[MacTUG] a hacked lab mac?

Steve Hellyer phasetwo at apple.com
Tue Mar 22 11:25:02 EDT 2011


Hi Don,

You can check various actions which require authorization in the secure.log and the archived secure.log.X.bz2 (where X is a number indicating the archive) using Console.
There is an Install.log too. :-)

Certainly a good starting place for any investigation.

Question… Do you have SSH turned on on the system for remote management?  Just wondering?

Steve

On 2011-03-22, at 10:58 AM, Donald Duff-McCracken wrote:

> A few further comments, that make this rather interesting, and are leading me to think that the Mac had a brain-fart versus being attacked…
> 
> I checked my ARD task history, and the machine in question only started failing on the tasks yesterday. And here is the really weird one. At just before noon yesterday, using ARD I woke up all my machines, and this machine reported back that it succeeded in updating. To me this is a clear indication that the admin password (which is the only way one can remote to the machine) was intact. Two minutes later I told all the machines (via ARD) to do a software update, and this is when the machine in question started failing in being able to do tasks. So within a 2 minute period, ARD was unable to access the machine.
> 
> What is really interesting is that when I log on to this machine as root and check its remote management settings, it is set to not allow any access. Usually I tell the Mac to "Allow access for Only these users:" and then have the admin account listed. On the Mac in question, there is no admin account listed in the window. Weird, eh?
> 
> And yes, the password for the admin account in question does not work when one logs in using the keyboard.
> 
> 
> ------------------------------------
> Donald Duff-McCracken 
> Technical Services Manager
> Mapping, Analysis & Design
> Faculty of Environment
> University of Waterloo
> (519) 888-4567 x32151
> http://www.environment.uwaterloo.ca/computing/people/don.html
> ------------
> To request help from MAD please use Request Tracker. For info see: http://www.environment.uwaterloo.ca/computing/faculty_staff/
> ------------
> This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.
> 
> From: Donald Duff-McCracken <dsmccrac at uwaterloo.ca>
> Date: Tue, 22 Mar 2011 13:40:13 +0000
> To: MacTUG <mactug at mailman.uwaterloo.ca>
> Subject: [MacTUG] a hacked lab mac?
> 
> Hi guys, 
> 
> I am experiencing something that I have never had to deal with before, and that is the possibility that an admin account on one of my lab Macs has been cracked. There is a machine in the lab on which my main admin account has had its password changed or corrupted. The Mac has an open-firmware password (and one that is different than the admin password), so it is not as simple as someone bringing in an OS X disk and booting from it to reset a password.
> 
> I am going to pull the machine for a while and would like to try to figure out what is going on. Can anyone give me some hints as to where to look forensically for any clues?
> 
> I doubt I can catch who did this but I would like to at least have a clue how they did this. Likely I will replace this password in my labs (ASAP) anyway, but it would be nice to have an idea whether the password is known before it was reset. It is certainly possible that someone used a low-tech solution (such as spying when someone was typing in the password). So, for example, if I could tell from the logs that the password was reset in the normal manner — where you type the old password and then enter the new one — that would be of interest. If I could determine whether it was happening locally or remotely that would be of use as well.
> 
> We do have video cameras in that room, so if I could get a time stamp on things, that may be useful as well.
> 
> Lastly, if anyone can think of a way that a password could become corrupted without some evil student being involved, that would be really awesome.
> 
> BTW, I still can log on to the machine as an admin, as I enabled Root and that account has not had its password changed. We rarely use the Root account (it is just there as a back door for me for this kind of purpose) so I am guessing that whoever did this did not know it was enabled.
> 
> At any rate, any tips or suggestions would be appreciated…
> don
> 
> ------------------------------------
> Donald Duff-McCracken 
> Technical Services Manager
> Mapping, Analysis & Design
> Faculty of Environment
> University of Waterloo
> (519) 888-4567 x32151
> http://www.environment.uwaterloo.ca/computing/people/don.html
> ------------
> To request help from MAD please use Request Tracker. For info see: http://www.environment.uwaterloo.ca/computing/faculty_staff/
> ------------
> This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug


-------------------------------------------------------
Steve Hellyer
Pre-Sales Systems Engineer
Education Division (Higher Education)
Apple Canada Inc.
7495 Birchmount Rd.
Markham, Ontario, Canada
L3R 5G2

PH: (905)513-5647
Mailto: phasetwo at apple.com

Training Websites
http://training.apple.com/
http://www.witzapplecertifiedtraining.com/

AppleCare Online Support
http://www.apple.com/ca/support/

AppleCare Technical Phone Support
tel:1-800-263-3394  (basic up and running support for individual consumers)

AppleCare Enterprise Level Support
http://www.apple.com/ca/support/products/macosxserver_sw_supt.html

AppleCare Service Locations (Canada)
http://www.apple.com/ca/buy/locator/
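One way to do the log sweep Steve describes (current secure.log plus the rotated secure.log.N.bz2 archives), written as an added example for this archive page; it is not code from the thread or from Apple. It assumes the 10.6-era layout under /var/log and matches a handful of typical message fragments (authorization rights being granted, password changes, sshd and screen-sharing logins); those fragments are an assumption, not an authoritative list. Each hit is tagged LOCAL or REMOTE by the logging process and printed with its syslog timestamp so it can be lined up against the camera footage Don mentions. The sample log lines at the bottom are constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original thread: sweep a Mac OS X
# secure.log and its rotated .bz2 archives for authorization-related
# events, tag each as LOCAL or REMOTE, and keep the timestamps.
# Assumptions (not facts from the post): /var/log/secure.log plus
# secure.log.0.bz2 ... secure.log.9.bz2, and the message fragments in
# AUTH_PATTERN, which are typical wording rather than a complete list.

# Emit the rotated archives oldest first (higher N is older), then the
# live log, so the stream is roughly chronological. bzcat is only used
# when it is installed.
read_secure_logs() {
    dir="$1"
    n=9
    while [ "$n" -ge 0 ]; do
        f="$dir/secure.log.$n.bz2"
        if [ -f "$f" ] && command -v bzcat >/dev/null 2>&1; then
            bzcat "$f"
        fi
        n=$((n - 1))
    done
    [ -f "$dir/secure.log" ] && cat "$dir/secure.log"
    return 0
}

# Fragments worth a closer look (assumed wording): rights granted by the
# authorization subsystem, password changes, ssh and screen-sharing/ARD.
AUTH_PATTERN='authorizing right|passwd|password|sshd|screensharingd|ARDAgent|SecurityAgent|authinternal'

auth_events() {
    read_secure_logs "$1" | grep -E -i "$AUTH_PATTERN"
}

# Tag one line by the process that logged it: network-facing services
# count as REMOTE, the local login/authorization agents as LOCAL.
classify_line() {
    case "$1" in
        *sshd*|*screensharingd*|*ARDAgent*)                      echo REMOTE ;;
        *SecurityAgent*|*authorizationhost*|*loginwindow*|*passwd*) echo LOCAL ;;
        *)                                                       echo UNKNOWN ;;
    esac
}

# "timestamp  TAG  original line" for every hit; the first 15 columns of
# a syslog line are the "Mon DD HH:MM:SS" stamp.
report() {
    auth_events "$1" | while IFS= read -r line; do
        ts=$(printf '%s\n' "$line" | cut -c1-15)
        printf '%s  %-7s %s\n' "$ts" "$(classify_line "$line")" "$line"
    done
}

count_events() {
    auth_events "$1" | wc -l | tr -d ' '
}

# Constructed sample logs for a dry run; none of these lines were captured
# from the machine in the thread. The archive is only built if bzip2 exists.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/secure.log" <<'EOF'
Mar 21 11:57:02 labmac01 sshd[4012]: Accepted keyboard-interactive/pam for ladmin from 10.20.30.40 port 51022 ssh2
Mar 21 11:57:40 labmac01 authorizationhost[4020]: Succeeded authorizing right 'system.preferences.accounts' by client '/System/Library/PreferencePanes/Accounts.prefPane'
Mar 21 11:58:05 labmac01 com.apple.SecurityServer[22]: Session created
EOF
    if command -v bzip2 >/dev/null 2>&1; then
        cat > "$dir/secure.log.0" <<'EOF'
Mar 15 09:12:44 labmac01 sshd[3301]: Failed keyboard-interactive/pam for ladmin from 10.20.30.99 port 40010 ssh2
Mar 15 09:13:01 labmac01 SecurityAgent[3310]: User info context values set for ladmin
EOF
        bzip2 "$dir/secure.log.0"
    fi
    echo "$dir"
}

# Dry run on the constructed sample. On the real machine, run as root and
# point report at /var/log instead.
SAMPLE_DIR=$(make_sample_logs)
report "$SAMPLE_DIR"
```

The REMOTE/LOCAL split is what answers Don's "locally or remotely" question: an sshd or screen-sharing line just before the account change points at the network, while a run of authorizationhost/SecurityAgent lines with nothing remote nearby points at the keyboard and the camera timestamps.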


