> Hi all. After a two-month absence, I'm back, and I've got a problem.
> I recently discovered a copy of PsyBNC, an IRC client, installed in
> /private/var/tmp/ on a client's Xserve running MOSXS v.10.3.9 on a
> public IP address. Simultaneously, I noticed that a file named
> "pula" had been created in /tmp, the beginning text of which is the
> following:
Just about anything can have permissions to write to temp, and Safari
scratches data there too.
> #!/usr/bin/perl
> #
> # ShellBOT - FBI TEAM Corporation
> #
> # 0ldW0lf - email@hidden
> # - www.security.cnc.net
> #
> #
> #
> ################ CONFIGURATION #################################################################
> my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Name of the process as it will appear in ps #
> #----------------------------------------------################################################
> my $linas_max='8'; # Avoids flooding :) after X lines #
> #----------------------------------------------################################################
> my $sleep='4'; # it sleeps X seconds #
> ##################### IRC #####################################################################
> my @adms=("bujuzip"); # Administrator's nick #
> I have the full text of the file to share with anyone who wants it.
> The end result was that this jackass was able to relay spam from the
> server for a couple of hours before I discovered him. I immediately
> took the machine off the network, removed all suspect files, and
> reset all passwords, including admins, non-admins, and root.
Did you reboot to stop any running processes, et al?
And before all this did you take a complete snapshot of the running
system for forensics and possible legal action, audit, or required
post-incident security requirements? (For instance, if you process
credit card or personal data of customers you may have specific
compliance issues to deal with.)
> Since reconnecting the box to the network and rebooting it, I've
> seen no more problems. As usual, the logs are filled with the
> harmless attempts of jerks trying to log in to the server by
> brute-forcing passwords and users, but that's it. My questions are:
> 1. How can something like this happen?
Trojan Horse.
Users who have permissions to do things on your computers can start
whatever processes they want, and if they're stupidly executing
untrusted code, and that includes tools that have the ability to
download and execute files from the network, like IRC, AIM, email,
..., that can be used to execute code w/o the stupid user
knowing/caring.
I say stupid here b/c if your users are blindly executing untrusted
code, your users need serious education.
> 2. How can I prevent it from happening again?
Don't be stupid. Don't run untrusted code, or use tools and apps that
have the ability to do so.
> 3. Should I worry about the box being compromised in some other way?
> What could I have missed?
Reboot it.
Examine the code and look for other traces, especially in user files and logs.
> I've been keeping up with all security patches, and the machine is
> running a bone stock Apple implementation, except for a customized
> Postfix main.cf/master.cf setup for spam and virus filtering with
> SpamAssassin v.3.0.2 (running on Perl v.5.8.1), and ClamAV v.0.83
> (on my list of things to up-grade).
It's not an issue of system security, but user security. Your system
wasn't compromised, but a user was exploited. All of the above runs
in user land. It's your user(s) that have done this, either
maliciously or stupidly from insecure practices.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
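An added check, not part of the thread or of Dan's advice, for the trick the quoted script's $processo line relies on when you go "looking for other traces": a Perl process that rewrites $0 changes the program name in ps's args column but not the kernel-side comm column, so the two disagree. It assumes a ps that accepts -eo pid,comm,args (Linux procps; the sample ps output below is constructed).

```shell
#!/bin/sh
# Added example (not from the list thread): list processes whose kernel-side
# command name (ps "comm" column) disagrees with argv[0] in the "args" column.
# The quoted ShellBOT config sets $processo so the bot shows up in ps as
# "/usr/local/apache/bin/httpd -DSSL"; rewriting $0 changes args but not comm.
# Assumption: ps accepts "-eo pid,comm,args" (Linux procps does; BSD ps is similar).

# Constructed sample of "ps -eo pid,comm,args" output; PID 1407 is the bot.
SAMPLE_PS='  PID COMMAND         COMMAND
    1 init            /sbin/init
  812 httpd           /usr/local/apache/bin/httpd -DSSL
 1407 perl            /usr/local/apache/bin/httpd -DSSL
 1533 sshd            sshd: admin [priv]
 2001 bash            -bash'

# Reads ps output on stdin and prints "PID comm argv0" for every process
# whose argv[0] basename differs from comm. Login shells ("-bash") and
# sshd-style titles ("sshd: ...") are normalised so they do not trigger.
find_spoofed_names() {
    awk 'NR > 1 {
        pid = $1; comm = $2; argv0 = $3
        sub(/.*\//, "", argv0)   # basename of argv[0]
        sub(/^-/, "", argv0)     # login shells appear as "-bash"
        sub(/:$/, "", argv0)     # "sshd: user [priv]" style titles
        if (argv0 != comm) print pid, comm, $3
    }'
}

# Run against the live process table:
#   ps -eo pid,comm,args | find_spoofed_names
```

Scripts started via their #! line also show a mismatch (comm is the script name, argv[0] the interpreter) and Linux truncates comm to 15 characters, so review hits by hand rather than treating every line as a bot.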