[MacTUG] a hacked lab mac?

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Tue Mar 22 16:10:39 EDT 2011


Hi Steve

Thanks for the suggestions!

Checking out the secure.log I realized I was getting hammered by invalid attempts to log on to the machine.

There were over 7000 attempts in the secure.log alone since Dec 20 when I rebuilt the machine. (They must have been targeting this before as they started immediately.)

So I thought I would see how many attempts had hit my other machines. FYI, running the following Unix command as root does the trick in ARD:
cat /private/var/log/secure.log | grep "invalid" | wc -l

At any rate, what was interesting was that of my 50 or so machines, only 2 had more than 110 attempts (one had 170 and one had 600), so this machine I am looking at looks like it was really hammered; I would say over 75% of all the attempts on all my Macs have been against this poor baby.

Like I said, it looks like I was able to run ARD on this machine at 11:58 and then by a bit after noon I was locked out. I wonder if it grabbed the password that ARD was sending to it?

I have turned on the firewall (a common complaint of Marko's is that Apple does not turn it on by default, and oops, I forgot to on this rebuild — sorry, Marko, if you are reading this, haha). I did turn it on now; this command in ARD seems to do the trick: sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
Hopefully that will shut these guys up a bit.

So the hunt continues ;-)

don
------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
http://www.environment.uwaterloo.ca/computing/people/don.html
------------
To request help from MAD please use Request Tracker. For info see: http://www.environment.uwaterloo.ca/computing/faculty_staff/
------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and If you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.

From: Steve Hellyer <phasetwo at apple.com>
Date: Tue, 22 Mar 2011 11:25:02 -0400
To: MacTUG <mactug at mailman.uwaterloo.ca>
Subject: Re: [MacTUG] a hacked lab mac?

Hi Don,

You can check various actions which require authorization in the secure.log and the archived secure.log.X.bz2 (where X is a number indicating the archive) using Console.
There is an Install.log too. :-)

Certainly a good starting place for any investigation.

Question… Do you have SSH turned on on the system for remote management? Just wondering.

Steve

On 2011-03-22, at 10:58 AM, Donald Duff-McCracken wrote:

A few further comments, that make this rather interesting, and are leading me to think that the Mac had a brain-fart versus being attacked…

I checked my ARD task history, and the machine in question only started failing on the tasks yesterday. And here is the really weird one. At just before noon yesterday, using ARD I woke up all my machines, and this machine reported back that it succeeded in updating. To me this is a clear indication that the admin password (which is the only way one can remote to the machine) was intact. Two minutes later I told all the machines (via ARD) to do a software update, and this is when the machine in question started failing in being able to do tasks. So within a 2 minute period, ARD was unable to access the machine.

What is really interesting is that when I log on to this machine as root and check its remote management settings, it is set to not allow any access. Usually I tell the Mac to "Allow access for Only these users:" and then have the admin account listed. On the Mac in question, there is no admin account listed in the window. Weird, eh?

And yes, the password for the admin account in question does not work when one logs in using the keyboard.



From: Donald Duff-McCracken <dsmccrac at uwaterloo.ca>
Date: Tue, 22 Mar 2011 13:40:13 +0000
To: MacTUG <mactug at mailman.uwaterloo.ca>
Subject: [MacTUG] a hacked lab mac?

Hi guys,

I am experiencing something that I have never had to deal with before, and that is the possibility that an admin account on one of my lab Macs has been cracked. There is a machine in the lab on which my main admin account has had the password changed or corrupted. The Mac has an Open Firmware password (and one that is different from the admin password), so it is not as simple as someone bringing in an OS X disk and booting from it to reset a password.

I am going to pull the machine for a while and would like to try to figure out what is going on. Can anyone give me some hints as to where to look forensically for any clues?

I doubt I can catch who did this but I would like to at least have a clue how they did this. Likely I will replace this password in my labs (ASAP) anyway, but it would be nice to have an idea whether the password was known before it was reset. It is certainly possible that someone used a low-tech solution (such as spying when someone was typing in the password). So, for example, if I could tell from the logs that the password was reset in the normal manner — where you type the old password and then enter the new one — that would be of interest. If I could determine whether it was happening locally or remotely that would be of use as well.

We do have video cameras in that room, so if I could get a time stamp on things, that may be useful as well.

Lastly, if anyone can think of a way that a password could become corrupted without some evil student being involved, that would be really awesome.

BTW, I can still log on to the machine as an admin, as I enabled Root and that account has not had its password changed. We rarely use the Root account (it is just there as a back door for me for this kind of purpose) so I am guessing that whoever did this did not know it was enabled.

At any rate, any tips or suggestions would be appreciated…
don

_______________________________________________
MacTUG mailing list
MacTUG at lists.uwaterloo.ca
https://lists.uwaterloo.ca/mailman/listinfo/mactug


-------------------------------------------------------
Steve Hellyer
Pre-Sales Systems Engineer
Education Division (Higher Education)
Apple Canada Inc.
7495 Birchmount Rd.
Markham, Ontario, Canada
L3R 5G2

PH: (905)513-5647
Mailto: phasetwo at apple.com

Training Websites
http://training.apple.com/
http://www.witzapplecertifiedtraining.com/

AppleCare Online Support
http://www.apple.com/ca/support/

AppleCare Technical Phone Support
tel:1-800-263-3394  (basic up and running support for individual consumers)

AppleCare Enterprise Level Support
http://www.apple.com/ca/support/products/macosxserver_sw_supt.html

AppleCare Service Locations (Canada)
http://www.apple.com/ca/buy/locator/



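Added example, not from anyone in this thread: a POSIX shell script that does together what Don's one-liner and Steve's pointer to the rotated secure.log.X.bz2 archives describe separately. It tallies failed SSH logins across the live secure.log and its rotations (oldest first) and reports, per source address, the attempt count and the first and last timestamps seen, which is the time window one would take to the room's camera footage or compare with the ARD task history. It assumes OpenSSH-style sshd lines ("Invalid user X from ADDR", "Failed password for ... from ADDR port N ssh2"), and LOGDIR is an assumed override so the script can be pointed at a copy of the logs pulled off the machine. Matching is case-insensitive on purpose: sshd writes "Invalid user" with a capital I, so a case-sensitive grep for "invalid" only sees the "Failed password for invalid user" variant and undercounts. One caveat on the firewall step: com.apple.alf is the per-application firewall, and with Remote Login (sshd) enabled in Sharing it admits that service, so turning it on does not by itself stop these attempts; re-running the count after the change is the way to tell.

```shell
#!/bin/sh
# Added example (not from the thread). Tallies failed SSH logins in
# /private/var/log/secure.log and its rotated copies (secure.log.N.bz2 as
# newsyslog writes them, or uncompressed secure.log.N), oldest first, so
# first/last timestamps are meaningful. LOGDIR is an assumed override
# so the script can run against copied logs or test data.
LOGDIR="${LOGDIR:-/private/var/log}"

# Print every secure.log line, rotated archives first (highest N is oldest),
# then the live log.
dump_secure_logs() {
    for f in $(ls "$LOGDIR"/secure.log.[0-9]* 2>/dev/null \
               | sed 's/.*secure\.log\.\([0-9][0-9]*\).*$/\1 &/' \
               | sort -n -r | cut -d' ' -f2-); do
        case "$f" in
            *.bz2) bzcat "$f" ;;   # bzip2-compressed rotation
            *)     cat "$f" ;;
        esac
    done
    if [ -f "$LOGDIR/secure.log" ]; then
        cat "$LOGDIR/secure.log"
    fi
}

# Total failed/invalid authentication attempts. Case-insensitive because
# sshd logs "Invalid user ..." with a capital I, which grep "invalid" misses.
count_failed_logins() {
    dump_secure_logs | grep -i -c -E 'invalid user|failed password|authentication failure'
}

# One line per source address: address, attempts, first seen, last seen,
# busiest address first. The address is the word after "from" in the
# sshd message; lines without one (e.g. PAM-only entries) are skipped.
failed_logins_by_source() {
    dump_secure_logs \
      | grep -i -E 'invalid user|failed password' \
      | awk '{
            ts = $1 " " $2 " " $3
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if (src == "") next
            n[src]++
            if (!(src in first)) first[src] = ts
            last[src] = ts
        }
        END { for (s in n) printf "%s %d %s %s\n", s, n[s], first[s], last[s] }' \
      | sort -k2 -n -r
}

# Usage on a lab Mac (e.g. via ARD "Send UNIX Command" as root):
#   count_failed_logins
#   failed_logins_by_source
```

Syslog timestamps carry no year, so the first/last values are only as good as the rotation order; run it on the machine's own logs before they rotate again, and read the per-address output next to the ARD task timeline (the 11:58 success followed by the lockout) rather than on its own.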