Lee, quite frankly, I'm envious of all that expertise that enabled you to figure out the problem! If something like that were to happen to me, I wouldn't have had the first clue as to how to troubleshoot it... job security for all the tech support folk out there, I guess. Thanks for the heads up!
Ciao for now!
Cathy GREEN ;-)
Atherton HS French
3000 Dundee Rd
Louisville, KY 40205
502.485.8202 ext 204
fax 502.485.8985
cgreen1 at jefferson.k12.ky.us

> ----------
> From: owner-macgroup at erdos.math.louisville.edu on behalf of Lee Larson
> Reply To: macgroup at erdos.math.louisville.edu
> Sent: Friday, March 31, 2006 1:35 PM
> To: Macgroup
> Subject: MacGroup: Be careful out there! [bcc][faked-from]
>
> Here's a tale that should make everyone a little more cautious.
>
> Last evening I was doing some computations on the dual G5 machine in my office, when I noticed it was running a little slow. Using the terminal, I took a peek at what was using up the CPU and saw a strange process called x that was hogging over 50% of the resources. Not knowing what it was, I determined that it was coming from an account used by my kids, and it was a background process, not connected to any terminal or open windows. There were also a large number of strange machines connected to the G5. I killed the process immediately and searched for a program called x.
>
> After some work--do a search on all programs containing x in their names, if you doubt me--I found it in a directory called /var/tmp/darwin. The suspicious directory is accompanied by a file called fabyan.tgz that's the compressed tar archive of the darwin directory. The /var/tmp/darwin directory contains x and the C source code for x.
>
> After reading through the files in the darwin directory, it didn't take long to figure out that x is really a program called EnergyMech [1], which turns your machine into a full-featured IRC bot.
>
> So, how did it get there?
>
> I figured it was done from the outside with an SSH connection, so I looked at the .bash_history file in the kid's account. Sure enough, the whole sordid history of the thing was still there--showing the cracker was a real amateur. Apparently she was able to brute-force guess the password on the account, because a few weeks ago, without my knowledge, it had been changed to something really easy.
>
> Thanks to the bash log that was left behind, I know everything she did, and I was able to clean it all up. Since Mac OS X has strong account boundaries, all the stuff she did was confined to the kid's account. The account now has a difficult password and I don't expect any more midnight visits from the IRC fairy.
>
> The moral is this: If you have a Mac sitting on a cable or DSL or other always-on connection and you want to keep the IRC fairy away, then make sure your passwords can't be easily guessed.
>
>
> [1] <http://www.energymech.net/>
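A small triage helper in the spirit of the checks Lee describes in the quoted message: list processes that are eating CPU, have no controlling terminal, and run from a temp directory. This is an added example, not part of the original thread; the ps output it parses is a constructed sample, and the column layout assumes `ps -axo user,pid,%cpu,tty,comm`.

```shell
#!/bin/sh
# Constructed sample of `ps -axo user,pid,%cpu,tty,comm` output (not a real capture).
# The "kid" entry mirrors the incident: a high-CPU process with no TTY under /var/tmp.
SAMPLE_PS='USER     PID  %CPU TTY      COMM
root       1   0.0 ??       /sbin/launchd
lee      412   2.3 ttys000  -bash
kid      913  54.7 ??       /var/tmp/darwin/x
kid      920   0.1 ??       /usr/sbin/cfprefsd
lee      977  38.0 ??       /Applications/Mathematica.app/Contents/MacOS/Mathematica'

# flag_procs "<ps output>" <cpu_threshold>
# Prints one line per process at or above the threshold that has no controlling
# terminal (TTY shown as "??"); binaries living under /tmp or /var/tmp get tagged,
# since that is where a casual intruder tends to unpack things.
flag_procs() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        NR == 1 { next }                         # skip the header row
        $4 == "??" && ($3 + 0) >= thr {
            tag = ($5 ~ /^\/(private\/)?(var\/)?tmp\//) ? " [runs from temp dir]" : ""
            printf "%s pid=%s cpu=%s %s%s\n", $1, $2, $3, $5, tag
        }'
}

# Live use on a Mac (threshold 50%, as in the story):
#   flag_procs "$(ps -axo user,pid,%cpu,tty,comm)" 50
flag_procs "$SAMPLE_PS" 50
```

Anything it prints deserves a look at the owning account's shell history and at who is connected (`lsof -i` or `netstat -an`) before the process is killed, so the evidence survives the cleanup.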
