Locks are changed. Now: is anything missing?
November 17, 2011 9:24 AM Subscribe
So despite being fairly knowledgeable about these sorts of things, I put on my own little "worst practices in computer security" seminar with my Mac Mini HTPC. And, surprise of surprises, it was compromised. Help me figure out if I've reversed the damage, won't you?
This is embarrassing, but here's the sequence of events whereby my Mac Mini (running Lion) got less and less secure, and eventually compromised:
Initially set up a standard (non-admin) account to watch movies/TV from, with a weak password. (Even more embarrassing: same as the short name for the account.) Also set up admin accounts for me and my wife, and enabled root access (all strong passwords).
For some reason (and I really do feel like it was a good one at the time, but can't remember) I gave the Media Center admin access. Naturally (sigh) I didn't change the password.
Yesterday I realized I couldn't log in to the Media account via VNC (which I only do on occasion and almost exclusively into that account). This morning I plugged in a keyboard and tried to authenticate... and the password was wrong. Wife didn't change it. Also noticed moderate outgoing traffic that I couldn't account for, as well as less free disk space than I remembered. I logged in as root (no, not over VNC) and reset the password to be stronger. Also took away admin access.
So the question is: is there a good way to make sure I'm now protected? Is there a good way to identify and clear out any changes (other than the password change) that might have been made by nefarious parties? I'm planning to run WhatSize to see if I can find ~20 GB or so of crap that I can't mentally account for. I don't have Time Machine running on this computer (use manual rsyncs to an external HD instead).
Bonus question: Is there an easy way to secure my VNC access? I use it Mac-to-Mac as well as from my iPhone with iTeleport.
This is embarrassing, but here's the sequence of events whereby my Mac Mini (running Lion) got less and less secure, and eventually compromised:
Initially set up a standard (non-admin) account to watch movies/TV from, with a weak password. (Even more embarrassing: same as the short name for the account.) Also set up admin accounts for me and my wife, and enabled root access (all strong passwords).
For some reason (and I really do feel like it was a good one at the time, but can't remember) I gave the Media Center admin access. Naturally (sigh) I didn't change the password.
Yesterday I realized I couldn't log in to the Media account via VNC (which I only do on occasion and almost exclusively into that account). This morning I plugged in a keyboard and tried to authenticate... and the password was wrong. Wife didn't change it. Also noticed moderate outgoing traffic that I couldn't account for, as well as less free disk space than I remembered. I logged in as root (no, not over VNC) and reset the password to be stronger. Also took away admin access.
So the question is: is there a good way to make sure I'm now protected? Is there a good way to identify and clear out any changes (other than the password change) that might have been made by nefarious parties? I'm planning to run WhatSize to see if I can find ~20 GB or so of crap that I can't mentally account for. I don't have Time Machine running on this computer (use manual rsyncs to an external HD instead).
Bonus question: Is there an easy way to secure my VNC access? I use it Mac-to-Mac as well as from my iPhone with iTeleport.
Response by poster: Not opposed to doing that (at least in principle), especially since all my media and photos are already backed up, but it would be a giant PITA.
What sort of things would that eliminate that I couldn't do otherwise with a little detective work? I mean, it's a Unix-based system that appears to be running fine at the moment. (Naïve, I know...)
posted by supercres at 9:40 AM on November 17, 2011
What sort of things would that eliminate that I couldn't do otherwise with a little detective work? I mean, it's a Unix-based system that appears to be running fine at the moment. (Naïve, I know...)
posted by supercres at 9:40 AM on November 17, 2011
Best answer: I really hate to say it, but once you're compromised, you're compromised. If you don't do this stuff all the time, chances are you just don't have the forensic tools/know-how to be as good at fixing this as a script kiddie is at breaking in, and even if you're mostly sure it's fixed... well. You won't actually be certain, will you?
It's time for the big red Reinstall button, and there's no real way around it (well, not without paying more than you want for a Unix-savvy security expert.)
As for securing VNC, SSH tunneling does the trick nicely. I don't know if iTeleport plays nicely with that, but it certainly ought to; naked VNC is very insecure and real-world usage almost always tunnels through SSH, or is used in environments with a closed secure network (physical or VPN).
posted by Tomorrowful at 9:52 AM on November 17, 2011 [1 favorite]
It's time for the big red Reinstall button, and there's no real way around it (well, not without paying more than you want for a Unix-savvy security expert.)
