Comments on: Who is trying to login to my OSX laptop?

Question: Who is trying to login to my OSX laptop?

chota — Wed, 27 Dec 2006 19:41:16 -0800

OSX Security: I followed the instructions on this MacOSXhints article to setup my shiny new MacBook Pro to take a picture using the built-in iSight whenever there's a failed authentication attempt. I've noticed that every night at 9:53, there are multiple failed login attempts, but it's while I'm using the computer, so I end up with pictures of me.

Take a gander at this log (/var/log/asl.log). The following repeats, substituting one of many usernames for "webmaster":



[Time 2006.12.28 02:53:50 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user webmaster.] [Level 3] [UID -2] [GID -2] [Host msca-cghota-mbp17]

[Time 2006.12.28 02:53:50 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host msca-cghota-mbp17]

At first I thought it was a network-based attack; however, tonight I did this while not joined to the network. The accounts scanned include: admin, ftp, ftpuser, guestuser, root, test (x12), testuser (x2), user (x4), webadmin, and webmaster.

What is going on!? If nothing else, how can I get more information about tracking this down? I'm a switcher (an MCSE from the Windows world, actually), so I'm a bit out of my depth.

By: tomierna

tomierna — Wed, 27 Dec 2006 20:44:13 -0800

Sounds like you may have a ssh brute-force trojan on another computer on your LAN.

When you say you weren't joined to the network, was this due to you not being physically wired to an ethernet cable, or because Airport was off?

By: chota

chota — Wed, 27 Dec 2006 21:41:46 -0800

Both. I turned airport off, and was not connected via a cable.

Although, I turned off airport after the first one started (I noticed the green light on the iSight blinking). But, they still kept coming. Does this point to a trojan on my local system?

Also, I know there probably is, but does a log for sshd exist, listing what incoming connections were made?

By: chota

chota — Wed, 27 Dec 2006 21:43:50 -0800

Also, I clicked on your profile because I noticed a three-digit user ID, and noticed that we're physically about 2 miles apart, I think. I'm visiting my mom here in Tampa for the holidays. Howdy!

By: chota

chota — Wed, 27 Dec 2006 22:03:08 -0800

Update: I followed the steps in another MacOSXhints article to Enable logging of sshd to /var/log/system.log (why the heck apple would disable it in the first place is beyond me) and have verified that it's working (at least, I ssh'd to localhost from the terminal, send a wrong, then the right password, and this is what I got:

Dec 28 00:58:16 msca-cghota-mbp17 sshd[5754]: error: PAM: Authentication failure for cghota from localhost

Dec 28 00:58:23 msca-cghota-mbp17 sshd[5754]: Accepted keyboard-interactive/pam for cghota from ::1 port 60282 ssh2

Kind of weird that it uses a named host for auth failure, but my IPv6 address (right?) for success.

Anything else anyone can think of? Do I just wait till tomorrow night and see where the login attempts come from?

Thanks!

By: Kadin2048

Kadin2048 — Wed, 27 Dec 2006 22:07:57 -0800

I think your best bet is going to be to wait and see where the attempts are coming from. If they're local and always occur at the exact same time -- down to the second -- then my guess is that it might be something more benign than a trojan; maybe some sort of daemon or cron job that's not doing what it's supposed to. But this is definitely interesting enough to warrant investigation. To the best of my knowledge, there are not any OS X trojans "in the wild" that do this sort of thing, though that doesn't mean it's impossible.

By: yesno

yesno — Wed, 27 Dec 2006 22:12:36 -0800

Same time every day? Try running your cron tasks and see if anything pops up (sudo periodic daily).

By: chota

chota — Wed, 27 Dec 2006 22:39:39 -0800

"sudo periodic daily" did nothing (that I noticed), at least, it didn't start capturing pics.

By: veedubya

veedubya — Thu, 28 Dec 2006 02:13:09 -0800

Have you rebooted the machine since you noticed this happening? If so, does it still happen at the same time?

Basically, is the timing absolute, or relative to boot? If it's relative to boot time, my guess would be some sort of house-keeping task that's sitting in the background on the machine. It doesn't necessarily have to be a cron task, so yesno's suggestion may not work.

By: tomierna

tomierna — Thu, 28 Dec 2006 07:16:03 -0800

Waves hello at chota!

It certainly is puzzling that there is something attempting ssh logins without a network connection.

Like others, I suspect something local to the machine, nefarious or otherwise.

I'm interested in hearing if it happens again.

By: chota

chota — Thu, 28 Dec 2006 09:32:10 -0800

I never thought about reboot times. I'm going to reboot now; 12:30 eastern.

*crosses fingers*

What's the quickest way to dump a list of every process running on the machine from the terminal? I'm thinking I'll disconnect from any network, then run sudo ps aux > ~/Desktop/procs.txt as it's happening. Sound good? Should I enable "Secure keyboard entry" in Terminal?

By: ikkyu2

ikkyu2 — Thu, 28 Dec 2006 10:48:46 -0800

If you're trojaned, you might not want to run sudo. Is there really any reason to run as the super user just to print out the list of processes, for instance?

By: hattifattener

hattifattener — Thu, 28 Dec 2006 11:49:47 -0800

'ps' will run fine without sudo. I usually use 'ps augxww': 'a' gets every user's processes; 'g' and 'x' include some daemons and normally-hidden processes; 'u' includes some more columns of info, and 'ww' means not to limit the output to 80 columns (which is handy since OS X has lots of long filenames).

You could also try running fseventer while the odd activity is taking place, which might point you towards particular files.

By: chota

chota — Thu, 28 Dec 2006 13:11:32 -0800

I was thinking of running sudo for ps because, if I was writing a trojan, the first thing I would do would be to change my user's local path to point to patched versions of "which" and "ps". Or does it not work like that?

thanks hattifattener, for the tips on the ps ww switch and fseventer; will definitely use those.

Check back in about 6 hours for the a) startling conclusion, or b) continuing mystery!

Thanks, everyone!

By: scalefree

scalefree — Thu, 28 Dec 2006 14:16:10 -0800

If you suspect a local compromise on a Mac, your first action should be to download & run both chrootkit & OSX Rootkit Hunter.

By: aneel

aneel — Fri, 29 Dec 2006 19:02:21 -0800

I was thinking of running sudo for ps because, if I was writing a trojan, the first thing I would do would be to change my user's local path to point to patched versions of "which" and "ps". Or does it not work like that?

sudo does a little checking for spoofing in the current directory (man sudo for details), but probably not enough. sudo -i may get you closer to what you want.

But if an attacker is going to trojan "ps", why wouldn't they also trojan "sudo" to capture the password you enter and turn their compromise of your user account into a compromise of the root account?

By: chota

chota — Fri, 29 Dec 2006 19:07:09 -0800

Okie dokie!

Found out that, due to legacy settings on my mom's router, I was in the DMZ, and was the subject of a portscan. They probably saw that ssh was open and tried it as a vector for attact.

Script kiddies. Bah, humbug!