
Fearless Leader (original poster)
I came home to my Mac today and found a Terminal window open and a Safari window. Asked my family if they had used my Mac and they had not. The Safari window was a Yahoo search for some .exe file. And in the Terminal window it appears someone got in. Ruby commands were run, passwords changed. It's currently unplugged from the net.

Code:
Last login: Thu Jan 18 19:10:02 on ttyp1
Welcome to Darwin!
PowerMacServer:~ tmartin$ id
uid=501(tmartin) gid=501(tmartin) groups=501(tmartin), 81(appserveradm), 79(appserverusr), 80(admin)
PowerMacServer:~ tmartin$ uname -a
Darwin PowerMacServer.thestupidmonkey.com 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep  8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ cat /etc/issue.net
cat: /etc/issue.net: No such file or directory
PowerMacServer:~ tmartin$ set
BASH=/bin/bash
BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="powerpc-apple-darwin8.0")
BASH_VERSION='2.05b.0(1)-release'
COLUMNS=80
DIRSTACK=()
EUID=501
GROUPS=()
HISTFILE=/Users/tmartin/.bash_history
HISTFILESIZE=500
HISTSIZE=500
HOME=/Users/tmartin
HOSTNAME=PowerMacServer.thestupidmonkey.com
HOSTTYPE=powerpc
IFS=$' \t\n'
LINES=24
LOGNAME=tmartin
MACHTYPE=powerpc-apple-darwin8.0
MAILCHECK=60
OPTERR=1
OPTIND=1
OSTYPE=darwin8.0
PATH=/bin:/sbin:/usr/bin:/usr/sbin
PIPESTATUS=([0]="1")
PPID=6859
PS1='\h:\w \u\$ '
PS2='> '
PS4='+ '
PWD=/Users/tmartin
SECURITYSESSIONID=4190c0
SHELL=/bin/bash
SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
SHLVL=1
TERM=xterm-color
TERM_PROGRAM=Apple_Terminal
TERM_PROGRAM_VERSION=133
UID=501
USER=tmartin
_=/etc/issue.net
__CF_USER_TEXT_ENCODING=0x1F5:0:0
PowerMacServer:~ tmartin$ gcc
-bash: gcc: command not found
PowerMacServer:~ tmartin$ perl
^C
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ cat /etc/passwd
##
# User Database
# 
# Note that this file is consulted when the system is running in single-user
# mode.  At other times this information is handled by one or more of:
# lookupd DirectoryServices  
# By default, lookupd gets information from NetInfo, so this file will 
# not be consulted unless you have changed lookupd's configuration.
# This file is used while in single user mode.
#
# To use this file for normal authentication, you may enable it with
# /Applications/Utilities/Directory Access.
##
nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
cyrusimap:*:77:6:Cyrus IMAP User:/var/imap:/usr/bin/false
mailman:*:78:78:Mailman user:/var/empty:/usr/bin/false
appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
clamav:*:82:82:Clamav User:/var/virusmails:/bin/tcsh
amavisd:*:83:83:Amavisd User:/var/virusmails:/bin/tcsh
jabber:*:84:84:Jabber User:/var/empty:/usr/bin/false
xgridcontroller:*:85:85:Xgrid Controller:/var/xgrid/controller:/usr/bin/false
xgridagent:*:86:86:Xgrid Agent:/var/xgrid/agent:/usr/bin/false
appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false
windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false
tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false
securityagent:*:92:92:SecurityAgent:/var/empty:/usr/bin/false
unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
PowerMacServer:~ tmartin$ id
uid=501(tmartin) gid=501(tmartin) groups=501(tmartin), 81(appserveradm), 79(appserverusr), 80(admin)
PowerMacServer:~ tmartin$ adduser
-bash: adduser: command not found
PowerMacServer:~ tmartin$ useradd
-bash: useradd: command not found
PowerMacServer:~ tmartin$ passwd mailman
Changing password for mailman.
password for tmartin:
New password:
Retype new password:
Sorry
PowerMacServer:~ tmartin$ passwd mailman
Changing password for mailman.
password for tmartin:
New password:

PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ 
PowerMacServer:~ tmartin$ ls -al /usr/bin/ruby
-rwxr-xr-x   1 root  wheel  13812 Apr 18  2006 /usr/bin/ruby
PowerMacServer:~ tmartin$ cd /etc
PowerMacServer:/etc tmartin$ ls
6to4.conf                       named.conf
AFP.conf                        nanorc
IPAliases.conf.default          nat
MailServicesOther.plist         networks
X11                             notify.conf
afpovertcp.cfg                  ntp.conf
aliases                         openldap
aliases.db                      pam.d
amavisd.conf                    passwd
amavisd.conf.personal           pear.conf
authorization                   periodic
authorization.cac               php.ini.default
bashrc                          postfix
certificates                    ppp
clamav.conf                     printcap
crontab                         profile
csh.cshrc                       protocols
csh.login                       racoon
csh.logout                      rc
cups                            rc.common
cyrus.conf                      rc.netboot
cyrus.conf.default              rc.shutdown
daily                           resolv.conf
defaults                        rmtab
diskspacemonitor                rndc.key
dumpdates                       rpc
efax.rc                         rtadvd.conf
find.codes                      servermgrd
fonts                           services
freshclam.conf                  shells
fstab.hd                        shells.personal
ftpusers                        slpsa.conf
gettytab                        smb.conf
group                           smb.conf.template
hostconfig                      snmpd.conf
hostconfig.personal             spam
hosts                           squirrelmail
hosts.equiv                     ssh_config
hosts.lpd                       ssh_host_dsa_key
httpd                           ssh_host_dsa_key.pub
hwmond.SMART                    ssh_host_key
imapd.conf                      ssh_host_key.pub
imapd.conf.default              ssh_host_rsa_key
imapd.conf.personal             ssh_host_rsa_key.pub
inetd.conf                      sshd_config
ipfilter                        sshd_config.bak
jabber                          sshd_config.personal
kcpassword                      sudoers
kern_loader.conf                swupd
krb5.keytab                     sysctl-macosxserver.conf
localtime                       syslog.conf
mach_init.d                     systemserialnumbers
mach_init_per_user.d            ttys
mail                            webperfcache
mail.rc                         weekly
master.passwd                   xgrid
memberd.conf                    xinetd.conf
moduli                          xinetd.d
monthly                         xinetd.d-migrated2launchd
motd                            xtab
mysqlManager.plist.default
PowerMacServer:/etc tmartin$ cat proc/version
cat: proc/version: No such file or directory
PowerMacServer:/etc tmartin$ cat /proc/version
cat: /proc/version: No such file or directory
PowerMacServer:/etc tmartin$ uname 
Darwin
PowerMacServer:/etc tmartin$ uname  -a
Darwin PowerMacServer.thestupidmonkey.com 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep  8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc
PowerMacServer:/etc tmartin$ wget
-bash: wget: command not found
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ lynx
-bash: lynx: command not found
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ curl
curl: try 'curl --help' or 'curl --manual' for more information
PowerMacServer:/etc tmartin$ kedit
-bash: kedit: command not found
PowerMacServer:/etc tmartin$ vim
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ 
PowerMacServer:/etc tmartin$ vi ss.txt
PowerMacServer:/etc tmartin$ pwd
/etc
PowerMacServer:/etc tmartin$ cd /home
-bash: cd: /home: No such file or directory
PowerMacServer:/etc tmartin$ ls
6to4.conf                       named.conf
AFP.conf                        nanorc
IPAliases.conf.default          nat
MailServicesOther.plist         networks
X11                             notify.conf
afpovertcp.cfg                  ntp.conf
aliases                         openldap
aliases.db                      pam.d
amavisd.conf                    passwd
amavisd.conf.personal           pear.conf
authorization                   periodic
authorization.cac               php.ini.default
bashrc                          postfix
certificates                    ppp
clamav.conf                     printcap
crontab                         profile
csh.cshrc                       protocols
csh.login                       racoon
csh.logout                      rc
cups                            rc.common
cyrus.conf                      rc.netboot
cyrus.conf.default              rc.shutdown
daily                           resolv.conf
defaults                        rmtab
diskspacemonitor                rndc.key
dumpdates                       rpc
efax.rc                         rtadvd.conf
find.codes                      servermgrd
fonts                           services
freshclam.conf                  shells
fstab.hd                        shells.personal
ftpusers                        slpsa.conf
gettytab                        smb.conf
group                           smb.conf.template
hostconfig                      snmpd.conf
hostconfig.personal             spam
hosts                           squirrelmail
hosts.equiv                     ssh_config
hosts.lpd                       ssh_host_dsa_key
httpd                           ssh_host_dsa_key.pub
hwmond.SMART                    ssh_host_key
imapd.conf                      ssh_host_key.pub
imapd.conf.default              ssh_host_rsa_key
imapd.conf.personal             ssh_host_rsa_key.pub
inetd.conf                      sshd_config
ipfilter                        sshd_config.bak
jabber                          sshd_config.personal
kcpassword                      sudoers
kern_loader.conf                swupd
krb5.keytab                     sysctl-macosxserver.conf
localtime                       syslog.conf
mach_init.d                     systemserialnumbers
mach_init_per_user.d            ttys
mail                            webperfcache
mail.rc                         weekly
master.passwd                   xgrid
memberd.conf                    xinetd.conf
moduli                          xinetd.d
monthly                         xinetd.d-migrated2launchd
motd                            xtab
mysqlManager.plist.default
PowerMacServer:/etc tmartin$ cd /
PowerMacServer:/ tmartin$ ls
Applications    Network         automount       flash           private
Desktop DB      Shared Items    bin             mach            sbin
Desktop DF      System          cores           mach.sym        tmp
Groups          Users           dev             mach_kernel     usr
Library         Volumes         etc             opt             var
PowerMacServer:/ tmartin$ cd /tmp
PowerMacServer:/tmp tmartin$ ls
hsperfdata_appserver    objc_sharing_ppc_79
objc_sharing_ppc_501    objc_sharing_ppc_92
PowerMacServer:/tmp tmartin$ vi root.rb
PowerMacServer:/tmp tmartin$ ruby root.rb
++ Starting: /Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
++ Back-up:  /tmp/pmTool
++ Compiling a shell wrapper at /tmp/o...
sh: line 1: gcc: command not found
++ Placing backdoor...
/usr/lib/ruby/1.8/fileutils.rb:525:in `stat': No such file or directory - /tmp/o (Errno::ENOENT)
        from /usr/lib/ruby/1.8/fileutils.rb:525:in `stat'
        from /usr/lib/ruby/1.8/fileutils.rb:511:in `preserve'
        from /usr/lib/ruby/1.8/fileutils.rb:455:in `copy_entry'
        from /usr/lib/ruby/1.8/fileutils.rb:416:in `copy_entry'
        from /usr/lib/ruby/1.8/fileutils.rb:584:in `mv'
        from /usr/lib/ruby/1.8/fileutils.rb:572:in `fu_each_src_dest'
        from /usr/lib/ruby/1.8/fileutils.rb:845:in `fu_each_src_dest0'
        from /usr/lib/ruby/1.8/fileutils.rb:845:in `fu_each_src_dest'
        from /usr/lib/ruby/1.8/fileutils.rb:572:in `mv'
        from root.rb:65
PowerMacServer:/tmp tmartin$ gcc
-bash: gcc: command not found
PowerMacServer:/tmp tmartin$ firefox
-bash: firefox: command not found
PowerMacServer:/tmp tmartin$
 
If it was a hacker, how did they get control of your desktop? I mean, SSH is one thing, but the desktop?

What services do you have enabled?

PS. Seems whoever was doing it was not very smart, as he must have thought he was root :p That's why none of the commands worked for him, I believe.

PPS. If you have not restarted yet, GRAB THAT TMP FILE. That tmp file will help reveal what he was trying to do in the last step, so just open Finder to /tmp and grab the root.rb file.
 
Assuming you're not trying to fake us out, it does look like somebody tried to hack your machine. It looks to me like they thought/assumed OS X is just the same as a Linux machine, as they were trying a bunch of commands/looking for paths that are common on Linux but not OS X. Do you have Remote Desktop on? He apparently had access to the GUI (SSH access wouldn't have resulted in an open Terminal.app window).
 
It seems much more likely that someone is lying to you and used the computer from inside your home than over the internet.

Do you mean that you unplugged the computer from the internet *after* you found this? Certainly it didn't happen over the net if it wasn't on the net to begin with. ;) What kind of network configuration do you have? If you have a router and you haven't opened ports from the outside world to that Mac, you can pretty much rule out an external hacker also.
 
Plus, unless you have the Remote Desktop VNC server on and available to the outside world (or some other VNC server) with an insecure password, he wouldn't have been able to interact w/ the desktop. I'd say this is an inside job.
 
Well, it is a server. I just have DNS, Web occasionally, AFP, and Open Directory as my only services. No guest access. I had my VNC off at the time, I think, because I remember working directly on the system and would have turned it off. Is that tmp file deleted after reboot? Because I did and can't find it. I'll try Data Rescue. I'm sure no one who had physical access to the machine did this. I'm the only one in my family who knows anything about Macs. They just wouldn't be capable of such a thing.

And yes, it was plugged in to the net at the time. I'm not sure, but I think I put it in the DMZ a while ago. I'll check.

Update: It was in the DMZ. And I think the firewall was off; it was off when I came to it. I think I was working on something and turned it off before I left for the weekend last Wed.

Does anyone know what he was trying to do or if it worked?

PS: Those files are gone.

Lol. I'm so glad I didn't put Xcode on that machine. I'm just gonna reinstall to be safe, but from the looks of it nothing was really achieved.
 
Update: It was in the DMZ. And I think the firewall was off; it was off when I came to it. I think I was working on something and turned it off before I left for the weekend last Wed.

Well, looks like you left your machine wide open to the world, most likely with VNC enabled since you had GUI apps launched, and to top it all off, you must have had a weak password that was easily guessed on the second try???

Consider it a lesson learned that securing a "server" is not something to be taken lightly.
 
It looks like someone with recent Linux experience. At first, they were just trying to assess what was available on the system and your shell login settings.

It looks as if he was attempting to replace pmTool, which is run by Activity Monitor to collect performance statistics, but thankfully you didn't have the development tools installed.
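An added integrity check, not from the thread, written in the same language the attacker's root.rb used. The transcript shows that script backing pmTool up to /tmp/pmTool, trying to build a wrapper at /tmp/o, and then trying to mv the wrapper over the original; this audit looks for each trace that sequence would leave. It assumes the helper is expected to be owned by root with the setuid bit set, and that you recorded a SHA-256 baseline from a known-good install (the expected hash is a placeholder you supply, not a published value).

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Audit a privileged helper binary such as Activity Monitor's pmTool.
# Returns an array of findings; an empty array means nothing looked off.
# expected_sha256: baseline hash you recorded yourself on a clean install.
# tmpdir: where root.rb left its backup (pmTool) and wrapper (o).
def audit_privileged_helper(path, expected_sha256, tmpdir = '/tmp')
  return ["helper missing: #{path}"] unless File.file?(path)

  findings = []
  st = File.stat(path)
  # Assumption: the real helper is root-owned and setuid; a swapped-in
  # shell wrapper would usually lose both properties.
  findings << "owner is uid #{st.uid}, expected root (0)" unless st.uid.zero?
  findings << 'setuid bit not set (replaced by a plain file?)' unless st.setuid?
  findings << "group/other writable: mode #{st.mode.to_s(8)}" if (st.mode & 0o022) != 0

  actual = Digest::SHA256.file(path).hexdigest
  findings << "sha256 mismatch: #{actual}" unless actual == expected_sha256

  # The wrapper root.rb tried to build was a shell script; a Mach-O binary
  # never starts with a shebang.
  findings << "file starts with '#!' (script, not a Mach-O binary)" if File.binread(path, 2) == '#!'

  # Leftovers from the backup/compile steps seen in the transcript.
  %w[pmTool o].each do |name|
    leftover = File.join(tmpdir, name)
    next unless File.exist?(leftover)
    findings << "leftover artifact #{leftover} (#{File.size(leftover)} bytes)"
  end
  findings
end
```

Run it against the live path with the baseline you recorded; on a rebuilt machine, record the baseline first and keep it off the box.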
 