Is this this year's April Fools issue by Lee Larson? Marta
On Mar 31, 2006, at 1:35 PM, Lee Larson wrote: > Here's a tale that should make everyone a little more cautious. > > Last evening I was doing some computations on the dual G5 machine > in my office, when I noticed it was running a little slow. Using > the terminal, I took a peek at what was using up the CPU and saw a > strange process called x that was hogging over 50% of the > resources. Not knowing what it was, I determined that it was coming > from an account used by my kids, and it was a background process, > not connected to any terminal or open windows. There were also a > large number of strange machines connected to the G5. I killed the > process immediately and searched for a program called x. > > After some work--do a search on all programs containing x in their > names, if you doubt me--I found it in a directory called /var/tmp/ > darwin. The suspicious directory is accompanied by a file called > fabyan.tgz that's the compressed tar archive of the darwin > directory. The /var/tmp/darwin directory contains x and the C > source code for x. > > After reading through the files in the darwin directory, it didn't > take long to figure out that x is really a program called > EnergyMech [1], which turns your machine into a full-featured IRC bot. > > So, how did it get there? > > I figured it was done from the outside with an SSH connection, so I > looked at the .bash_history file in the kid's account. Sure enough, > the whole sordid history of the thing was still there--showing the > cracker was a real amateur. Apparently she was able to brute-force > guess the password on the account, because a few weeks ago, without > my knowledge, it had been changed to something really easy. > > Thanks to the bash log that was left behind, I know everything she > did, and I was able to clean it all up. Since Mac OS X has strong > account boundaries, all the stuff she did was confined to the kid's > account. The account now has a difficult password and I don't > expect any more midnight visits from the IRC fairy. > > The moral is this: If you have a Mac sitting on a cable or DSL or > other always-on connection and you want to keep the IRC fairy away, > then make sure your passwords can't be easily guessed. > > > [1] <http://www.energymech.net/> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.math.louisville.edu/pipermail/macgroup/attachments/20060331/01316dd7/attachment.html
