[Intrusions] IRC bot on MacOS

Cody Hatch bytejump at gmail.com
Fri Apr 22 18:32:41 GMT 2005


Have you done any forensics work? You mentioned that you upgraded -
was this IRC bot on your system before the upgrade?

It's easy to say "local root exploit" or "privilege elevation" but
it's a long way to go from a non-root user to root, or does the GUI
admin (basically using sudo) have the ability to install the things
necessary for a rootkit to function? I would think not, but I could be
wrong.

Basically, I'm interested to know what the local root exploit would
be. It would likely be something 0-day if the rootkit was installed after
the upgrade.

Thanks,
Cody

On 4/22/05, Andrew Daviel <andrew at andrew.triumf.ca> wrote:
> 
> Found an IRC bot "psybnc" on a MacOS machine. I'm struggling a bit as I
> don't know Macs and it got an automatic system upgrade a few days ago
> which trashed any logfiles. I suspect it's been running since before my
> network log rollover date, keeping a low profile until recently.  The
> system has a firewall configured with a hole on 22 and 80; since Apple
> run sshd with xinetd, the rogue process was able to grab the port when it
> wasn't in use.
> 
> So far I've disabled the backdoor/bot and blocked the machine on our
> router, but I'm not sure what the Mac boot sequence is to figure out how
> it's getting restarted, and I don't know the original exploit. Someone
> mentioned PHP, but I don't see any exposed PHP pages. There was a weak
> password on a user account, but the attackers got root to run the bot. No
> attempt to hide as far as I can see.
> 
> I could post network logs, but I think it's all boring IRC and
> SSH encrypted control stuff. Still looking for file timestamps etc., but
> as I say I think it's before the rollover so I'm out of luck unless
> there's more than one guy been trying.
> 
> Anyone seen anything like this? Any hints on tracing Mac bootup (I'm
> basically a Linux person...)?
> 
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> security at triumf.ca
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
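As an added example that is not part of either message, a small shell script for the two questions the thread raises: which command actually holds the listener on the ports the firewall leaves open (so a process squatting on 22 while sshd is idle under xinetd stands out), and which Mac OS X start-up locations to read for whatever relaunches the bot. The lsof text is constructed, the start-up paths assume a 10.3/10.4-era layout, and the table of expected daemons per port is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. (1) flag listeners on the firewall's open
# ports whose owning command is not the daemon expected there; (2) list the
# Mac OS X start-up locations (assumed 10.3/10.4 layout) to read for the hook
# that relaunches the bot. The lsof text below is constructed in the column
# layout of `lsof -i -P -n`; it is not output from the affected machine.

INFECTED_LSOF='COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
xinetd    211 root   5u  IPv4  0x01   0t0  TCP *:80 (LISTEN)
psybnc   4411 root   3u  IPv4  0x02   0t0  TCP *:22 (LISTEN)
psybnc   4411 root   4u  IPv4  0x03   0t0  TCP 10.0.0.5:49152->192.0.2.7:6667 (ESTABLISHED)'

CLEAN_LSOF='COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
xinetd    211 root   5u  IPv4  0x01   0t0  TCP *:22 (LISTEN)
httpd     230 root   6u  IPv4  0x04   0t0  TCP *:80 (LISTEN)'

# audit_listeners <lsof text>: print "PORT PID COMMAND" for every LISTEN socket
# on a watched port whose command is not one expected to serve that port
# (expected table is an assumption). Exit 1 if anything was printed, else 0.
audit_listeners() {
  printf '%s\n' "$1" | awk '
    BEGIN { expected["22"] = "sshd xinetd"; expected["80"] = "httpd xinetd" }
    $NF == "(LISTEN)" {
      n = split($(NF-1), addr, ":"); port = addr[n]   # last part of host:port
      if (!(port in expected)) next
      ok = 0; m = split(expected[port], names, " ")
      for (i = 1; i <= m; i++) if (names[i] == $1) ok = 1
      if (!ok) { print port, $2, $1; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }'
}

# list_startup_hooks: print the boot/login persistence locations present on
# this host; the launchd directories only exist from 10.4 onwards.
list_startup_hooks() {
  for p in /etc/rc /etc/rc.common /etc/hostconfig /etc/ttys /etc/crontab \
           /etc/xinetd.d /var/cron/tabs /usr/lib/cron/tabs \
           /System/Library/StartupItems /Library/StartupItems \
           /System/Library/LaunchDaemons /Library/LaunchDaemons \
           /Library/LaunchAgents /Library/Preferences/loginwindow.plist; do
    [ -e "$p" ] && printf '%s\n' "$p"
  done
  return 0
}

if [ "$1" = "--live" ]; then   # sh audit.sh --live: check the real host
  audit_listeners "$(lsof -i -P -n 2>/dev/null)" || echo "unexpected listener(s) above"
  list_startup_hooks
fi
```

Compare each flagged PID against the binary on disk and its timestamps; a listener owned by something other than the service the firewall hole was opened for is the thread's own description of how the bot sat on port 22.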