As for securing VNC, SSH tunneling does the trick nicely. I don't know if iTeleport plays nicely with that, but it certainly ought to; naked VNC is very insecure and real-world usage almost always tunnels through SSH, or is used in environments with a closed secure network (physical or VPN).
posted by Tomorrowful at 9:52 AM on November 17, 2011 [1 favorite]
Agreed, nuke from orbit. If the attacker installed a root kit then you cannot trust anything on the system.
This stuff is not fun, re-install, and spend the hours that you would have spent on this on something that you enjoy doing.
posted by bdc34 at 9:58 AM on November 17, 2011
This stuff is not fun, re-install, and spend the hours that you would have spent on this on something that you enjoy doing.
posted by bdc34 at 9:58 AM on November 17, 2011
Response by poster: Okay. Nuke it is. Creating the recovery/reinstall drive now.
My external drive has been connected this whole time. Contains about a TB of media and photo library backups. I'm still ok transferring those back to my machine once it's clean, right? (I figure this is the case, but since I was wrong about everything else, might as well check.)
posted by supercres at 10:08 AM on November 17, 2011
My external drive has been connected this whole time. Contains about a TB of media and photo library backups. I'm still ok transferring those back to my machine once it's clean, right? (I figure this is the case, but since I was wrong about everything else, might as well check.)
posted by supercres at 10:08 AM on November 17, 2011
Best answer: This is also compounded with OSX still being fresh territory for post-compromise forensic analysis. You won't find nearly as many tools and sources of information that you would find for Windows. Yes it is a *nix system built originally on top of netBSD so you have those resources available. But OSX has evolved enough that it can present a plethora of new and rarely documented areas where a compromise or back door can occur.
If you're still interested in cleaning out or crippling the existing compromise, you'll want to do several things:
- Get reports on files that were created or modified during the time of the compromise (sure these can be spoofed, but most script kiddies are lazy in this area)
- Watch running processes closely, and monitor network traffic. You may want to go as far as monitor traffic from another device on your network just to rule out any rootkits. If you can get a cheap linux box running running snort+snorby, that could be very helpful.
- Fix permissions wherever applicable to prevent any file permission vulnerabilities. (of course don't get into the habit of running as an admin by default)
- If your router is capable, configure it to watch out for/block sessions that appear to be reverse tunneling. Also close off any port mapping you have going from the external to internal adapter (these mappings allow direct access to ports on the mac). Disable uPnP to ensure ports aren't being opened on the fly.
Hope that helps. I'm not nearly as OSX savvy as I am Linux/Windows...but the principles are roughly the same (without having knowledge of the tools available....Disk Inventory X looks like a windirstat clone that could also be helpful in identifying the 20gb. In most cases, *nix computers are compromised to simply become warez servers. You'll want to find and delete whatever's there asap as you also run the risk of hosting material that is illegal even moreso (eg. child porn, stolen credentials/credit card data, etc).
posted by samsara at 10:13 AM on November 17, 2011
If you're still interested in cleaning out or crippling the existing compromise, you'll want to do several things:
- Get reports on files that were created or modified during the time of the compromise (sure these can be spoofed, but most script kiddies are lazy in this area)
- Watch running processes closely, and monitor network traffic. You may want to go as far as monitor traffic from another device on your network just to rule out any rootkits. If you can get a cheap linux box running running snort+snorby, that could be very helpful.
- Fix permissions wherever applicable to prevent any file permission vulnerabilities. (of course don't get into the habit of running as an admin by default)
- If your router is capable, configure it to watch out for/block sessions that appear to be reverse tunneling. Also close off any port mapping you have going from the external to internal adapter (these mappings allow direct access to ports on the mac). Disable uPnP to ensure ports aren't being opened on the fly.
