
Thread: Possible Mac exploit/issue?

  1. #1
    Va Va Voom Lowe's Avatar
    Join Date
    Jul 2003
    Location
    Newcastle Under Lyme
    Posts
    6,748
    Thanks
    323
    Thanked
    359 times in 267 posts
    • Lowe's system
      • Motherboard:
      • Gigabyte Z97MX Gaming 5
      • CPU:
      • Intel i5 4690K
      • Memory:
      • 16GB Crucial Ballistix Tactical
      • Storage:
      • Crucial M550 256GB and 1TB spindle drive
      • Graphics card(s):
      • Palit Geforce GTX1080 Jetstream
      • PSU:
      • EVGA 600w
      • Case:
      • Coolermaster Silencio 352 m-ATX
      • Operating System:
      • Win 7/Mac OSX
      • Monitor(s):
      • 27" 1080p AOC, Oculus Rift CV1
      • Internet:
      • 200mb Virgin VIVID

    Possible Mac exploit/issue?

    Hi all,

    As you probably all know I run a network of macs of varying specs - but they all run Tiger, and they all have two accounts - one as an admin (my account) and a general user account (students). Now over the last couple of months, I've noticed a few of them exhibit a very odd behaviour. When trying to log in as the user, it refuses to accept the password, even if you're 100% sure that you're typing it in correctly. After a few attempts it will flash up the hint - even then, it won't let you log in. The only way I've found to sort this is to log in as admin, reset the user password and then all is hunky dory. I posted this up on the Apple forums, and no-one really had any ideas as to what might be causing this, so I turned a blind eye to it.

    Anyhoo, over the weekend my network manager paid me a visit. 5 of my machines had been behaving a little oddly on the network - and between them in 24 hours had uploaded 5 gig of data to an IP address in Romania on a couple of occasions. Now unfortunately I've been unable to trace exactly what was sent, and by what program. Nothing has been installed on the machines (user accounts don't have admin rights, nor do the logs show anything up), so I'm at a loss as to what this could be. The network manager has requested that the suite is removed from the network until I can find out what is wrong, so I'm stuck. I've tried ClamXAV and that's come back clean, so if there is a malicious bit of code floating about, no-one knows about it - yet...

    Any thoughts/help graciously received.

  2. #2
    Asking silly questions menthel's Avatar
    Join Date
    Apr 2004
    Location
    Rainey Park...
    Posts
    5,077
    Thanks
    258
    Thanked
    97 times in 78 posts

    Re: Possible Mac exploit/issue?

    Is it anything to do with the trojan that has been released out into the open?

    Slashdot | Fake Codec is Mac OS X Trojan
    Not around too often!

  3. #3
    Va Va Voom Lowe's Avatar

    Re: Possible Mac exploit/issue?

    Nah, nothing to do with that, since you'd need to install something on the machines - and that ain't happening without my password, which is secure...

    Also ClamXAV would find it on running a scan.

  4. #4
    Asking silly questions menthel's Avatar

    Re: Possible Mac exploit/issue?

    Not a clue then! Sounds very suspicious with such a large upload to Romania...

  5. #5
    radix lecti dave87's Avatar
    Join Date
    Sep 2005
    Location
    England
    Posts
    12,806
    Thanks
    657
    Thanked
    931 times in 634 posts
    • dave87's system
      • Motherboard:
      • Asus
      • CPU:
      • i5 3470k under Corsair H80 WC
      • Memory:
      • 8gb DDR3
      • Storage:
      • 240gb SSD + 120gb SSD
      • Graphics card(s):
      • Asus HD7950
      • PSU:
      • XFX 600w Modular
      • Case:
      • Lian Li PC-A05FNB + Acoustipack
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • 2x Dell S2309W (1920x1080)
      • Internet:
      • BT Infinity Option 2

    Re: Possible Mac exploit/issue?

    Have you got an image of the hard disk for restore purposes? I'd say try restoring them and see if they exhibit the same behaviour?

    (Not perfect, and won't tell you what is causing it, but should hopefully fix the issue)

  6. #6
    Senior Member charleski's Avatar
    Join Date
    Jul 2006
    Posts
    1,586
    Thanks
    7
    Thanked
    52 times in 45 posts

    Re: Possible Mac exploit/issue?

    That trojan requires admin credentials to install.

    I'd advise you to take a look at the security logs (open Console and take a look through secure.log under the /var/logs heading) to make sure that someone hasn't compromised your admin password. The behaviour you mention with the password sounds fishy.

    Otherwise, what port was being used to send the data from your macs? An ordinary user could easily send out a massive amount of data simply by using a web browser if they wanted to.

    I'm a firm believer in using Little Snitch to control any outgoing traffic, you might want to look into that. Again, that wouldn't block voluntary uploads using a browser.

    Personally, I'd format and re-install everything to be on the safe side.

  7. #7
    Gordy Gordy's Avatar
    Join Date
    Jul 2003
    Location
    Bristol
    Posts
    3,805
    Thanks
    63
    Thanked
    72 times in 50 posts

    Re: Possible Mac exploit/issue?

    I would install little snitch on the machines and see what's going out of the system.

    I've not heard of any exploit at present, and anything discovered would be big news. I would suspect something else is causing this, but it's impossible to say.

    I would also make sure nothing is installed on the server side on each of them, say an unpatched PHP setup or similar.

    Certainly sounds odd, Lowe.

  8. #8
    Va Va Voom Lowe's Avatar

    Re: Possible Mac exploit/issue?

    I very much doubt it's a user uploading stuff since the machines are only doing this in 'unusual' hours. I'm talking near enough midnight on weekends. The really odd part is I'm talking about a secured building here, at least 4 locked internal doors to get through before you're anywhere near the machines assuming you could get into the building.

    There's nothing in the logs whatsoever that looks fishy. Unfortunately I didn't have the firewall logging stuff, nor do I have a generic image that I can chuck back on. Even worse the network manager is pretty unhappy to allow the machines back onto the network until the issue is identified - which is annoying since I can't work out what's happening until it happens again!

    Still, a heads up to everyone nonetheless, and if it is news - you heard it here first.

  9. #9
    Senior Member charleski's Avatar

    Re: Possible Mac exploit/issue?

    At a minimum, ask your network manager to give you the logs of the offending transfers. The pattern of transfers can help a lot (ports used, was it just one IP or different ones, were the transfers in large chunks or scattered, etc etc). If he doesn't have decent logs you can do some eyebrow-twiddling.
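    The kind of transfer-pattern review charleski describes above, as an added example that is not part of this thread and not code from anyone posting in it. It groups outbound flow records by destination IP and port, totals the bytes, counts how many of the flows fell outside working hours, and flags destinations that received a large volume purely in off-hours traffic. The flow records, the hostnames, the IP addresses and the thresholds are all constructed here for illustration; the record format is an assumption (timestamp, source host, destination IP, destination port, bytes out), not the format of any particular firewall.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records for this example (not real data from the thread):
# ISO timestamp, source host, destination IP, destination port, bytes sent out.
SAMPLE_FLOWS = """\
2007-11-03T23:41:12 mac-03 203.0.113.44 22 1879048192
2007-11-03T23:55:40 mac-07 203.0.113.44 22 1342177280
2007-11-04T00:12:05 mac-03 203.0.113.44 22 2147483648
2007-11-05T10:15:00 mac-01 198.51.100.7 443 5242880
2007-11-05T10:16:30 mac-02 198.51.100.7 443 4194304
"""

OFF_HOURS_START = 22          # assumed: nobody should be in the suite after 22:00
OFF_HOURS_END = 6             # ... or before 06:00
UPLOAD_THRESHOLD = 1 << 30    # assumed: more than 1 GiB out to one destination is worth a look


def parse_flows(text):
    """Turn the whitespace-separated records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "when": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_off_hours(when):
    """Weekend, or a weeknight between OFF_HOURS_START and OFF_HOURS_END."""
    return (when.weekday() >= 5
            or when.hour >= OFF_HOURS_START
            or when.hour < OFF_HOURS_END)


def summarise(flows):
    """Group by (destination IP, port): how many flows, how many bytes,
    which of our hosts were involved, and how many flows were off-hours.
    This answers the 'one IP or several, large chunks or scattered' question."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0,
                                   "hosts": set(), "off_hours": 0})
    for f in flows:
        s = summary[(f["dst"], f["port"])]
        s["flows"] += 1
        s["bytes"] += f["bytes"]
        s["hosts"].add(f["src"])
        if is_off_hours(f["when"]):
            s["off_hours"] += 1
    return dict(summary)


def suspicious(summary):
    """Destinations that received more than UPLOAD_THRESHOLD bytes and
    where every flow happened outside working hours."""
    return sorted(key for key, s in summary.items()
                  if s["bytes"] >= UPLOAD_THRESHOLD and s["off_hours"] == s["flows"])


if __name__ == "__main__":
    report = summarise(parse_flows(SAMPLE_FLOWS))
    for (dst, port), s in sorted(report.items()):
        print(f"{dst}:{port}  flows={s['flows']}  bytes={s['bytes']}  "
              f"hosts={sorted(s['hosts'])}  off_hours={s['off_hours']}")
    print("suspicious:", suspicious(report))
```

    The same grouping works on whatever export the network manager can produce, as long as each record carries a timestamp, a source, a destination and a byte count; the point is to see whether the uploads come from several machines to one place, at hours when nobody is in the building.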

  10. #10
    Va Va Voom Lowe's Avatar

    Re: Possible Mac exploit/issue?

    Found the problem in the security logs - looks like we've been suffering brute force attacks since the start of October, and eventually they got in.

    Looks like no code has been uploaded (nothing obvious anyway) so a beefing up of the passwords and account names is needed I think!
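    The check charleski suggested in post #6 (read through secure.log for signs the accounts were being guessed) and what Lowe found in post #10 (weeks of failed attempts, then a success), as an added example that is not part of this thread and not code from anyone posting in it. The sample lines are constructed for the example and modelled on the syslog-style messages OpenSSH's sshd writes for password logins; the hostnames, usernames, IP addresses and the failure threshold are all assumptions made here. The parser counts failed password attempts per source address and reports any source that eventually logged in after crossing the threshold, which is the brute-force-then-success pattern worth spotting before the uploads start.

```python
import re
from collections import defaultdict

# Constructed sample lines for this example, modelled on OpenSSH sshd syslog
# messages. Not real log data from the thread; hosts, users and IPs are made up.
SAMPLE_SECURE_LOG = """\
Oct  2 01:13:02 mac-03 sshd[412]: Failed password for invalid user admin from 203.0.113.44 port 51000 ssh2
Oct  2 01:13:05 mac-03 sshd[412]: Failed password for invalid user test from 203.0.113.44 port 51001 ssh2
Oct  2 01:13:09 mac-03 sshd[413]: Failed password for students from 203.0.113.44 port 51002 ssh2
Oct  2 01:13:14 mac-03 sshd[414]: Failed password for students from 203.0.113.44 port 51003 ssh2
Oct  2 01:13:20 mac-03 sshd[415]: Failed password for students from 203.0.113.44 port 51004 ssh2
Oct  2 01:13:27 mac-03 sshd[416]: Accepted password for students from 203.0.113.44 port 51005 ssh2
Oct  2 09:02:11 mac-03 sshd[520]: Accepted password for lowe from 192.0.2.10 port 49152 ssh2
Oct  2 09:05:40 mac-03 sshd[521]: Failed password for lowe from 192.0.2.10 port 49153 ssh2
"""

# One regex for both outcomes; "invalid user " appears only when the name
# does not exist on the box, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

FAILURE_THRESHOLD = 5   # assumed: five misses from one address before we care


def parse_secure_log(text):
    """Return a list of login events (dicts) in file order; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """How many failed password attempts each source address produced."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ip"]] += 1
    return dict(counts)


def successes_after_failures(events, threshold=FAILURE_THRESHOLD):
    """(ip, user, prior_failures) for each accepted login from a source that
    had already failed at least `threshold` times earlier in the log.
    A normal typo by a real user never reaches the threshold."""
    running = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            running[e["ip"]] += 1
        elif running[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"], running[e["ip"]]))
    return hits


if __name__ == "__main__":
    events = parse_secure_log(SAMPLE_SECURE_LOG)
    print("failed attempts per source:", failures_by_source(events))
    for ip, user, n in successes_after_failures(events):
        print(f"{ip} got into '{user}' after {n} failures")
```

    Run against the real file, the interesting output is the second one: a source that was wrong many times and then right once. The per-source counts on their own also show when the guessing started, which is what let Lowe date the attack to the start of October.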

  11. #11
    Gordy Gordy's Avatar

    Re: Possible Mac exploit/issue?

    I would look to beefing up the firewall situation as well. Certainly, blocking the IP address to slow them down would be a start.

    I would do a reinstall on the machines as well, just to be sure nothing that got uploaded is still on the machines. I take it they were fully patched Tiger machines?

  12. #12
    Va Va Voom Lowe's Avatar

    Re: Possible Mac exploit/issue?

    Yeah, fully patched Tiger machines. No unusual code/files are present and they only logged into the student accounts - they couldn't have installed anything without an admin account, and luckily they didn't get that. They must have cleared up after themselves to be careful not to alert us, clever whatsits.

    Still all's well that ends well - just put some new measures in place.

  13. #13
    Gordy Gordy's Avatar

    Re: Possible Mac exploit/issue?

    Good that it was caught before anything too damaging was done.

  14. #14
    Agent of the System ikonia's Avatar
    Join Date
    May 2004
    Location
    South West UK (Bath)
    Posts
    3,736
    Thanks
    39
    Thanked
    75 times in 56 posts

    Re: Possible Mac exploit/issue?

    Do you have a Romanian user in your class?

    seriously.....
    It is Inevitable.....


  15. #15
    Va Va Voom Lowe's Avatar

    Re: Possible Mac exploit/issue?

    Not as far as I'm aware - and it's obvious from the logs that it was random attempts to get in. Funny how they knew the IPs, but still... A student would have known how to log in with ease.
