Sunday, November 25, 2007

"pwned"?!

Ah, how I love humble-pie!

So it's all my fault. The day we get back from our Disneyland trip, I tell my parents and brother to turn on "Remote Login" on their home Macs so I can log in and copy the pictures to their computers over the internet. I love how connectable these machines are! Soon all the pictures are transferred and everyone's happy.

Um, ssh is "secure", so we don't really need to rush turning "remote login" back off -- right???

'Bout a month later my mom calls and says, "Uh, our computer is acting weird -- your dad can't log in until I reset his password, which I do, but then the next day it's broken again."

My heart sinks. That does *not* sound good! Hackers. Or bots.

So once I get there, I start poking through the logs. Guess what I find -- about a billion ssh login attempts for root, admin, and every other username you can imagine. On my brother's computer, the attempts started *less than 2 hours* after he turned on remote logins. Wow.

Upon further investigation, it looks like the hacker installed "energymech". All I could really recognize was a shell script that swaps out the /usr/bin/cron binary with a different one, and some config files authorizing some guys from undernet to do "stuff". I find other miscellaneous junk in /private/var/tmp, but no porn/mp3/spam stashes like I would've expected. What else would bots do? DoS attacks? We reinstalled the OSes in case they mucked with any of the other OS binaries.

Lessons learned:

  1. My mom's machine was hacked, my brother's was not. Why? On my mom's machine all short usernames were the same as the passwords, but on my brother's they were different. It would've taken a *very* long time to match a correct username to a password on his machine. Password-authenticated SSH is only as secure as the weakest password on any account it will accept. Bottom line: Don't make your username and password the same, use a longer password that mixes numbers, letters, and symbols, and if you can, log in with an SSH key instead of a password so there's nothing for a bot to guess.
  2. The machines were found on the network within hours. Hours! There must be a *lot* of bots out there scanning the networks. Even with good passwords, once they find you they'll sit there and pound on your system until they find a match -- maybe for years? That's a lot of junk traffic wasting bandwidth on your network. I'll bet, though, if the ports are closed, they move on. Bottom line: Leave network ports ("Sharing" options) closed unless you need them open.
  3. Even getting bit like this, I'd still rather have a Mac than a PC. I'm pretty sure my sister-in-law's PC is already virused/botted, and with 100k+ spyware packages for Windows, I don't trust a single thing that happens on that machine. Bottom line: The Mac isn't inherently insecure, it was me that was insecure. And you might be the weakest link in your system's security too.

A lesson I won't soon forget.

ps. Note, those with routers between their modems and their computers have to do extra steps to allow remote logins, i.e. instruct the router to pass traffic for the ssh ports on to your particular computer. If you don't know how to do that, there's a good chance this won't affect you.

pps. I wonder why OS X doesn't watch the security logs, and after a dozen or so unsuccessful logins under various names, advise the user that someone (or some machine) may be trying to hack in. I'd much rather click a button that says, "I know, don't tell me again", than find out a month later that a million attempts had been made to get into my machine when I had no idea... A lockout of IP addresses that have met some "hacking" criteria would be nice too. And why aren't the ISPs blacklisting machines that are doing this stuff?
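Here is the kind of log watcher the previous paragraph wishes OS X had, as an added example (not code from the original post, and not an Apple tool): it reads OpenSSH's standard "Failed password" / "Accepted ..." syslog lines, counts failures per source address, reports any address that crossed a lockout threshold, and, the case that bit my mom's machine, flags a successful login that came from an address which had just been pounding on the box. The log lines, hostnames, usernames and IP addresses below are constructed for the example (the IPs are from the reserved documentation ranges), and the threshold of twelve is the "dozen or so" from the paragraph above, not anything sshd itself enforces.

```python
#!/usr/bin/env python3
"""Spot ssh brute-force bursts in an OpenSSH log and report the source IPs
that crossed a lockout threshold, plus any IP that got in after pounding."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# OpenSSH's standard syslog wording for Failed/Accepted logins. The same lines
# show up in OS X's secure.log and in auth.log on Linux; other lines are skipped.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


@dataclass
class SourceStats:
    failed: int = 0
    users_tried: set = field(default_factory=set)   # usernames guessed
    accepted: list = field(default_factory=list)    # users that actually got in


def parse_log(text):
    """Aggregate Failed/Accepted events per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s.failed += 1
            s.users_tried.add(m["user"])
        else:
            s.accepted.append(m["user"])
    return dict(stats)


def brute_force_sources(stats, threshold=12):
    """IPs with at least `threshold` failed logins, worst first (lockout criterion)."""
    hits = [(ip, s.failed) for ip, s in stats.items() if s.failed >= threshold]
    return sorted(hits, key=lambda t: -t[1])


def suspicious_successes(stats, threshold=12):
    """Logins that followed a burst of failures from the same IP: the 'they got in' case."""
    return [(ip, user) for ip, s in stats.items()
            if s.failed >= threshold for user in s.accepted]


# --- Constructed sample log (not from the original post) -------------------
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
_EXISTING_ACCOUNTS = {"root", "bob"}   # sshd says "invalid user" for the rest


def _fail(ts, pid, user, ip, port):
    who = user if user in _EXISTING_ACCOUNTS else f"invalid user {user}"
    return f"Nov 20 {ts} mini sshd[{pid}]: Failed password for {who} from {ip} port {port} ssh2"


_BURST_USERS = ["root", "admin", "test", "oracle", "guest", "mysql", "www",
                "bob", "ftp", "user", "nagios", "postgres", "bob"]   # 13 guesses
SAMPLE_LOG = "\n".join(
    [_fail(f"03:14:{i:02d}", 400 + i, u, "192.0.2.10", 50200 + i)
     for i, u in enumerate(_BURST_USERS)]
    + ["Nov 20 03:14:30 mini sshd[430]: Accepted password for bob from 192.0.2.10 port 50230 ssh2",
       _fail("05:01:10", 500, "root", "203.0.113.5", 33000),
       _fail("05:01:12", 501, "admin", "203.0.113.5", 33001),
       "Nov 20 09:02:11 mini sshd[601]: Accepted publickey for alice from 198.51.100.7 port 41122 ssh2",
       "Nov 20 09:02:12 mini login[602]: unrelated line that the parser ignores"]
)

if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for ip, n in brute_force_sources(stats):
        print(f"{ip}: {n} failed logins across {len(stats[ip].users_tried)} usernames")
    for ip, user in suspicious_successes(stats):
        print(f"WARNING: {ip} logged in as {user!r} right after a brute-force burst")
```

Run it against a real log with `parse_log(open("/var/log/secure.log").read())` (path is the OS X one of that era; use auth.log on Linux). The two-address split in the sample is the point: a couple of failures from 203.0.113.5 is noise, thirteen guesses across a dozen usernames from 192.0.2.10 is a bot, and an "Accepted" from that same address is the alert worth waking someone up for.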
