Here's a tale that should make everyone a little more cautious.

Last evening I was doing some computations on the dual G5 machine in  
my office, when I noticed it was running a little slow. Using the  
terminal, I took a peek at what was using up the CPU and saw a  
strange process called x that was hogging over 50% of the resources.  
Not knowing what it was, I determined that it was coming from an  
account used by my kids, and it was a background process, not  
connected to any terminal or open windows. There were also a large  
number of strange machines connected to the G5. I killed the process  
immediately and searched for a program called x.

After some work--do a search on all programs containing x in their  
names, if you doubt me--I found it in a directory called /var/tmp/ 
darwin. The suspicious directory is accompanied by a file called  
fabyan.tgz that's the compressed tar archive of the darwin directory.  
The /var/tmp/darwin directory contains x and the C source code for x.

After reading through the files in the darwin directory, it didn't  
take long to figure out that x is really a program called EnergyMech  
[1], which turns your machine into a full-featured IRC bot.

So, how did it get there?

I figured it was done from the outside with an SSH connection, so I  
looked at the .bash_history file in the kid's account. Sure enough,  
the whole sordid history of the thing was still there--showing the  
cracker was a real amateur. Apparently she was able to brute-force  
guess the password on the account, because a few weeks ago, without  
my knowledge, it had been changed to something really easy.

Thanks to the bash log that was left behind, I know everything she  
did, and I was able to clean it all up. Since Mac OS X has strong  
account boundaries, all the stuff she did was confined to the kid's  
account. The account now has a difficult password and I don't expect  
any more midnight visits from the IRC fairy.

The moral is this: If you have a Mac sitting on a cable or DSL or  
other always-on connection and you want to keep the IRC fairy away,  
then make sure your passwords can't be easily guessed.


[1] <http://www.energymech.net/>
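The checks described above (a detached process hogging CPU, an executable named x dropped under /var/tmp beside a .tgz copy of its directory) can be scripted so the same triage is repeatable. The script below is an added example and is not part of the original message or of EnergyMech; it assumes `ps -eo user,pid,pcpu,tty,comm` output (macOS prints `??` for a process with no controlling terminal, Linux prints `?`), and the sample ps listing and the directory layout it scans are constructed to mirror the incident.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Assumes the column order
# produced by: ps -eo user,pid,pcpu,tty,comm

# Print "user pid cpu comm" for every process that has no controlling terminal
# ("??" on macOS, "?" on Linux) and is using at least $1 percent CPU.
# Reads ps output, header line included, on stdin.
flag_detached_cpu_hogs() {
    threshold="${1:-50}"
    awk -v thr="$threshold" \
        'NR > 1 && ($4 == "??" || $4 == "?") && ($3 + 0) >= thr { print $1, $2, $3, $5 }'
}

# Constructed sample ps output modelled on the incident: a process named x owned
# by the child account, detached from any tty, eating half the CPU.
SAMPLE_PS='USER       PID %CPU TT       COMM
root         1  0.0 ??       launchd
kid        742 54.3 ??       x
kid        801  0.2 s001     bash
me         955 31.0 ??       Mathematica'

# Under a base directory, list every user-executable file named exactly "x" and
# any .tgz archive sitting next to the directory that contains it (the
# /var/tmp/darwin + fabyan.tgz layout described above). On a live system call
# it with /var/tmp or /tmp.
find_dropper_layout() {
    base="$1"
    find "$base" -type f -name x -perm -100 2>/dev/null | while read -r f; do
        d=$(dirname "$f")
        printf '%s\n' "$f"
        for a in "$(dirname "$d")"/*.tgz; do
            [ -f "$a" ] && printf '%s\n' "$a"
        done
    done
}

# Demo against the constructed sample; replace the first line with
#   ps -eo user,pid,pcpu,tty,comm | flag_detached_cpu_hogs 50
# to run it for real.
printf '%s\n' "$SAMPLE_PS" | flag_detached_cpu_hogs 50
```

Once a hit is found, the account's `.bash_history` (as the author did) and the list of established connections (`netstat -an | grep ESTABLISHED`) tell you how it arrived and who it is talking to; the script only narrows down where to look.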