can have some fun with it. He he. :D

So I'm guessing that since netinfo-local is a system thingy it's best not to mess with it...

revenuee
Nov 22, 2003, 02:43 PM
Originally posted by cb911
Well, there's a lot of numbers in an IP... you never know, you might make a small mistake once in a while... ;)

I'm probably just going to set up a PC here so I can have some fun with it. He he. :D

So I'm guessing that since netinfo-local is a system thingy it's best not to mess with it...

That's one solution, and quite frankly a good one; I've been playing around with one here at home myself (my parents'... LOL).

Your other solution is to load the PC with some version of Linux, and if you can afford to not use the computer for anything else than running attacks on it, even if you do end up screwing something up, you can just format it and then try again...

Hmm, which gives me an idea... I have an OLD 486 sitting in the basement that I think I might want to play around with...

But it doesn't have a CD-ROM or an Ethernet card .... anybody know where I can get these cheap? ... it's an old computer, so I don't really care to spend an inordinate amount of money here... LOL

leet1
Nov 22, 2003, 02:46 PM
An Ethernet card is like $10 at Fry's or your local electronics store. You can pick up a CD-ROM for 25 or so.

revenuee
Nov 22, 2003, 02:58 PM
Originally posted by leet1
An Ethernet card is like $10 at Fry's or your local electronics store. You can pick up a CD-ROM for 25 or so.

Nice ... looks like I can pull this project off for less than $50.

matthew24
Nov 22, 2003, 03:47 PM
Does anyone have a reference of port numbers and their specific function?

revenuee
Nov 22, 2003, 03:57 PM
If you're on a *nix machine (that includes OS X):

open the Terminal

you will see something like this

[*yourhostname1*:~] *yourusername*%>

type cd .. and hit return

you should then see

[*yourhostname1*:/Users] *yourusername*%>

type cd .. and hit return (again)

and you should see

[*yourhostname1*:/] *yourusername*%>

now type open /etc/services

That will open a text file that will give you all the port references that common services run on.
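A scripted version of the two checks revenuee describes in this thread (port-scanning localhost with telnet to see what answers, and looking port numbers up in /etc/services), as an added example that is not from any poster here: it parses an /etc/services-style table, probes a list of TCP ports on 127.0.0.1, records any banner the listener sends, and flags ports below 1024 as privileged (the point caveman_uk raised). The services excerpt and the throwaway listener used for the self-test are constructed for this example; it assumes only the Python standard library.

```python
import socket
import threading

# Constructed excerpt in /etc/services format (not a full system file).
SERVICES_SAMPLE = """\
# Network services, Internet style
ssh             22/tcp     # SSH Remote Login Protocol
ssh             22/udp
smtp            25/tcp     mail
netbios-ssn     139/tcp
ipp             631/tcp    # IPP (Internet Printing Protocol)
netinfo-local   1033/tcp   # local netinfo port
daap            3689/tcp   # Digital Audio Access Protocol (iTunes sharing)
"""

def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank line or malformed entry
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table[(int(port), proto.lower())] = fields[0]
    return table

def probe_port(host, port, timeout=0.5):
    """Return (is_open, banner); banner is '' if the service sends nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # open, but it waits for the client to speak first
            return True, banner
    except OSError:
        return False, ""  # refused, unreachable or timed out

def audit(host, ports, services):
    """Probe each port; report open ones with name, privilege flag and banner."""
    findings = []
    for port in ports:
        is_open, banner = probe_port(host, port)
        if is_open:
            findings.append({
                "port": port,
                "service": services.get((port, "tcp"), "unknown"),
                "privileged": port < 1024,  # binding these needs root on Unix
                "banner": banner,
            })
    return findings

def start_fake_service(banner):
    """Constructed listener on an ephemeral 127.0.0.1 port for a self-test."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(banner)
            except OSError:
                return  # listener closed (or client went away)
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_fake_service(b"220 mail.example.test SMTP ready\r\n")
    ports = [22, 25, 631, srv.getsockname()[1]]
    print(audit("127.0.0.1", ports, parse_services(SERVICES_SAMPLE)))
    srv.close()
```

Against a real machine you would pass the port list from `/etc/services` (or a range) and read the real file instead of the constructed excerpt; a listed port that shows as open but has no matching service line is the one worth investigating.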

yamabushi
Nov 23, 2003, 07:49 AM
You can do a simple port scan of your home computer and a few other security checks at the Symantec web site. http://security.symantec.com/ssc/ Click on "Scan for Security Risks". Unauthorised port scans are a no-no so don't try this on a corporate network without permission from your network administrator.

visor
Nov 23, 2003, 08:57 AM
Just look at the Linux security bulletins, e.g. openssl is always a good way to get into a system. The only reason that Macs are usually spared from hackers and net worms is that most worms work only on specific platforms (e.g. Linux Slapper, which introduced itself to me last year on a Linux box) - the only reason is that OSX Servers that serve internet services are very rarely seen, and no one really cares to try them.

So, if you know an Xserve that serves as Web browser with openssl, you may want to check if it has been patched already, or if you can do something nasty with a Linux exploit.