[Intrusions] IRC bot on MacOS
Andrew Daviel
andrew at andrew.triumf.ca
Fri Apr 22 09:12:11 GMT 2005
Found an IRC bot "psybnc" on a MacOS machine. I'm struggling a bit as I
don't know Macs and it got an automatic system upgrade a few days ago
which trashed any logfiles. I suspect it's been running since before my
network log rollover date, keeping a low profile until recently. The
system has a firewall configured with a hole on 22 and 80; since Apple
run sshd with xinetd, the rogue process was able to grab the port when it
wasn't in use.
So far I've disabled the backdoor/bot and blocked the machine on our
router, but I'm not sure what the Mac boot sequence is to figure out how
it's getting restarted, and I don't know the original exploit. Someone
mentioned PHP, but I don't see any exposed PHP pages. There was a weak
password on a user account, but the attackers got root to run the bot. No
attempt to hide as far as I can see.
I could post network logs, but I think it's all boring IRC and
SSH encrypted control stuff. Still looking for file timestamps etc., but
as I say I think it's before the rollover so I'm out of luck unless
there's more than one guy been trying.
Anyone seen anything like this ? Any hints on tracing Mac bootup (I'm
basically a Linux person...) ?
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca