What just Happened?

Discussion in 'macOS' started by Fearless Leader, Jan 22, 2007.

  1. Fearless Leader macrumors 68020

    Joined:
    Mar 21, 2006
    Location:
    Hoosiertown
    #1
I came home to my Mac today and found a Terminal window open and a Safari window. Asked my family if they had used my Mac and they had not. The Safari window was a Yahoo search for some .exe file. And in the Terminal window it appears someone got in. Ruby commands were run, passwords changed. It's currently unplugged from the net.

    Code:
    Last login: Thu Jan 18 19:10:02 on ttyp1
    Welcome to Darwin!
    PowerMacServer:~ tmartin$ id
    uid=501(tmartin) gid=501(tmartin) groups=501(tmartin), 81(appserveradm), 79(appserverusr), 80(admin)
    PowerMacServer:~ tmartin$ uname -a
    Darwin PowerMacServer.thestupidmonkey.com 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep  8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ cat /etc/issue.net
    cat: /etc/issue.net: No such file or directory
    PowerMacServer:~ tmartin$ set
    BASH=/bin/bash
    BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="powerpc-apple-darwin8.0")
    BASH_VERSION='2.05b.0(1)-release'
    COLUMNS=80
    DIRSTACK=()
    EUID=501
    GROUPS=()
    HISTFILE=/Users/tmartin/.bash_history
    HISTFILESIZE=500
    HISTSIZE=500
    HOME=/Users/tmartin
    HOSTNAME=PowerMacServer.thestupidmonkey.com
    HOSTTYPE=powerpc
    IFS=$' \t\n'
    LINES=24
    LOGNAME=tmartin
    MACHTYPE=powerpc-apple-darwin8.0
    MAILCHECK=60
    OPTERR=1
    OPTIND=1
    OSTYPE=darwin8.0
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    PIPESTATUS=([0]="1")
    PPID=6859
    PS1='\h:\w \u\$ '
    PS2='> '
    PS4='+ '
    PWD=/Users/tmartin
    SECURITYSESSIONID=4190c0
    SHELL=/bin/bash
    SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
    SHLVL=1
    TERM=xterm-color
    TERM_PROGRAM=Apple_Terminal
    TERM_PROGRAM_VERSION=133
    UID=501
    USER=tmartin
    _=/etc/issue.net
    __CF_USER_TEXT_ENCODING=0x1F5:0:0
    PowerMacServer:~ tmartin$ gcc
    -bash: gcc: command not found
    PowerMacServer:~ tmartin$ perl
    ^C
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ cat /etc/passwd
    ##
    # User Database
    # 
    # Note that this file is consulted when the system is running in single-user
    # mode.  At other times this information is handled by one or more of:
    # lookupd DirectoryServices  
    # By default, lookupd gets information from NetInfo, so this file will 
    # not be consulted unless you have changed lookupd's configuration.
    # This file is used while in single user mode.
    #
    # To use this file for normal authentication, you may enable it with
    # /Applications/Utilities/Directory Access.
    ##
    nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
    postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
    www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
    eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
    mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
    sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
    qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
    cyrusimap:*:77:6:Cyrus IMAP User:/var/imap:/usr/bin/false
    mailman:*:78:78:Mailman user:/var/empty:/usr/bin/false
    appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
    clamav:*:82:82:Clamav User:/var/virusmails:/bin/tcsh
    amavisd:*:83:83:Amavisd User:/var/virusmails:/bin/tcsh
    jabber:*:84:84:Jabber User:/var/empty:/usr/bin/false
    xgridcontroller:*:85:85:Xgrid Controller:/var/xgrid/controller:/usr/bin/false
    xgridagent:*:86:86:Xgrid Agent:/var/xgrid/agent:/usr/bin/false
    appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false
    windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false
    tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false
    securityagent:*:92:92:SecurityAgent:/var/empty:/usr/bin/false
    unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
    PowerMacServer:~ tmartin$ id
    uid=501(tmartin) gid=501(tmartin) groups=501(tmartin), 81(appserveradm), 79(appserverusr), 80(admin)
    PowerMacServer:~ tmartin$ adduser
    -bash: adduser: command not found
    PowerMacServer:~ tmartin$ useradd
    -bash: useradd: command not found
    PowerMacServer:~ tmartin$ passwd mailman
    Changing password for mailman.
    password for tmartin:
    New password:
    Retype new password:
    Sorry
    PowerMacServer:~ tmartin$ passwd mailman
    Changing password for mailman.
    password for tmartin:
    New password:
    
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ 
    PowerMacServer:~ tmartin$ ls -al /usr/bin/ruby
    -rwxr-xr-x   1 root  wheel  13812 Apr 18  2006 /usr/bin/ruby
    PowerMacServer:~ tmartin$ cd /etc
    PowerMacServer:/etc tmartin$ ls
    6to4.conf                       named.conf
    AFP.conf                        nanorc
    IPAliases.conf.default          nat
    MailServicesOther.plist         networks
    X11                             notify.conf
    afpovertcp.cfg                  ntp.conf
    aliases                         openldap
    aliases.db                      pam.d
    amavisd.conf                    passwd
    amavisd.conf.personal           pear.conf
    authorization                   periodic
    authorization.cac               php.ini.default
    bashrc                          postfix
    certificates                    ppp
    clamav.conf                     printcap
    crontab                         profile
    csh.cshrc                       protocols
    csh.login                       racoon
    csh.logout                      rc
    cups                            rc.common
    cyrus.conf                      rc.netboot
    cyrus.conf.default              rc.shutdown
    daily                           resolv.conf
    defaults                        rmtab
    diskspacemonitor                rndc.key
    dumpdates                       rpc
    efax.rc                         rtadvd.conf
    find.codes                      servermgrd
    fonts                           services
    freshclam.conf                  shells
    fstab.hd                        shells.personal
    ftpusers                        slpsa.conf
    gettytab                        smb.conf
    group                           smb.conf.template
    hostconfig                      snmpd.conf
    hostconfig.personal             spam
    hosts                           squirrelmail
    hosts.equiv                     ssh_config
    hosts.lpd                       ssh_host_dsa_key
    httpd                           ssh_host_dsa_key.pub
    hwmond.SMART                    ssh_host_key
    imapd.conf                      ssh_host_key.pub
    imapd.conf.default              ssh_host_rsa_key
    imapd.conf.personal             ssh_host_rsa_key.pub
    inetd.conf                      sshd_config
    ipfilter                        sshd_config.bak
    jabber                          sshd_config.personal
    kcpassword                      sudoers
    kern_loader.conf                swupd
    krb5.keytab                     sysctl-macosxserver.conf
    localtime                       syslog.conf
    mach_init.d                     systemserialnumbers
    mach_init_per_user.d            ttys
    mail                            webperfcache
    mail.rc                         weekly
    master.passwd                   xgrid
    memberd.conf                    xinetd.conf
    moduli                          xinetd.d
    monthly                         xinetd.d-migrated2launchd
    motd                            xtab
    mysqlManager.plist.default
    PowerMacServer:/etc tmartin$ cat proc/version
    cat: proc/version: No such file or directory
    PowerMacServer:/etc tmartin$ cat /proc/version
    cat: /proc/version: No such file or directory
    PowerMacServer:/etc tmartin$ uname 
    Darwin
    PowerMacServer:/etc tmartin$ uname  -a
    Darwin PowerMacServer.thestupidmonkey.com 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep  8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc
    PowerMacServer:/etc tmartin$ wget
    -bash: wget: command not found
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ lynx
    -bash: lynx: command not found
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ curl
    curl: try 'curl --help' or 'curl --manual' for more information
    PowerMacServer:/etc tmartin$ kedit
    -bash: kedit: command not found
    PowerMacServer:/etc tmartin$ vim
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ 
    PowerMacServer:/etc tmartin$ vi ss.txt
    PowerMacServer:/etc tmartin$ pwd
    /etc
    PowerMacServer:/etc tmartin$ cd /home
    -bash: cd: /home: No such file or directory
    PowerMacServer:/etc tmartin$ ls
    6to4.conf                       named.conf
    AFP.conf                        nanorc
    IPAliases.conf.default          nat
    MailServicesOther.plist         networks
    X11                             notify.conf
    afpovertcp.cfg                  ntp.conf
    aliases                         openldap
    aliases.db                      pam.d
    amavisd.conf                    passwd
    amavisd.conf.personal           pear.conf
    authorization                   periodic
    authorization.cac               php.ini.default
    bashrc                          postfix
    certificates                    ppp
    clamav.conf                     printcap
    crontab                         profile
    csh.cshrc                       protocols
    csh.login                       racoon
    csh.logout                      rc
    cups                            rc.common
    cyrus.conf                      rc.netboot
    cyrus.conf.default              rc.shutdown
    daily                           resolv.conf
    defaults                        rmtab
    diskspacemonitor                rndc.key
    dumpdates                       rpc
    efax.rc                         rtadvd.conf
    find.codes                      servermgrd
    fonts                           services
    freshclam.conf                  shells
    fstab.hd                        shells.personal
    ftpusers                        slpsa.conf
    gettytab                        smb.conf
    group                           smb.conf.template
    hostconfig                      snmpd.conf
    hostconfig.personal             spam
    hosts                           squirrelmail
    hosts.equiv                     ssh_config
    hosts.lpd                       ssh_host_dsa_key
    httpd                           ssh_host_dsa_key.pub
    hwmond.SMART                    ssh_host_key
    imapd.conf                      ssh_host_key.pub
    imapd.conf.default              ssh_host_rsa_key
    imapd.conf.personal             ssh_host_rsa_key.pub
    inetd.conf                      sshd_config
    ipfilter                        sshd_config.bak
    jabber                          sshd_config.personal
    kcpassword                      sudoers
    kern_loader.conf                swupd
    krb5.keytab                     sysctl-macosxserver.conf
    localtime                       syslog.conf
    mach_init.d                     systemserialnumbers
    mach_init_per_user.d            ttys
    mail                            webperfcache
    mail.rc                         weekly
    master.passwd                   xgrid
    memberd.conf                    xinetd.conf
    moduli                          xinetd.d
    monthly                         xinetd.d-migrated2launchd
    motd                            xtab
    mysqlManager.plist.default
    PowerMacServer:/etc tmartin$ cd /
    PowerMacServer:/ tmartin$ ls
    Applications    Network         automount       flash           private
    Desktop DB      Shared Items    bin             mach            sbin
    Desktop DF      System          cores           mach.sym        tmp
    Groups          Users           dev             mach_kernel     usr
    Library         Volumes         etc             opt             var
    PowerMacServer:/ tmartin$ cd /tmp
    PowerMacServer:/tmp tmartin$ ls
    hsperfdata_appserver    objc_sharing_ppc_79
    objc_sharing_ppc_501    objc_sharing_ppc_92
    PowerMacServer:/tmp tmartin$ vi root.rb
    PowerMacServer:/tmp tmartin$ ruby root.rb
    ++ Starting: /Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
    ++ Back-up:  /tmp/pmTool
    ++ Compiling a shell wrapper at /tmp/o...
    sh: line 1: gcc: command not found
    ++ Placing backdoor...
    /usr/lib/ruby/1.8/fileutils.rb:525:in `stat': No such file or directory - /tmp/o (Errno::ENOENT)
            from /usr/lib/ruby/1.8/fileutils.rb:525:in `stat'
            from /usr/lib/ruby/1.8/fileutils.rb:511:in `preserve'
            from /usr/lib/ruby/1.8/fileutils.rb:455:in `copy_entry'
            from /usr/lib/ruby/1.8/fileutils.rb:416:in `copy_entry'
            from /usr/lib/ruby/1.8/fileutils.rb:584:in `mv'
            from /usr/lib/ruby/1.8/fileutils.rb:572:in `fu_each_src_dest'
            from /usr/lib/ruby/1.8/fileutils.rb:845:in `fu_each_src_dest0'
            from /usr/lib/ruby/1.8/fileutils.rb:845:in `fu_each_src_dest'
            from /usr/lib/ruby/1.8/fileutils.rb:572:in `mv'
            from root.rb:65
    PowerMacServer:/tmp tmartin$ gcc
    -bash: gcc: command not found
    PowerMacServer:/tmp tmartin$ firefox
    -bash: firefox: command not found
    PowerMacServer:/tmp tmartin$ 
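Read as a defender, the session above is a recognisable sequence: host reconnaissance (`id`, `uname -a`, `set`, `cat /etc/passwd`, probing for Linux-only paths), an attempt to change a service account's password, checks for download tooling, and finally a script staged in /tmp and run. The script below is an added example, not part of the original post or of any tool mentioned in the thread: it triages a shell history file for that pattern so the history of a suspect account can be reviewed before the machine is wiped. The watch patterns and the sample history are assumptions constructed from the quoted commands; they are a starting point, not a complete ruleset.

```shell
#!/bin/sh
# Added example, not part of the original thread: triage a shell history file for
# the reconnaissance -> account change -> staging pattern visible in post #1.
# Watch patterns and the sample history are assumptions modelled on the quoted
# session; tune them for your own environment.

# Constructed sample history (not the real ~/.bash_history from the thread).
sample_history() {
    cat <<'EOF'
id
uname -a
cat /etc/issue.net
set
cat /etc/passwd
adduser
passwd mailman
ls -al /usr/bin/ruby
cat /proc/version
wget
curl
vi /tmp/root.rb
ruby root.rb
gcc
EOF
}

# Print "category<TAB>command" for every history line matching a watch pattern.
flag_history() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    while IFS= read -r line; do
        case "$line" in
            id|set|"uname -a"*|"cat /etc/passwd"*|"cat /proc/version"*|"cat /etc/issue"*)
                printf 'recon\t%s\n' "$line" ;;
            "passwd "*|adduser*|useradd*)
                printf 'account\t%s\n' "$line" ;;
            wget*|curl*|lynx*)
                printf 'fetch\t%s\n' "$line" ;;
            "ruby "*|gcc*|*"/tmp/"*)
                printf 'staging\t%s\n' "$line" ;;
        esac
    done < "$1"
}

# True (0) if the newline-separated category list in $1 contains $2.
has_category() { printf '%s\n' "$1" | grep -q "^$2\$"; }

# Verdict: SUSPICIOUS when reconnaissance appears together with account changes
# or staging in the same history, otherwise low. Returns 0 only if suspicious.
history_verdict() {
    cats=$(flag_history "$1" | cut -f1 | sort -u)
    hits=$(flag_history "$1" | wc -l | tr -d ' ')
    summary=$(printf '%s' "$cats" | tr '\n' ' ')
    if has_category "$cats" recon && { has_category "$cats" account || has_category "$cats" staging; }; then
        printf 'SUSPICIOUS: %s flagged lines (%s)\n' "$hits" "$summary"
        return 0
    fi
    printf 'low: %s flagged lines (%s)\n' "$hits" "$summary"
    return 1
}

# Stand-alone demo over the constructed sample.
demo() {
    f=$(mktemp)
    sample_history > "$f"
    flag_history "$f"
    history_verdict "$f"
    rm -f "$f"
}
demo
```

On a real incident, point `flag_history` at the suspect account's history file (the session above shows it at `/Users/tmartin/.bash_history`) after copying it somewhere safe; the flagged lines give you the timeline to compare against login records, and the verdict is only a prioritisation hint.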
     
  2. semaja2 macrumors 6502a

    Joined:
    Dec 12, 2005
    Location:
    Adelaide
    #2
If it was a hacker, how did they get control of your desktop? I mean, SSH is one thing, but the desktop?

    What services do you have enabled?

PS. Seems whoever was doing it was not very smart, as he must have thought he was root :p That's why none of the commands worked for him, I believe.

PPS. If you have not restarted yet, GRAB THAT TMP FILE. That tmp file will help reveal what he was trying to do in the last step, so just open Finder to /tmp and grab the root.rb file.
     
  3. mduser63 macrumors 68040

    Joined:
    Nov 9, 2004
    Location:
    Salt Lake City, UT
    #3
    Assuming you're not trying to fake us out, it does look like somebody tried to hack your machine. It looks to me like they thought/assumed OS X is just the same as a Linux machine as they were trying a bunch of commands/looking for paths that are common on Linux but not OS X. Do you have Remote Desktop on? He apparently had access to the GUI (SSH access wouldn't have resulted in an open Terminal.app window).
     
  4. mkrishnan Moderator emeritus

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #4
    It seems much more likely that someone is lying to you and used the computer from inside your home than over the internet.

    Do you mean that you unplugged the computer from the internet *after* you found this? Certainly it didn't happen over the net if it wasn't on the net to begin with. ;) What kind of network configuration do you have? If you have a router and you haven't opened ports from the outside world to that Mac, you can pretty much rule out an external hacker also.
     
  5. killmoms macrumors 68040

    Joined:
    Jun 23, 2003
    Location:
    Washington, DC
    #5
    Plus, unless you have the Remote Desktop VNC server on and available to the outside world (or some other VNC server) with an insecure password, he wouldn't have been able to interact w/ the desktop. I'd say this is an inside job.
     
  6. oceanmonster macrumors regular

    Joined:
    Jan 15, 2007
    #6
Is your OS X firewall on? You turn it on in the Sharing pane of System Prefs.
     
  7. Fearless Leader thread starter macrumors 68020

    Joined:
    Mar 21, 2006
    Location:
    Hoosiertown
    #7
Well, it is a server. I just have DNS, Web occasionally, AFP, and Open Directory as my only services. No guest access. I had my VNC off at the time, I think, because I remember working directly on the system and would have turned it off. Is that tmp file deleted after reboot? Because I did and can't find it. I'll try Data Rescue. I'm sure no one did this who had physical access to the machine. I'm the only one in my family who knows anything about Macs. They just wouldn't be capable of such a thing.

    And yes it was plugged in to net at the time. I'm not sure but I think I put in the DMZ a while ago. I'll check.

Update: It was in the DMZ. And I think the firewall was off; it was off when I came to it. I think I was working on something and turned it off before I left for the weekend last Wed.

Does anyone know what he was trying to do or if it worked?

PS. Those files are gone.

Lol. I'm so glad I didn't put Xcode on that machine. I'm just gonna reinstall to be safe, but from the looks of it nothing was really achieved.
     
  8. jeremy.king macrumors 603

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #8
    Well, looks like you left your machine wide open to the world, most likely with VNC enabled since you had GUI apps launched, and to top it all off, you must have had a weak password that was easily guessed on the second try???

    Consider it a lesson learned that securing a "server" is not something to be taken lightly.
     
  9. Fearless Leader thread starter macrumors 68020

    Joined:
    Mar 21, 2006
    Location:
    Hoosiertown
    #9
My password is nine characters long with both letters and numbers.
     
  10. bousozoku Moderator emeritus

    Joined:
    Jun 25, 2002
    Location:
    Gone but not forgotten.
    #10
    It looks like someone with recent Linux experience. At first, they were just trying to assess what was available on the system and your shell login settings.

It looks as if he was attempting to replace pmTool, which is run by Activity Monitor to collect performance statistics, but thankfully you didn't have the development tools installed.
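Two practical points come out of posts #2 and #10: grab the staged script from /tmp before a reboot destroys it, and verify that the privileged helper the script targeted (`/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool`, per the traceback in post #1) is still the real binary and not a shell wrapper. The script below is an added example, not code from the thread or from Apple; it preserves a file with a hash manifest without touching the original, and checks a helper against a known-good hash, flagging a script wrapper (a file beginning with `#!`) and reporting whether it is setuid. All paths in the demo are constructed in a temporary directory; the known-good hash is something you record while the system is still trusted.

```shell
#!/bin/sh
# Added example, not from the thread: evidence preservation (post #2) and
# privileged-helper integrity check (post #10). Demo paths are constructed
# stand-ins created under mktemp; on a live system point them at /tmp and at
# the real helper, e.g. Activity Monitor's pmTool.

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy FILE into EVIDENCE_DIR preserving mode and timestamps, append its hash,
# path and size to a manifest, and print the hash. Never modifies the source.
preserve_evidence() {
    src="$1"; dir="$2"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 2; }
    mkdir -p "$dir"
    cp -p "$src" "$dir/$(basename "$src")"
    h=$(sha256_of "$src")
    sz=$(wc -c < "$src" | tr -d ' ')
    printf '%s  %s  %s bytes\n' "$h" "$src" "$sz" >> "$dir/MANIFEST.sha256"
    printf '%s\n' "$h"
}

# True (0) if the file starts with "#!": a script, not a native binary.
is_script_wrapper() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# Compare a privileged helper to a known-good hash and report whether it has
# been swapped for a script wrapper; note setuid state. Returns 0 only if clean.
check_helper() {
    file="$1"; expected="$2"; status=0
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "HASH MISMATCH: $file"; status=1
    fi
    if is_script_wrapper "$file"; then
        echo "SCRIPT WRAPPER: $file starts with #!"; status=1
    fi
    if [ -u "$file" ]; then
        echo "note: $file is setuid"
    fi
    [ "$status" -eq 0 ] && echo "OK: $file"
    return "$status"
}

# Stand-alone demo with constructed files.
demo() {
    work=$(mktemp -d)
    # Constructed stand-in for the helper; record its hash while the system is clean.
    printf 'constructed stand-in for a native helper binary\n' > "$work/pmTool"
    known_good=$(sha256_of "$work/pmTool")
    check_helper "$work/pmTool" "$known_good"
    # Simulate the swap the thread describes: helper replaced by a script wrapper.
    printf '#!/bin/sh\necho constructed wrapper stand-in\n' > "$work/pmTool"
    check_helper "$work/pmTool" "$known_good" || echo "=> helper tampered, preserving it"
    preserve_evidence "$work/pmTool" "$work/evidence" >/dev/null
    cat "$work/evidence/MANIFEST.sha256"
    rm -rf "$work"
}
demo
```

The manifest hash is what lets you hand the file to someone else (or compare it after a reinstall) and show it was not altered in the meantime; `cp -p` keeps the mtime, which is the timestamp you will want to line up against the login records.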
     
