Hacked
I had fun picking apart a break-in last week. This happened at the beginning of March using the imaginative user/pass combination of scanner/scanner against the sshd port on a 10.4 PPC Xserve.
Access to the machine was first gained on March 3. On March 21 a directory called .kde was created in /var/spool/samba; it contained a command-and-control application that connected to a series of IRC servers so the hacker could control the machine and use it to send out spam. A crontab for the user scanner was set up:
* * * * * /var/spool/samba/.kde/update >/dev/null 2>&1
This ran the update script, which in turn ran the run script, which then ran the executable -bash (note the leading hyphen) found in /var/spool/samba/.kde/.
Just killing the process did nothing because the crontab kept kicking it back off again.
The leading hyphen made it quite difficult to search for this from the command line, as the tools kept treating -bash as a set of switches rather than as a filename. This is a PPC executable, which surprised me as I thought it would be a shell script.
Via the command-and-control interface a program was created in /var/spool/samba/send which sent out virus-laden email messages.
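Two small defender-side checks for what is described above, added here as an example and not code from the original post: a scan of crontab text for jobs that run something out of a hidden (dot-named) directory, which is the persistence pattern used here, and a demonstration of how to list and remove a file whose name starts with a hyphen without the tools reading it as options. The crontab below is constructed for the example; only the .kde line mirrors the one in the post, and the "-bash" file created is an empty scratch file, not the attacker's binary.

```sh
#!/bin/sh
# Added example (not code from the original post). Two defender-side checks for
# the persistence described above: (1) scan crontab text for jobs that run
# something out of a hidden, dot-named directory, (2) handle a file whose name
# starts with "-" so that rm/ls stop reading it as options.

# Constructed sample crontab; only the .kde line mirrors the one in the post.
SAMPLE_CRONTAB='# constructed sample crontab for the example
MAILTO=""
0 3 * * * /usr/sbin/periodic daily
* * * * * /var/spool/samba/.kde/update >/dev/null 2>&1
*/5 * * * * /tmp/.x/run
30 1 * * 0 ./backup.sh'

# Read crontab text on stdin and print the entries whose command path contains a
# hidden component ("/.kde/", "/.x/", ...). Comments, blank lines and VAR=value
# settings are skipped; "./" and "../" are not treated as hidden.
flag_hidden_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' | grep -E '/\.[^./]'
}

# Number of flagged entries, so the result can be checked rather than eyeballed.
count_hidden_cron_entries() {        # $1 = crontab text
    printf '%s\n' "$1" | flag_hidden_cron_entries | wc -l | tr -d '[:space:]'
}

# Create a file literally named "-bash" in a scratch directory (a harmless empty
# file, not the attacker's binary), then list and remove it. "--" ends option
# parsing so the next word is an operand; prefixing "./" works the same way.
# The same trick applies when looking for a running process by such a name:
#   ps ax | grep -- '-bash'     or     pgrep -f -- '-bash'
demo_hyphen_filename() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        : > ./-bash &&                 # "./-bash": name no longer starts with "-"
        ls -l -- -bash >/dev/null &&   # "-- -bash": ls treats it as a filename
        rm -- -bash &&
        [ ! -e ./-bash ]
    )
    status=$?
    rm -rf -- "$dir"
    return $status
}

# Stand-alone run: show the flagged crontab lines and confirm the hyphen demo works.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_hidden_cron_entries
if demo_hyphen_filename; then
    echo "removed a file named -bash using -- and ./"
fi
```

On the real machine the first function would be fed the output of `crontab -l -u scanner` (and the system crontab) rather than the constructed sample; two of the sample entries are flagged, the periodic job and the relative-path backup script are not.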
I recommend making sure that port 22 is accessible to sshd from the internet. Further information can be found here…
http://www.macosxhints.com/article.php?story=20050707140439980
It is worth restricting the users able to access sshd via either the AllowUsers directive in /etc/sshd_config or via the restricted services section of Server Admin. Above all please make sure that the root user is not enabled for sshd access and that any users that are set up have c0mpl1c4t£d p4$$w0rds. I prefer using usernames like adm1n or adm1nist4t0r rather than plain old admin. Public/private keys should be set up. The almighty Bombich has a brilliant write-up as part of his rsync tutorial.
http://www.bombich.com/mactips/rsync.html
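The sshd settings recommended above can be checked mechanically. The following is an added example, not code from the original post: it reads sshd_config text and prints one finding for each weak point (root login not disabled, no AllowUsers restriction, password logins still accepted). Both configuration samples are constructed; the adm1n account name and the /etc/sshd_config path come from the post. PermitRootLogin, AllowUsers, PasswordAuthentication and ChallengeResponseAuthentication are standard OpenSSH directives; the check on ChallengeResponseAuthentication is included because, with UsePAM on, keyboard-interactive authentication will still prompt for a password even when PasswordAuthentication is off.

```sh
#!/bin/sh
# Added example (not code from the original post): audit sshd_config text for the
# settings recommended in the post. Reads the config on stdin and prints one
# finding per line; no output means every check passed.

# Constructed: a permissive configuration. A commented-out directive means the
# compiled-in default applies, which for PermitRootLogin on sshd of that era was yes.
WEAK_CONF='Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes'

# Constructed: the same file with the advice applied. Keys are used for login, so
# password prompting is switched off in both forms it can take. "adm1n" is the
# account name suggested in the post.
HARDENED_CONF='Protocol 2
PermitRootLogin no
AllowUsers adm1n
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# Does the effective config (comments and blank lines removed) contain
# "Directive value"? Matching is case-insensitive like sshd's own parsing.
has_setting() {                      # $1 = config text, $2 = directive, $3 = value
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' |
        grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$"
}

# Print a finding for each weak point. Exit status is always 0; count the lines.
audit_sshd_config() {
    conf=$(cat)
    has_setting "$conf" PermitRootLogin no ||
        echo "PermitRootLogin is not 'no': root login over ssh should be disabled"
    printf '%s\n' "$conf" | grep -Ev '^[[:space:]]*#' |
        grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' ||
        echo "no AllowUsers directive: every local account may attempt to log in"
    has_setting "$conf" PasswordAuthentication no ||
        echo "PasswordAuthentication is not 'no': password guessing is still possible"
    # With UsePAM, keyboard-interactive auth also prompts for a password unless this is off.
    has_setting "$conf" ChallengeResponseAuthentication no ||
        echo "ChallengeResponseAuthentication is not 'no': passwords still accepted via keyboard-interactive"
    return 0
}

count_findings() {                   # $1 = config text
    printf '%s\n' "$1" | audit_sshd_config | wc -l | tr -d '[:space:]'
}

# Stand-alone run over both constructed samples.
echo "weak config:";     printf '%s\n' "$WEAK_CONF" | audit_sshd_config
echo "hardened config:"; printf '%s\n' "$HARDENED_CONF" | audit_sshd_config
```

Against a live host, replace the constructed sample with `audit_sshd_config < /etc/sshd_config`; the weak sample produces four findings and the hardened one none.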
I believe everything on the server is now cleared up.
Chris