Mac Hacked - Remote Vulnerability?

Discussion in 'Mac Pro' started by Sunrunner, Mar 13, 2006.

  1. Sunrunner macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #1
    I was surprised this morning (not the good kind of surprise mind you) with some rather malicious-looking computer activity on my system…

    I woke up to see that my computer, a PowerMac G5 Dual-Proc 2.7 Ghz, was apparently accessed remotely via a foreign host last night. Azureus and Firefox had been downloaded and were open. Additionally, about half a dozen torrent files had been downloaded to the desktop (Grey's Anatomy, Cold Case Files, Bum Fights). Some of these torrent files had apparently been started. Additionally, the website www.torrentleech.org had been opened, showing that a user by the name of “power3” was logged in. A Firefox window was opened with three tabs that appeared to be the submission of torrent files for seeding. Alarmed for obvious reasons, I opened the console and network utility to see what was what.

    First though, a bit about my particular network environment--I connect to the Internet via a Cox Communications cable Internet connection (which I recently upgraded to the premium-speed service). I use an Airport as my network router, with a Netgear 10/100/1000 Hub in between that and my computers. This computer specifically operates with two network connections operational: Airport and Ethernet. It normally connects through the Ethernet connection, as it is the faster of the two. This computer is set up as a DMZ, but also has the firewall enabled with only a few selected ports opened.

    A quick check of things (had to get to work) showed that starting on 3/11 OSXvnc had been started up remotely, and run on at least three different occasions over the weekend. The remote IP that did the connecting on all three occasions was the same, and a ping and Traceroute showed that this IP was located (after a healthy 16 jumps via Traceroute) in Brazil. Now, I certainly don’t know anyone in Brazil, let alone give out access to my computer. It seems to me that to do all of these things, someone would have had to get into my computer without authorization and get OSXvnc to start up at the very least. It also appears that they turned off my firewall and somehow operated under my user ID… Definitely concerned, as such an action would seemingly allow a user to do a whole lot more than just download torrent files…

    Now here is the best part (or worst, depending on your viewpoint): I called Apple Tech Support, and they recommended I send an email to Apple Security. So that’s what I did. Apple Security then sends a cut-and-paste email response back to me suggesting that if I wanted support to contact Apple Tech Support. So, I called them again and managed to get elevated to a level II “Product Specialist”. At this point the “specialist” tells me that unless I have information on the specific method and vulnerability used to gain access into my system, it’s not their problem. He further specified that Apple had no interest in the matter unless that was the case, and to contact my local Internet provider. My jaw dropped at that point to say the least… VERY disappointed with Apple about this one. Here I was all ready to pore over log files and access files and track down the vulnerability with them, and they APPARENTLY have no interest.

    Well, at least we know there IS a remote vulnerability for Mac OS X out there. Anybody got any ideas on next steps?
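The log check described in this post (when did OSXvnc accept a client, from which remote address, and how many times), as an added example that is not part of the original post. The system.log excerpt is constructed, the OSXvnc message wording is an assumption, and the documentation address 192.0.2.77 stands in for the unnamed Brazilian IP.

```python
# Added example, not from the original post: the log triage the original poster
# did by hand, run over a CONSTRUCTED syslog-style system.log excerpt. The
# OSXvnc message wording and the remote address 192.0.2.77 are assumptions.
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 11 01:02:13 powermac OSXvnc[812]: Started Server on port 5900
Mar 11 01:02:40 powermac OSXvnc[812]: Client connected from 192.0.2.77
Mar 12 00:41:09 powermac OSXvnc[903]: Started Server on port 5900
Mar 12 00:41:30 powermac OSXvnc[903]: Client connected from 192.0.2.77
Mar 12 22:05:31 powermac OSXvnc[1140]: Client connected from 10.0.1.5
Mar 13 00:31:05 powermac OSXvnc[1208]: Client connected from 192.0.2.77
"""

# "Mon DD HH:MM:SS host proc[pid]: message", the Mac OS X 10.4 syslog shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"Client connected from (?P<ip>[\d.]+)")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def vnc_sessions(log_text, year=2006):
    """Map each remote address to the times an OSXvnc client connected from it."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "OSXvnc":
            continue
        c = CONNECT_RE.search(m.group("msg"))
        if c:  # syslog omits the year, so supply it to get a real datetime
            when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            sessions[c.group("ip")].append(when)
    return dict(sessions)

def suspicious_peers(sessions, min_sessions=2):
    """Addresses outside RFC 1918 space with repeated sessions: (ip, count, first, last)."""
    flagged = []
    for ip, times in sessions.items():
        if any(ipaddress.ip_address(ip) in net for net in LAN_NETS):
            continue  # the poster's own LAN clients are expected
        if len(times) >= min_sessions:
            flagged.append((ip, len(times), min(times), max(times)))
    return sorted(flagged)

if __name__ == "__main__":
    for ip, n, first, last in suspicious_peers(vnc_sessions(SAMPLE_LOG)):
        print(f"{ip}: {n} VNC sessions between {first} and {last}")
```

Pointing `SAMPLE_LOG` at the real /var/log/system.log gives the same per-address timeline the poster reconstructed; a single external address with several sessions is the signal worth keeping for the ISP report.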
     
  2. jsw Moderator emeritus

    jsw

    Joined:
    Mar 16, 2004
    Location:
    Andover, MA
    #2
    Man, that does not sound good.

    Some questions:

    (1) I assume you installed OSXvnc... can you uninstall it or at least move it out of the Applications folder?

    (2) Any chance of buying a cheap (~US$60) router and using it as the firewall? Do you need to use the Mac as a DMZ?

    (3) Is your main account (a) an admin? (b) set up to automatically log in?

    (4) Has anyone else had physical access to your Mac (as far as you're aware)?
     
  3. Sunrunner thread starter macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #3
    1 - It's actually in the Utilities folder... but to get to the point, I don't see how moving it or uninstalling it would be a problem. As a side note, OSXvnc is installed, but I haven't started it up in nearly a year.

    2 - The Airport is the router in this setup. Yes, I need it as a DMZ... that's why I turned on the computer's firewall.

    3 - Yes, it's an admin account, and no, it does not auto log-in.

    4 - I am 100% certain nobody else has physical access to this computer.
     
  4. gauchogolfer macrumors 603

    gauchogolfer

    Joined:
    Jan 28, 2005
    Location:
    American Riviera
    #4
    Could this be related in any way to the vulnerability reported here? This appears to be an overflow problem with iTunes and QuickTime. I'll be sure to stay posted on this topic.
     
  5. Sunrunner thread starter macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #5
    No way to tell for sure, that article is less than forthcoming on technical details...
     
  6. gauchogolfer macrumors 603

    gauchogolfer

    Joined:
    Jan 28, 2005
    Location:
    American Riviera
    #6
    Yeah, I noticed that as well. It's just that it was recently reported, as was your remote vulnerability. They're not necessarily related, but it went through my mind. I am a bit disappointed in how Apple's reportedly handled the situation, that's for sure. Keeping one's head in the sand is no way to address potential security issues.
     
  7. NeuronBasher macrumors regular

    Joined:
    Jan 17, 2006
    #7
    Are you absolutely certain that OSXvnc wasn't already running the first time your system was remotely accessed? It seems to be the most likely attack vector. I suppose it's also possible that you have been the victim of a Trojan that enabled OSXvnc and sent your IP address to the attacker for later use.

    My recommendation to anyone that is compromised is always the same: Back up the system and do a complete wipe and reinstall from Apple media, preferably with the computer disconnected from the internet. Only copy files back to the system after you have inspected them for any signs of tampering.
     
  8. Voidness macrumors 6502a

    Voidness

    Joined:
    Aug 2, 2005
    Location:
    Null
    #8
    Wow, I've never seen a Windows PC hacked to this extent, let alone a Mac.

    I'm really clueless about this issue. But it really seems serious.
     
  9. Sunrunner thread starter macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #9

    Like I said, I haven't used OSXvnc (or had it start up) in almost a year; that was a few OS updates ago as well. The log also indicates that this activity is the first time it has run since that time...
     
  10. andiwm2003 macrumors 601

    andiwm2003

    Joined:
    Mar 29, 2004
    Location:
    Boston, MA
    #10
    at that point it is likely that someone has your password and/or physical access to your computer. if a mac can be hacked remotely we will hear a lot more of this very soon.

    multiple personality disorder is the only other explanation i could come up with. ;)
     
  11. Sunrunner thread starter macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #11
    Well, it's definitely not physical access or having given out the password. I'll let you know what the docs say about the multiple personalities... :rolleyes:
     
  12. andiwm2003 macrumors 601

    andiwm2003

    Joined:
    Mar 29, 2004
    Location:
    Boston, MA
    #12
    is it possible to leave the machine as it is and monitor it? maybe you can see how they start vnc?
     
  13. Daedalus256 macrumors 6502

    Joined:
    Nov 7, 2005
    Location:
    Pittsburgh, PA
    #13
    Just a thought, but since you're using an airport for internet access I thought I'd ask.

    Is it WEP encrypted/are you using wifi to connect to it? Wireless access is typically VERY vulnerable to everyone around. I know I've caught people using my wifi without permission and it's pretty simple to get into one's computer and for lack of a better expression...
     
  14. portent macrumors 6502a

    Joined:
    Feb 17, 2004
    #14
    What about the obvious?

    You didn't mention anything about SSH/Remote Login. Is it enabled now? Have you ever enabled it, and for how long?
     
  15. Sunrunner thread starter macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #15
    The airport IS active for wireless connections, but the configuration is set up so that the network is WEP encrypted. That doesn't appear to be the issue though regardless (unless someone in Brazil has a VERY high-gain antenna).
     
  16. Sunrunner thread starter macrumors 6502a

    Sunrunner

    Joined:
    Nov 27, 2003
    #16
    That service is not enabled, nor did I enable it anytime recently.
     
  17. spacehog371 macrumors regular

    Joined:
    Dec 13, 2003
    #17
    I highly doubt an experienced hacker would allow you to track his IP back to where it actually came from. More likely he was using a proxy or something.
     
  18. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #18
    OS current?

    Which ports and why? What software are you running on those ports?

    Is your password very secure?

    Leaving a port unblocked invites people to try to hack - quick port scans and a google for software vulnerabilities are an easy way into a target system. That said, you sound like an advanced user, so I assume you were current with everything. I'm stumped...

    Where's yellow when you need him?
     
  19. briangig macrumors regular

    Joined:
    May 16, 2005
    #19
    is your system password also your password for anything else?

    this is very odd, I don't see how someone would have remote access to your system if VNC/SSH/Remote Login aren't enabled or running.

    I would leave your computer running and wait for this person to come back...but I'm a bit weird like that. I'd recommend disconnecting from the net, backing up what you need and reinstalling.

    And don't use WEP.
     
  20. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #20
    Wow, that is a very strange story. :( I'm sorry for your being hacked. If we can help you figure out details of the story, let us help. :)

    If I understand what you're saying about the wired/wireless connections correctly, the wired connection goes straight to the hub, and bypasses the Airport, right? That means that the Airport intranet IP address should be missing from the traced route, if the hacker got in over wires, and present if the hacker got in over the air. Is this correct, or do I not quite understand the situation?

    I'm not sure if there's an easy way to check the logs of an Airport base station to see what MAC addresses have *previously* been logged into it. :(

    I would ditto though, that you should switch from WEP to WPA2 if you can.
     
  21. spacehog371 macrumors regular

    Joined:
    Dec 13, 2003
  22. miniConvert macrumors 68040

    miniConvert

    Joined:
    Mar 4, 2006
    Location:
    Kent, UK - the 'Garden of England'.
    #22
    If it was an experienced hacker they wouldn't have left logs.
     
  23. gekko513 macrumors 603

    gekko513

    Joined:
    Oct 16, 2003
    #23
    We can only hope that they got in without a remote exploit. One possibility is that someone made a trojan using the Safari download vulnerability and that you happened to surf across it before the hole was patched.
     
  24. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #24
    "Stealth mode" in firewalls is kind of dubious. All it really does is advertise that a firewall is running.
     
  25. Chaszmyr macrumors 601

    Chaszmyr

    Joined:
    Aug 9, 2002
    #25
    It seems highly unlikely one could legitimately hack a machine to this extent using a vulnerability not yet warned about by Apple and/or security companies. It seems more likely to me that someone somehow acquired your admin password.
     