wiredfool

Guns in Paradise

Well, it’s happening. Malware on OSX.

A friend found an IRC relay daemon on his laptop running under the Guest user, with no recollection of ever setting such a thing up. Found it via LittleSnitch when it tried to connect out to some irc servers.

I have logs and an image of the account. But I don’t know how the account was created in the first place.

The attack sounds very similar to this message and remotely similar to this message. But with a little more skill.

A while ago, October 22 2005, to be exact a guest account was created. We’re not sure how this happened, nor are we completely sure that it was done maliciously, but it was done. The machine had ssh exposed to the world. It’s possible that the Guest user was created prior to this and their home directory was only pointed at /Users/Guest on 10/22 since I have ‘last’ records of a guest logging in as early as September from China. Most of the logs on this machine have rolled over, so there’s not a lot that I can do to figure out how the account got created.

On the 12th, it looks like someone tried to bruteforce ssh, then this morning psybnc was downloaded from al-ex.ws43.com, unpacked and run from the command line. Ws43.com is a domain name used by a hosting service for free or low cost hosting, so it’s not a terribly good clue. Someone from 193.254.42.69 connected and tried to access undernet’s irc. I do have earlier records of guest logins from that same address from earlier, so I’m thinking that this is more than one attack. That fits with the guest .bash_history, which makes it look like our intruder changed the guest password this morning just before he downloaded the irc tunnel.

So what we have is:

  • An apparently bruteforceable password, on an account that the owner doesn’t remember creating.
  • A sshd service that shouldn’t have been on.
  • 3 logins from a single ip address over the course of 6 months
  • A whois record from ws43.com giving a name that looks strikingly like the connection name on undernet.
  • And lots of links to .ro.

There’s nothing about this attack that’s particularly OSX specific. The details of the early stages aren’t terribly clear due to the passage of time, and fuzzy memories of what may have been turned on or who generated the account.

No comments

No comments yet. Be the first.

Leave a reply

You must be logged in to post a comment.