Hope that helps. I'm not nearly as OSX savvy as I am Linux/Windows...but the principles are roughly the same (without having knowledge of the tools available....Disk Inventory X looks like a windirstat clone that could also be helpful in identifying the 20gb. In most cases, *nix computers are compromised to simply become warez servers. You'll want to find and delete whatever's there asap as you also run the risk of hosting material that is illegal even moreso (eg. child porn, stolen credentials/credit card data, etc).
posted by samsara at 10:13 AM on November 17, 2011
When in doubt, wipe and reinstall, but here's my question- does your Mac accept incoming requests from outside the firewall? If not, I doubt you've been compromised via a hacked password if all you're using it for is consuming media (e.g. you're not installing additional software).
It's possible you misremembered your password. Also, this:
supercres: "Also noticed moderate outgoing traffic that I couldn't account for, as well as less free disk space than I remembered."
has many possible explanations aside from being hacked. On an HTPC, especially, it's doing a lot of "background" work. Something as simple as content subscriptions would account for that.
posted by mkultra at 10:50 AM on November 17, 2011
It's possible you misremembered your password. Also, this:
supercres: "Also noticed moderate outgoing traffic that I couldn't account for, as well as less free disk space than I remembered."
has many possible explanations aside from being hacked. On an HTPC, especially, it's doing a lot of "background" work. Something as simple as content subscriptions would account for that.
posted by mkultra at 10:50 AM on November 17, 2011
Response by poster: Thanks, all, for the help. I can safely say that I didn't forget my password, but beyond that, I'm a bit at a loss. Computer is off waiting for me to get home and wipe. This would be a bad time for a catastrophic HD failure, eh?
One question: given that root seemingly wasn't compromised, is information from the other accounts safe? That would include keychain information and account passwords. I didn't do any banking on that computer or anything, but my e-mail address password is stored there, as is my Apple ID info.
posted by supercres at 12:40 PM on November 17, 2011
One question: given that root seemingly wasn't compromised, is information from the other accounts safe? That would include keychain information and account passwords. I didn't do any banking on that computer or anything, but my e-mail address password is stored there, as is my Apple ID info.
posted by supercres at 12:40 PM on November 17, 2011
It seems a little unlikely that your computer has actually been "compromised." If you're absolutely positive that you didn't forget the password, is it possible that you left caps lock on? Num lock?
posted by The Lamplighter at 1:03 PM on November 17, 2011
posted by The Lamplighter at 1:03 PM on November 17, 2011
Response by poster: It seems a little unlikely that your computer has actually been "compromised."
Can you elaborate on why exactly that's unlikely? I appreciate the answer and the optimism, but passwords saved elsewhere stopped working, in addition to not being able to authenticate using my phone as a keyboard (MobileMouse) or, when that failed, a regular USB keyboard.
The only confirmed symptom is that one of the admin accounts had its (weak) password changed, but I'm certain that is a real symptom.
At this point, unless anyone has other ideas, I don't see a plausible enough alternate explanations to not wipe and clean install.
posted by supercres at 1:14 PM on November 17, 2011
Can you elaborate on why exactly that's unlikely? I appreciate the answer and the optimism, but passwords saved elsewhere stopped working, in addition to not being able to authenticate using my phone as a keyboard (MobileMouse) or, when that failed, a regular USB keyboard.
The only confirmed symptom is that one of the admin accounts had its (weak) password changed, but I'm certain that is a real symptom.
At this point, unless anyone has other ideas, I don't see a plausible enough alternate explanations to not wipe and clean install.
posted by supercres at 1:14 PM on November 17, 2011
supercres: "Can you elaborate on why exactly that's unlikely?"
Unless your Mac is accessible outside your firewall, it's really hard to attack it directly. It can be done, but "supercres's HTPC" isn't a target worth anyone's while. If you use open WiFi, that's a possible direct attack vector- if your username/pw is guessable by someone who knows you, it may be a neighbor fucking with you.
Beyond that, you're basically looking at two possibilities: malware or service exploits. The Mac malware universe is extremely small, and if you're not installing software you're almost-guaranteed safe from that. It's possible that some crazy exploit in Flash or Silverlight (if you use Netflix, Hulu, or some other streaming service) was used to do this, but I think a known exploit like that would draw more attention.
posted by mkultra at 1:32 PM on November 17, 2011
Unless your Mac is accessible outside your firewall, it's really hard to attack it directly. It can be done, but "supercres's HTPC" isn't a target worth anyone's while. If you use open WiFi, that's a possible direct attack vector- if your username/pw is guessable by someone who knows you, it may be a neighbor fucking with you.
