Free Republic

OS X Server break-in: Probably isolated, but a heads-up
Infoworld ^ | April 15, 2008 | by Tom Yager

Posted on 04/16/2008 12:41:47 AM PDT by Swordmaker

On Sunday, I encountered a break-in on an Xserve running OS X Leopard Server 10.5.2. All Apple-issued fixes had been applied. I cannot locate the vector of intrusion, but following the break-in I noticed the following:

It's my suspicion that my system was placed under limited remote control via exploitation of a vulnerability, probably a manufactured one as no reported exploit exists, in Communigate Pro that allowed an attacker to submit very limited commands via SMTP and/or POP3. I think he was flying blind, unable to see the results of the commands he issued, and he therefore made rather slow progress. It was sloppy of him to change my administrative passwords while I was logged in. If I had missed his presence prior to that, that action would have given him away.

How he injected Communigate Pro into my system in the first place remains a troubling mystery.

I'm fairly confident that his original exploit and remote control vectors have been disarmed. Now it falls to me to discover any backdoors he's left behind. There is no sensitive data on this server, and it is not gatewayed to the rest of my network. Rather than reinstall the OS, I'm leaving my server on-line as it is, with all logs set to debug and privileged accounts disabled for non-console login, to see if the attacker has established another way in.

I don't have time right now to do more than this. Ironically, I'm doing a review of Xserve. This event does not color my opinion of Leopard or Leopard Server. I used canned OS X tools and methods to shut down the attack, so I feel the system is adequately armed to foil an attacker. I expect that the original vulnerability was of my own making.


TOPICS: Business/Economy; Computers/Internet

1 posted on 04/16/2008 12:41:47 AM PDT by Swordmaker
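The article's next step, finding any backdoors left behind, comes down to comparing the places a backdoor has to live in to survive a reboot against a known-good state, and checking that no second UID-0 account has appeared. The following is an added example of that comparison; it is not code from the InfoWorld article, from Apple, or from anyone in this thread, and it generalizes from the one Xserve to any Unix-like host. The watched paths, the plist and crontab contents, the `org.example.*` job names and the assumed format of `dscl . -list /Users UniqueID` output are illustrative assumptions.

```python
"""Persistence baseline for a Unix host after a suspected break-in.
Added example, not code from the InfoWorld article, Apple, or anyone in this
thread: snapshot where a backdoor must live to survive a reboot, keep the
snapshot off the box, and diff later snapshots against it."""
import hashlib
import json
import os
import stat
import tempfile

# Mac OS X launchd, cron and ssh locations plus generic Unix ones.  The list is
# an assumption for illustration; extend it for the services actually installed.
PERSISTENCE_PATHS = [
    "Library/LaunchDaemons",
    "Library/LaunchAgents",
    "System/Library/LaunchDaemons",
    "etc/crontab",
    "etc/periodic",
    "etc/sshd_config",
    "var/root/.ssh/authorized_keys",
]

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, paths=PERSISTENCE_PATHS):
    """Map each file under the watched paths (keyed relative to root) to its
    hash, mode, owner and set-uid flag.  Symlinks are recorded by target, not
    followed, so a planted link is an entry of its own."""
    result = {}
    for rel in paths:
        base = os.path.join(root, rel)
        if os.path.isdir(base) and not os.path.islink(base):
            files = [os.path.join(d, n) for d, _, names in os.walk(base) for n in names]
        elif os.path.lexists(base):
            files = [base]
        else:
            continue
        for path in files:
            st = os.lstat(path)
            key = os.path.relpath(path, root)
            if stat.S_ISLNK(st.st_mode):
                result[key] = {"symlink": os.readlink(path)}
            elif stat.S_ISREG(st.st_mode):
                result[key] = {"sha256": _sha256(path),
                               "mode": oct(stat.S_IMODE(st.st_mode)),
                               "uid": st.st_uid,
                               "setuid": bool(st.st_mode & stat.S_ISUID)}
    return result

def diff(baseline, current):
    """Entries added, removed or changed since the baseline was taken."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(k for k in common if baseline[k] != current[k])}

def uid0_accounts(lines):
    """UID-0 account names from passwd-style lines ('name:x:0:...') or from
    'name uid' pairs as `dscl . -list /Users UniqueID` prints on Mac OS X (that
    output format is assumed).  Any name besides root needs an explanation."""
    names = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:                      # dscl form -> passwd form
            words = line.split()
            line = ":".join(words[:1] + ["x"] + words[1:2])
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names

def make_fixture(root):
    """Constructed clean state: one launchd job and a stock-looking crontab."""
    os.makedirs(os.path.join(root, "Library", "LaunchDaemons"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "Library/LaunchDaemons/org.example.web.plist"), "w") as f:
        f.write("<plist><dict><key>Label</key><string>org.example.web</string></dict></plist>\n")
    with open(os.path.join(root, "etc/crontab"), "w") as f:
        f.write("0 3 * * * root /usr/sbin/periodic daily\n")

def plant_backdoor(root):
    """Constructed post-intrusion state: a new launchd job and an extra cron line."""
    with open(os.path.join(root, "Library/LaunchDaemons/org.example.helper.plist"), "w") as f:
        f.write("<plist><dict><key>Program</key><string>/tmp/.h</string></dict></plist>\n")
    with open(os.path.join(root, "etc/crontab"), "a") as f:
        f.write("*/5 * * * * root /tmp/.h\n")

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    make_fixture(root)
    baseline = snapshot(root)      # in practice json.dump() this somewhere off-host
    plant_backdoor(root)
    print(json.dumps(diff(baseline, snapshot(root)), indent=2))
```

Run against the real root as `snapshot("/")` from a known-clean boot (install media or a trusted backup), store the JSON off the machine, and diff after any suspicious window. The obvious caveat is the one the thread raises: a baseline taken after the intrusion only catches what the attacker changes later, which is why a wipe and reinstall is the only way to be sure.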

To: 1234; 50mm; 6SJ7; Abundy; Action-America; aristotleman; af_vet_rr; Aggie Mama; afnamvet; ...
Possible remote break-in of a Mac OSX Server... PING!

I suspect this had local help... but it is NOT FUD.


Mac Warning Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 04/16/2008 12:43:56 AM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

Real interesting! Please tell me more!


3 posted on 04/16/2008 12:44:48 AM PDT by flowerplough (I suck at Photoshop)

To: flowerplough

4 posted on 04/16/2008 1:03:51 AM PDT by Westlander (Unleash the Neutron Bomb)

To: Swordmaker

Oh this can’t be, this only happens to Windoze systems (snicker)...


5 posted on 04/16/2008 1:11:39 AM PDT by mkjessup (Jimmy Carter is the skidmark in the panties of American history.)

To: Swordmaker

6 posted on 04/16/2008 1:39:52 AM PDT by kingattax (99 % of liberals give the rest a bad name)

To: Swordmaker

imho,

IMPRESSIVE CATCH AND WORK ON YOUR PART.

THX.


7 posted on 04/16/2008 3:17:36 AM PDT by Quix (GOD ALONE IS GOD; WORTHY; PAID THE PRICE; IS COMING AGAIN; KNOWS ALL; IS LOVING; IS ALTOGETHER GOOD)

To: Swordmaker
I changed the root password to the serial number on a $2 bill I received as a high school graduation gift...

Bet the writer has this $2 bill taped to the server faceplate.

8 posted on 04/16/2008 3:49:55 AM PDT by 6SJ7

To: Swordmaker

They’re coming to get you, Barbara!


9 posted on 04/16/2008 4:38:56 AM PDT by MrBambaLaMamba (Hussein Obama for Caliph 2008!)

To: mkjessup
Oh, I think we in the Mac community have been expecting something like this.

A smart, malicious cracker will find a way to exploit OSX. The difference with Windows is that the cracker will be smart and the exploit will be eventually discovered, AND if you do have to reinstall the OS you are not going to be having a long talk with some guy in India trying to convince him you don't have a bootleg version.

10 posted on 04/16/2008 5:55:18 AM PDT by Tribune7 (How is inflicting pain and death on an innocent, helpless human being for profit, moral?)

To: Tribune7
"...if you do have to reinstall the OS you are not going to be having a long talk with some guy in India trying to convince him you don't have a bootleg version."

And if you make any "would you like a Slurpee with that" jokes, they just hang up on you, lol

I have to admit that I was mighty impressed with the iMac that I saw recently (24" display version), and while I'm not ready to make that jump, I'm giving it more serious consideration as a possible option in the future.

VERY nice:
11 posted on 04/16/2008 7:07:16 AM PDT by mkjessup (Jimmy Carter is the skidmark in the panties of American history.)

To: mkjessup
"would you like a Slurpee with that" jokes,

AND I have felt the temptation. LOL.

12 posted on 04/16/2008 7:15:35 AM PDT by Tribune7 (How is inflicting pain and death on an innocent, helpless human being for profit, moral?)

To: Tribune7

Ask them if they’re the announcer for Jerry Springer now, lol

fyi, Springer is employing a definite Indian voice for promos, voice-overs, etc., not that I watch such visual garbage, ;)


13 posted on 04/16/2008 7:19:17 AM PDT by mkjessup (Jimmy Carter is the skidmark in the panties of American history.)

To: Swordmaker

The fellow should wipe the box and re-install from media. There is no other way to be sure you’ve got rid of the attacker.


14 posted on 04/16/2008 7:33:37 AM PDT by zeugma (To be honest with you, I'd not shed a single tear if someone nuked Washington DC)

To: Swordmaker
I think it was. Mac OSX is inherently secure by design because everything needs user permission before it can run. That's also standard on Linux and only came on Windows with Vista. It's terrible practice to run an unsecured system. If you know the site or source is trusted, you can give that permission to run. Everything else should be untrusted by default.

"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palaeologus

15 posted on 04/16/2008 9:53:15 AM PDT by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives In My Heart Forever)

To: Swordmaker

It sounds like it either had local help, or someone used their login and password on an unsecured terminal.

If the sysadmin was running mail accounts for (local) users on the system, and someone logged in in the clear on an unsecured network or on an unsecured terminal, then that is all that is needed for a hacker to have access.

The best thing for the sysadmin to do would be to do a clean install, reimport user home folders from a backup, and then configure all user access to use:

1) different passwords than their user account password for accessing mail
2) mail over SSL

Just my thoughts.


16 posted on 04/17/2008 12:07:34 AM PDT by coconutt2000 (NO MORE PEACE FOR OIL!!! DOWN WITH TYRANTS, TERRORISTS, AND TIMIDCRATS!!!! (3-T's For World Peace))
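Point 2 of the post above, mail over SSL, is only worth something if the server also refuses to take a password before the session is encrypted. Mac OS X Server's SMTP service is Postfix, so the check below reads a Postfix main.cf for the parameters that control that. This is an added example, not code from anyone in this thread or from Apple; the two main.cf texts are constructed for illustration and the certificate paths in them are assumptions.

```python
"""Audit a Postfix main.cf for plaintext mail authentication.
Added example, not from the thread or from Apple.  The parameter names are
Postfix's own; the sample configurations are constructed for illustration."""

def parse_main_cf(text):
    """Parse 'key = value' lines, honouring '#' comments and the
    whitespace-indented continuation lines Postfix allows."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:   # continuation of previous value
            params[key] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue
        key, value = (s.strip() for s in raw.split("=", 1))
        params[key] = value
    return params

def audit_postfix_auth(text):
    """Findings that would let a mail password cross the wire in the clear.
    Defaults mirror Postfix's: SASL off, no TLS, AUTH allowed before STARTTLS."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings                            # no AUTH, nothing to protect here
    tls_offered = (p.get("smtpd_tls_security_level", "") not in ("", "none")
                   or p.get("smtpd_use_tls", "no") == "yes")
    if not tls_offered:
        findings.append("STARTTLS not offered (smtpd_tls_security_level / smtpd_use_tls)")
    elif not p.get("smtpd_tls_cert_file"):
        findings.append("no smtpd_tls_cert_file: Postfix will not enable TLS without a server certificate")
    if p.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only != yes: AUTH accepted on a plaintext session")
    return findings

# Constructed weak configuration: AUTH is on, TLS is nominally on, but there is
# no certificate and nothing stops a client from sending AUTH before STARTTLS.
WEAK_MAIN_CF = """\
# constructed example
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
"""

# Constructed hardened configuration (certificate paths are assumptions).
HARDENED_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/certificates/mail.example.com.crt
smtpd_tls_key_file = /etc/certificates/mail.example.com.key
"""

if __name__ == "__main__":
    for name, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, audit_postfix_auth(cf) or ["ok"])
```

Run it as `audit_postfix_auth(open("/etc/postfix/main.cf").read())`. It covers only SMTP; the POP3 and IMAP services need the equivalent "no plaintext login" setting in their own configuration, and point 1 of the post (a mail password distinct from the login password) is a directory-service policy rather than anything a mail server config can enforce.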
