Who is trying to login to my OSX laptop?
December 27, 2006 7:41 PM

OSX Security: I followed the instructions on this MacOSXhints article to setup my shiny new MacBook Pro to take a picture using the built-in iSight whenever there's a failed authentication attempt. I've noticed that every night at 9:53, there are multiple failed login attempts, but it's while I'm using the computer, so I end up with pictures of me.

Take a gander at this log (/var/log/asl.log). The following repeats, substituting one of many usernames for "webmaster":

[Time 2006.12.28 02:53:50 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user webmaster.] [Level 3] [UID -2] [GID -2] [Host msca-cghota-mbp17]
[Time 2006.12.28 02:53:50 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host msca-cghota-mbp17]

At first I thought it was a network-based attack; however, tonight I did this while not joined to the network. The accounts scanned include: admin, ftp, ftpuser, guestuser, root, test (x12), testuser (x2), user (x4), webadmin, and webmaster.

What is going on!? If nothing else, how can I get more information about tracking this down? I'm a switcher (an MCSE from the Windows world, actually), so I'm a bit out of my depth.
posted by chota to Computers & Internet (16 answers total)
Sounds like you may have a ssh brute-force trojan on another computer on your LAN.

When you say you weren't joined to the network, was this due to you not being physically wired to an ethernet cable, or because Airport was off?
posted by tomierna at 8:44 PM on December 27, 2006

Response by poster: Both. I turned airport off, and was not connected via a cable.

Although, I turned off airport after the first one started (I noticed the green light on the iSight blinking). But, they still kept coming. Does this point to a trojan on my local system?

Also, I know there probably is, but does a log for sshd exist, listing what incoming connections were made?
posted by chota at 9:41 PM on December 27, 2006

Response by poster: Also, I clicked on your profile because I noticed a three-digit user ID, and noticed that we're physically about 2 miles apart, I think. I'm visiting my mom here in Tampa for the holidays. Howdy!
posted by chota at 9:43 PM on December 27, 2006

Response by poster: Update: I followed the steps in another MacOSXhints article to Enable logging of sshd to /var/log/system.log (why the heck apple would disable it in the first place is beyond me) and have verified that it's working (at least, I ssh'd to localhost from the terminal, sent a wrong, then the right password, and this is what I got):

Dec 28 00:58:16 msca-cghota-mbp17 sshd[5754]: error: PAM: Authentication failure for cghota from localhost
Dec 28 00:58:23 msca-cghota-mbp17 sshd[5754]: Accepted keyboard-interactive/pam for cghota from ::1 port 60282 ssh2

Kind of weird that it uses a named host for auth failure, but my IPv6 address (right?) for success.

Anything else anyone can think of? Do I just wait till tomorrow night and see where the login attempts come from?

posted by chota at 10:03 PM on December 27, 2006
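Since the thread's question is "where are the attempts coming from, and which accounts are being tried", here is an added example (not from the thread or from either MacOSXhints article) that summarises both log formats quoted so far: the bracketed asl.log lines from the question and the sshd lines that appear in system.log once sshd logging is enabled. The sample lines are constructed to match those formats; the host name and the quoted lines are copied from the posts, and the address 198.51.100.7 is a made-up documentation address standing in for a remote source.

```shell
#!/bin/sh
# Added example: tally failed SSH logins from the two log formats in the thread.
# Everything below is constructed sample data, not a capture from the poster's machine.

# Constructed /var/log/asl.log sample (bracketed key/value fields, Tiger-era format).
SAMPLE_ASL='[Time 2006.12.28 02:53:50 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user webmaster.] [Level 3] [UID -2] [GID -2] [Host msca-cghota-mbp17]
[Time 2006.12.28 02:53:50 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host msca-cghota-mbp17]
[Time 2006.12.28 02:53:51 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user test.] [Level 3] [UID -2] [GID -2] [Host msca-cghota-mbp17]
[Time 2006.12.28 02:53:52 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user test.] [Level 3] [UID -2] [GID -2] [Host msca-cghota-mbp17]
[Time 2006.12.28 02:53:52 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user root.] [Level 3] [UID -2] [GID -2] [Host msca-cghota-mbp17]'

# Constructed /var/log/system.log sample in the sshd format from the update above.
# The two 198.51.100.7 lines are invented so that a remote source shows up.
SAMPLE_SYSLOG='Dec 28 00:58:16 msca-cghota-mbp17 sshd[5754]: error: PAM: Authentication failure for cghota from localhost
Dec 28 00:58:23 msca-cghota-mbp17 sshd[5754]: Accepted keyboard-interactive/pam for cghota from ::1 port 60282 ssh2
Dec 28 21:53:50 msca-cghota-mbp17 sshd[5801]: error: PAM: Authentication failure for test from 198.51.100.7
Dec 28 21:53:51 msca-cghota-mbp17 sshd[5803]: error: PAM: Authentication failure for root from 198.51.100.7'

# asl_failed_users FILE: "count user" for every account named in an
# "authinternal failed to authenticate user X." message, most frequent first.
asl_failed_users() {
    sed -n 's/.*failed to authenticate user \([^].]*\)\..*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# asl_failure_minutes FILE: "count HH:MM" buckets in UTC, so a nightly burst
# (the 02:53 UTC / 9:53 PM Eastern one in the question) stands out.
asl_failure_minutes() {
    sed -n 's/^\[Time [0-9.]* \([0-9][0-9]:[0-9][0-9]\):[0-9][0-9] UTC\].*failed to authenticate user.*/\1/p' "$1" \
        | sort | uniq -c | awk '{print $1, $2}'
}

# sshd_failure_sources FILE: "count source" for each host/address that produced
# a "PAM: Authentication failure for USER from SOURCE" line.
sshd_failure_sources() {
    sed -n 's/.*PAM: Authentication failure for [^ ]* from \([^ ]*\).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# sshd_remote_failures FILE: same tally, but with loopback sources dropped.
# Anything left here came over the network; an empty result with the attempts
# still happening points at something on the machine itself.
sshd_remote_failures() {
    sed -n 's/.*PAM: Authentication failure for [^ ]* from \([^ ]*\).*/\1/p' "$1" \
        | grep -v -e '^localhost$' -e '^::1$' -e '^127\.' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Demo on the constructed samples only; point the functions at the real
# /var/log/asl.log and /var/log/system.log to inspect your own machine.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_ASL" > "$demo_dir/asl.log"
printf '%s\n' "$SAMPLE_SYSLOG" > "$demo_dir/system.log"
echo "# accounts tried (asl.log):";      asl_failed_users "$demo_dir/asl.log"
echo "# failures per minute, UTC:";      asl_failure_minutes "$demo_dir/asl.log"
echo "# failure sources (system.log):";  sshd_failure_sources "$demo_dir/system.log"
echo "# remote sources only:";           sshd_remote_failures "$demo_dir/system.log"
rm -rf "$demo_dir"
```

The asl.log lines only tell you which accounts were tried; the source of the connection is only in the sshd lines, which is why the "from ..." field in system.log is the one that settles the local-versus-network question. Note that asl.log timestamps are UTC while system.log uses local time, so the same burst shows up as 02:53 in one file and 21:53 in the other.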

I think your best bet is going to be to wait and see where the attempts are coming from. If they're local and always occur at the exact same time -- down to the second -- then my guess is that it might be something more benign than a trojan; maybe some sort of daemon or cron job that's not doing what it's supposed to. But this is definitely interesting enough to warrant investigation. To the best of my knowledge, there are not any OS X trojans "in the wild" that do this sort of thing, though that doesn't mean it's impossible.
posted by Kadin2048 at 10:07 PM on December 27, 2006

Same time every day? Try running your cron tasks and see if anything pops up (sudo periodic daily).
posted by yesno at 10:12 PM on December 27, 2006

Response by poster: "sudo periodic daily" did nothing (that I noticed), at least, it didn't start capturing pics.
posted by chota at 10:39 PM on December 27, 2006

Have you rebooted the machine since you noticed this happening? If so, does it still happen at the same time?

Basically, is the timing absolute, or relative to boot? If it's relative to boot time, my guess would be some sort of house-keeping task that's sitting in the background on the machine. It doesn't necessarily have to be a cron task, so yesno's suggestion may not work.
posted by veedubya at 2:13 AM on December 28, 2006

Waves hello at chota!

It certainly is puzzling that there is something attempting ssh logins without a network connection.

Like others, I suspect something local to the machine, nefarious or otherwise.

I'm interested in hearing if it happens again.
posted by tomierna at 7:16 AM on December 28, 2006

Response by poster: I never thought about reboot times. I'm going to reboot now; 12:30 eastern.

*crosses fingers*

What's the quickest way to dump a list of every process running on the machine from the terminal? I'm thinking I'll disconnect from any network, then run sudo ps aux > ~/Desktop/procs.txt as it's happening. Sound good? Should I enable "Secure keyboard entry" in Terminal?
posted by chota at 9:32 AM on December 28, 2006

If you're trojaned, you might not want to run sudo. Is there really any reason to run as the super user just to print out the list of processes, for instance?
posted by ikkyu2 at 10:48 AM on December 28, 2006

'ps' will run fine without sudo. I usually use 'ps augxww': 'a' gets every user's processes; 'g' and 'x' include some daemons and normally-hidden processes; 'u' includes some more columns of info, and 'ww' means not to limit the output to 80 columns (which is handy since OS X has lots of long filenames).

You could also try running fseventer while the odd activity is taking place, which might point you towards particular files.
posted by hattifattener at 11:49 AM on December 28, 2006

Response by poster: I was thinking of running sudo for ps because, if I was writing a trojan, the first thing I would do would be to change my user's local path to point to patched versions of "which" and "ps". Or does it not work like that?

thanks hattifattener, for the tips on the ps ww switch and fseventer; will definitely use those.

Check back in about 6 hours for the a) startling conclusion, or b) continuing mystery!

Thanks, everyone!
posted by chota at 1:11 PM on December 28, 2006

If you suspect a local compromise on a Mac, your first action should be to download & run both chkrootkit & OSX Rootkit Hunter.
posted by scalefree at 2:16 PM on December 28, 2006

I was thinking of running sudo for ps because, if I was writing a trojan, the first thing I would do would be to change my user's local path to point to patched versions of "which" and "ps". Or does it not work like that?

sudo does a little checking for spoofing in the current directory (man sudo for details), but probably not enough. sudo -i may get you closer to what you want.

But if an attacker is going to trojan "ps", why wouldn't they also trojan "sudo" to capture the password you enter and turn their compromise of your user account into a compromise of the root account?
posted by aneel at 7:02 PM on December 29, 2006
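The worry raised by chota and aneel above is that a trojan could put patched copies of "ps" or "which" earlier on the user's PATH than the real ones. As an added example (not code from the thread), the two functions below make that concrete from the checking side: one lists PATH entries the current user can write to (where an unprivileged trojan could drop a fake binary), the other shows where a command name actually resolves without calling "which" itself. Both take an explicit PATH string so they can be exercised on constructed input; the demo-tool name and the temporary directories are made up for the demonstration. The snapshot function assumes /bin/ps is the system ps, which holds on OS X and on most Linux systems.

```shell
#!/bin/sh
# Added example: spot PATH entries where a fake ps/which could be planted,
# and resolve a command name by hand. Not part of the thread's own advice.

# writable_path_dirs [PATH-string]: print each entry of the given PATH (default:
# the live $PATH) that is missing or writable by the current user. An empty
# entry in PATH means the current directory, which is reported as ".".
writable_path_dirs() {
    p="${1:-$PATH}"
    printf '%s\n' "$p" | tr ':' '\n' | while IFS= read -r dir; do
        [ -z "$dir" ] && dir="."
        if [ ! -d "$dir" ]; then
            echo "missing $dir"
        elif [ -w "$dir" ]; then
            echo "writable $dir"
        fi
    done
}

# resolve_cmd NAME [PATH-string]: print the first executable file NAME would
# resolve to on PATH, walking the entries ourselves instead of trusting `which`.
resolve_cmd() {
    name="$1"; p="${2:-$PATH}"
    printf '%s\n' "$p" | tr ':' '\n' | while IFS= read -r dir; do
        [ -z "$dir" ] && dir="."
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            echo "$dir/$name"
            break
        fi
    done
}

# snapshot_processes OUTFILE: the process dump hattifattener suggested, run by
# absolute path so a same-named binary earlier on PATH is not what gets executed,
# and without sudo, as ikkyu2 and aneel recommend.
snapshot_processes() {
    /bin/ps augxww > "$1"
}

# Demo on a constructed PATH: a throwaway writable directory holding a dummy
# "demo-tool", followed by a directory that does not exist.
demo=$(mktemp -d)
mkdir "$demo/rw"
printf '#!/bin/sh\n' > "$demo/rw/demo-tool"
chmod +x "$demo/rw/demo-tool"
echo "# suspicious PATH entries:"
writable_path_dirs "$demo/rw:/nonexistent-dir-for-demo"
echo "# demo-tool resolves to:"
resolve_cmd demo-tool "$demo/rw:/nonexistent-dir-for-demo"
rm -rf "$demo"
```

Run `writable_path_dirs` with no argument to audit the real PATH of the account in question, and compare `resolve_cmd ps` against /bin/ps. A writable entry ahead of /bin or /usr/bin is exactly the condition chota was worried about; the fix on the defending side is to run the tools by absolute path until the machine is known to be clean, which is also why the thread's advice of not typing a sudo password into a possibly trojaned shell applies.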

Response by poster: Okie dokie!

Found out that, due to legacy settings on my mom's router, I was in the DMZ, and was the subject of a portscan. They probably saw that ssh was open and tried it as a vector for attack.

Script kiddies. Bah, humbug!
posted by chota at 7:07 PM on December 29, 2006