Beyond that, you're basically looking at two possibilities: malware or service exploits. The Mac malware universe is extremely small, and if you're not installing software you're almost-guaranteed safe from that. It's possible that some crazy exploit in Flash or Silverlight (if you use Netflix, Hulu, or some other streaming service) was used to do this, but I think a known exploit like that would draw more attention.
posted by mkultra at 1:32 PM on November 17, 2011
Best answer: It looks like the iTeleport installer automatically opens up port 22 and possibly 5900 using UPnP. So it is accessible, and while "supercres's HTPC" may not be an especially juicy target, "random machine running sshd with weak passwords" is more than enough for an automated scanner to go on.
It might be worth your time to google the IPs your Mac is connecting to and find out what botnet it's been inducted into. There's a chance it could be a really easy-to-clean one.
Depending on how paranoid this has made you, you can shut off UPnP, move sshd to a non-standard port, lock down your media account, change the password to something humongous since the software is remembering it for you anyway, change the login shell to something harmless (or better yet Kippo), run your VNC server inside chroot, and set up internal firewalls so the HTPC can't attack your other machines even if it's compromised again. I'd recommend the first three or four.
posted by marakesh at 8:01 PM on November 17, 2011 [2 favorites]
It might be worth your time to google the IPs your Mac is connecting to and find out what botnet it's been inducted into. There's a chance it could be a really easy-to-clean one.
Depending on how paranoid this has made you, you can shut off UPnP, move sshd to a non-standard port, lock down your media account, change the password to something humongous since the software is remembering it for you anyway, change the login shell to something harmless (or better yet Kippo), run your VNC server inside chroot, and set up internal firewalls so the HTPC can't attack your other machines even if it's compromised again. I'd recommend the first three or four.
posted by marakesh at 8:01 PM on November 17, 2011 [2 favorites]
Response by poster: Well, for what it's worth, SSH is definitely forwarded through the router firewall to my HTPC, and I use a free DNS service.
On the topic of VNC, Lion started using user authentication to share the screen rather than a VNC password. iTeleport uses it as well. That allows me to turn off access for VNC viewers. I'll have to do some research, but I'm not especially hopeful that the connection is any more secure. At least I know Apple wouldn't send my username and password unprotected... right?
Machine is wiped and back running. Regular media center user is non-admin and has a moderate password. Admin user has a strong password. Turned of NAT-PMP (Airport Extreme router). Feel better at least, and hey-- lots more hard drive space clearing out the junk.
posted by supercres at 9:19 PM on November 17, 2011
On the topic of VNC, Lion started using user authentication to share the screen rather than a VNC password. iTeleport uses it as well. That allows me to turn off access for VNC viewers. I'll have to do some research, but I'm not especially hopeful that the connection is any more secure. At least I know Apple wouldn't send my username and password unprotected... right?
Machine is wiped and back running. Regular media center user is non-admin and has a moderate password. Admin user has a strong password. Turned of NAT-PMP (Airport Extreme router). Feel better at least, and hey-- lots more hard drive space clearing out the junk.
posted by supercres at 9:19 PM on November 17, 2011
Response by poster: Well how about that. In the Screen Sharing app's preferences, there is indeed an option to encrypt all network traffic. By default, only keystrokes and passwords are encrypted. So I'm covered there, at least.
posted by supercres at 9:23 PM on November 17, 2011
posted by supercres at 9:23 PM on November 17, 2011
Best answer: If possible, configure your router's firewall to restrict source IPs that can remotely SSH (if you're using that while abroad and know the ranges you'll be connecting from). Or if unused, turn off as many of these remote capabilities as you can that would be visible to the world outside. Even though they're password protected, having them usable to any source IP means you stand a substantial risk in having an unpatched service where a password would not be necessary to gain access.
posted by samsara at 6:44 AM on November 18, 2011
posted by samsara at 6:44 AM on November 18, 2011
This thread is closed to new comments.
Time to wipe it and reinstall the OS from scratch.
posted by Chocolate Pickle at 9:29 AM on November 17, 2011 [2 favorites]