My OSX box was rooted
One of my OSX boxes was rooted. It was a lab workstation, one of two MDD 1.4GHz Dual G4's that lab members use as personal workstations, and that I use as a webserver and "cluster-in-a-box". We got a call from the local IT security yesterday; they had received a complaint from a chat-server company that one of their servers had been DoS'd the day before from a university computer. The offending IP address turned out to belong to our workstation.
I was rather skeptical, until I went through the Mac's logfiles and found several strange logins going back about three weeks. Then I found a strange process running under that strange login. When I found the strange executable in /private/var/tmp, it was among a pile of strange stuff, which included a UDP-flooding perl script and a game/chat/p2p server, which probably explained the strange executable.
Oops. Bad.
But manageable. Turns out I had made a BIG mistake when I set up the computer two years ago. I had made a "guest/guest" account, and failed to turn off remote login for that account. Dumb dumb dumb. The strange logins were all to that account, and the strange process and files were all owned by it. Some kiddie had obviously blasted every SSH server in sight with "guest/guest" and happened to stumble across one, ours, that let him log in. I apologized profusely to the security guy for being skeptical, and changed the password to the account. I figured I would delete the account and the offending files, and be done with it. Then I came in the next morning, and found that some of the files had apparently deleted themselves.
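The log review described above, as an added example that is not part of the original post: a small Python triage over constructed sshd syslog lines (not real log data from the incident) that flags a burst of failed password attempts from one source, any successful login to an account that is not supposed to accept remote logins (assumed here to be the "guest" account from the story), and the worst case of the two together. The message format follows OpenSSH's "Accepted/Failed password for USER from IP port N" lines; the threshold and the no-remote-login list are assumptions.

```python
"""Triage sshd log lines for the two signals in the incident above:
a credential-guessing burst from one source, and successful logins to an
account that should never be reachable over SSH.  The log lines at the
bottom are constructed for this example."""
import re
from collections import Counter, defaultdict

# Local accounts that must never accept a remote login (assumption).
NO_REMOTE_LOGIN = {"guest"}
# Failed attempts from one source before we call it a guessing burst (assumption).
FAILED_THRESHOLD = 5

# Matches OpenSSH password-auth outcome lines, with or without "invalid user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return (result, user, ip) for an sshd auth line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), m.group("ip")


def triage(lines):
    """Return a list of (finding, subject, detail) tuples for the given log lines."""
    failed_by_ip = Counter()
    accepted = defaultdict(list)  # user -> list of source IPs that got in
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        result, user, ip = parsed
        if result == "Failed":
            failed_by_ip[ip] += 1
        else:
            accepted[user].append(ip)

    findings = []
    for ip, n in failed_by_ip.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("guessing_burst", ip, n))
    for user, ips in accepted.items():
        if user in NO_REMOTE_LOGIN:
            findings.append(("forbidden_remote_login", user, len(ips)))
        # A successful login from a source that was just guessing passwords:
        # the guess worked, which is exactly what happened with guest/guest.
        for ip in sorted(set(ips)):
            if failed_by_ip[ip] >= FAILED_THRESHOLD:
                findings.append(("login_after_burst", user, ip))
    return findings


# Constructed sample log: one legitimate login, then a guessing run from a
# TEST-NET address that ends with a successful login to the guest account.
SAMPLE_LOG = [
    "Nov  3 01:58:11 mdd sshd[811]: Accepted password for alice from 192.0.2.10 port 50111 ssh2",
    "Nov  3 02:14:01 mdd sshd[1234]: Failed password for invalid user root from 203.0.113.7 port 40212 ssh2",
    "Nov  3 02:14:03 mdd sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 40213 ssh2",
    "Nov  3 02:14:05 mdd sshd[1236]: Failed password for invalid user test from 203.0.113.7 port 40214 ssh2",
    "Nov  3 02:14:07 mdd sshd[1237]: Failed password for guest from 203.0.113.7 port 40215 ssh2",
    "Nov  3 02:14:09 mdd sshd[1238]: Failed password for guest from 203.0.113.7 port 40216 ssh2",
    "Nov  3 02:14:11 mdd sshd[1239]: Accepted password for guest from 203.0.113.7 port 40218 ssh2",
    "Nov  3 02:14:12 mdd sshd[1239]: pam_unix(sshd:session): session opened for user guest",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports the burst from 203.0.113.7, the forbidden login to guest, and the login-after-burst pairing; on a real system the same logic would be run over /var/log/secure.log or the output of `last`, and the threshold would be tuned to the host's normal traffic.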
Oops. Worse.
Either the kiddie had left a "dead-man" script, or our box was rooted six ways to Sunday. Wasn't the UNIX-y nature of OSX supposed to keep users in a sandbox? How hard is it for a regular user to root the system? I did some googling, and it turns out that, for Jaguar (which my box was running), it's almost trivially easy. Every user, even non-admins, can view the shortnames and password hashes for every account on the system, using "nidump". Once you have the admin hash, it's just a matter of downloading a hash-cracking program and going at it. I downloaded what seemed like the most popular one, and cracked my admin password hash in 2 minutes and 44 seconds. Less than three minutes from user to root, hardly breaking a sweat.
Oh shit.
So the IT security guys have taken the drive out to do forensics. They actually seemed tickled to have an excuse to learn about OSX. One of them even borrowed my copy of "OSX Unleashed". One of the bright spots of the whole thing was having the chance to watch real hard-core UNIX geeks at work. Damn was that cool. Lesson one is that UNIX geeks rock.
Lesson two, which should have been obvious, is NEVER NEVER NEVER use a trivial password for any user account. Lesson three is UPGRADE TO PANTHER. Panther plugs this gaping security hole by shadowing password hashes. Only sudo/root can see the bare hashes, and if you're already sudo/root, who cares?
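Lesson two in code, as an added example that is not from the original post: a password-acceptance check of the kind an administrator could run before creating an account. It rejects the "guest/guest"-style cases from the story (password equal to, derived from, or the reverse of the username), anything on a short common-password list (the entries below are taken from the post and the comment thread's most-used list), a common word with trivial digit or punctuation padding, and anything too short. The minimum length and the policy itself are assumptions for this example, not an OS X setting.

```python
"""Reject the trivial passwords the post and its comments warn about.
The policy here is an assumption for this example, not an OS X feature."""

# Entries named in the post (guest, admin, god, apple, root) plus a handful
# from the comment thread's most-used list.  A real deployment would load a
# much larger list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "12345", "1234", "qwerty",
    "letmein", "abc123", "trustno1", "111111", "master", "dragon",
    "guest", "admin", "god", "apple", "root", "123",
}
MIN_LENGTH = 10  # assumption
PADDING = "0123456789!@#$%^&*._-"


def check_password(username, password):
    """Return the list of reasons the password is unacceptable; empty means OK."""
    reasons = []
    lowered = password.lower()
    user = username.lower()

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    # guest/guest, guest1, or a fragment of the username
    if user and lowered and (user in lowered or lowered in user):
        reasons.append("derived from the username")
    if user and lowered == user[::-1]:
        reasons.append("is the username reversed")
    # "password1!" is still "password": strip digit/punctuation padding and re-check
    stripped = lowered.strip(PADDING)
    if stripped != lowered and stripped in COMMON_PASSWORDS:
        reasons.append("common password with trivial padding")
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def is_acceptable(username, password):
    """Convenience wrapper: True only when no policy rule fires."""
    return not check_password(username, password)


if __name__ == "__main__":
    # Constructed sample candidates
    for user, pw in [("guest", "guest"), ("admin", "Admin1234!"),
                     ("alice", "correct-horse-battery-9")]:
        print(user, repr(pw), check_password(user, pw) or "OK")
```

The username-derivation rule is deliberately strict in both directions: it catches "guest1" as well as "gue", since both are the first things a guessing script tries after the bare account name.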
I hope someone can learn something from my humbling experience. All the goodness of OSX can't save a computer from the stupidity of its administrator, and even OSX has its warts.
Comments
It seems that the moral of the story is the value of shadowed passwords! Thank god this is already fixed.
And never forget about social engineering schemes. If I randomly showed up in your department with a badge or called the right person, I'm sure they'd tell me their password. Look confident and on-the-ball and people will believe/ignore you everywhere! This way you can get access and no hacking was needed!
Obviously, passwords like root/123, root/root, guest/guest, dave/dave etc are never to be used.
Admin/admin is followed closely by admin/god and admin/apple in many Macs.
Some via social engineering, some by tradition and some from prior lists.
Fark reports 40% of Americans use '1234' as their ATM pin.
Included in the Fark page (grain of salt) are additional lists of 'most popular passwords'.
The most used passwords (taken from a list of 396,000 users) are:
password
123456
12345678
12345
1234
qwerty
POKEMON
123456789
hello
123
dragon
49ers
cool
computer
master
justin
angel
vegeta
monkey
whatever
LOVE
pikachu
soccer
asdf
eminem
trustno1
111111
letmein
internet
daniel
abc123
princess
cheese
It wouldn't surprise me if Mac geeks also use the machine codename, Steve, Jobs, or Woz as a PW.
Thinking differently, you know.
Oh, the irony.