Spyware, viruses, & security : Hacked using remote VNC/tunnel/change of ownership rights.

Post 1 of 5

Hacked using remote VNC/tunnel/change of ownership rights.

by adust1980 - 8/16/08 9:32 PM

I hope I'm using the correct forum...if not I apologize.
Using 10.5.2 on a wireless network, I've been noticing strange activity through Console recently and am now positive someone has been accessing my computer via a tunnel or VNC. I can't say I know much regarding either of these, but I have saved the logs themselves. Recently I performed a clean install, but I am getting the same type of ownership/wireless issues from a remote computer using Vista. I've monitored the remote install and observation via Console and Network Utility.
Upon clean install it appears to me (although these could be separate issues) that there is a partition on my HD that I cannot delete or modify. Therefore this remote user has ownership rights and any future install is vulnerable to the same attack. Could someone point me in the right direction? Or tell me what information is useful or worth taking a look at? So far I've been trying to log as much as possible just in case.
Thank you so much.

Post 2 of 5

Sure About That Partition?? Many OE Makers...

by tobeach - 8/16/08 11:00 PM In reply to: Hacked using remote VNC/tunnel/change of ownership rights. by adust1980

have taken to not including an OS disk with new machines, instead putting a back-up copy of the OS on a separate partition which can be copied to create a disk and can ONLY be accessed via the current OS for restore purposes.
Beyond this I can't offer more. Good Luck. :-)

Post 3 of 5

Unauthorized remote access/User help

by adust1980 - 8/16/08 11:35 PM In reply to: Sure About That Partition?? Many OE Makers... by tobeach

I backed up only audio files and few important documents on an external hd before my clean install - have not plugged it back in since.
This is what my disk utility shows:
Name : FUJITSU MHW2080BHPL Media
Type : Disk

Partition Map Scheme : GUID Partition Table
Disk Identifier : disk0
Media Name : FUJITSU MHW2080BHPL Media
Media Type : Generic
Connection Bus : Serial ATA 2
Device Tree : /PCI0@0/SATA@1F,2/PRT2@2/PMP@0/@0:0
Writable : Yes
Ejectable : No
Mac OS 9 Drivers Installed : No
Location : Internal
Total Capacity : 74.5 GB (80,026,361,856 Bytes)
S.M.A.R.T. Status : Verified
Disk Number : 0
Partition Number : 0

Disk Identifier : disk0s2
Mount Point : /
File System : Mac OS Extended (Journaled)
Connection Bus : Serial ATA 2
Device Tree : /PCI0@0/SATA@1F,2/PRT2@2/PMP@0/@0:2
Writable : Yes
Universal Unique Identifier : A604C698-FE42-3A72-8532-57FA04E5E5C0
Capacity : 74.2 GB (79,682,387,968 Bytes)
Free Space : 60.1 GB (64,549,658,624 Bytes)
Used : 14.1 GB (15,132,729,344 Bytes)
Number of Files : 469,925
Number of Folders : 106,936
Owners Enabled : Yes
Can Turn Owners Off : Yes
Can Repair Permissions : Yes
Can Be Verified : Yes
Can Be Repaired : Yes
Can Be Formatted : Yes
Bootable : Yes
Supports Journaling : Yes
Journaled : Yes
Disk Number : 0
Partition Number : 2

Name : MATSHITA CD-RW CW-8221
Type : Optical Device

Disk Identifier : MATSHITA CD-RW CW-8221
Connection Bus : ATAPI
Connection Type : Internal
Burn Support : Apple Shipping
Writes CD : Yes
Writes DVD : No
Media is present : No

Port scan show only: Open TCP Port: 5101 talarian-tcp

Here's what Console is showing DIRECTLY after a fresh install (sorry if it's too much information; I'm not sure what pertains and what is normal):
8/16/08 3:23:31 PM com.apple.launchctl.System[2] BootCacheControl: could not open /var/db/BootCache.playlist:
8/16/08 3:23:31 PM com.apple.launchctl.System[2] No such file or directory
8/16/08 3:23:32 PM com.apple.launchctl.System[2] launchctl: Please convert the following to launchd: /etc/mach_init.d/dashboardadvisoryd.plist
8/16/08 3:23:32 PM com.apple.launchd[1] (org.cups.cupsd) Unknown key: SHAuthorizationRight
8/16/08 3:23:32 PM com.apple.launchd[1] (org.ntp.ntpd) Unknown key: SHAuthorizationRight
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] ...Generating key pair...
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] ...creating certificate...
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Serial Number : 0C 62 D3 49
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Issuer Name :
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Common Name : com.apple.systemdefault
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Org : System Identity
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Subject Name :
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Common Name : com.apple.systemdefault
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Org : System Identity
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 05 >
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] alg params : 05 00
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Not Before : 22:23:50 Aug 16, 2008
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Not After : 22:23:50 Aug 11, 2028
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] alg params : 05 00
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Pub key Bytes : Length 140 bytes : 30 81 89 02 81 81 00 E4 ...
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] CSSM Key :
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Algorithm : RSA
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Key Size : 1024 bits
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Signature : 128 bytes : AA 5A 85 A6 B6 CB 67 DA ...
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Other field: : OID : < 06 0C 60 86 48 01 86 F8 4D 02 01 01 01 17 >
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Other field: : OID : < 06 0C 60 86 48 01 86 F8 4D 02 01 01 01 16 >
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Extension struct : OID : < 06 03 55 1D 25 >
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] Critical : FALSE
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] purpose 0 : OID : < 06 09 2A 86 48 86 F7 63 64 04 04 >
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] ..cert stored in Keychain.
8/16/08 3:23:50 PM com.apple.configureLocalKDC[54] ..identity registered for domain com.apple.systemdefault.
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] ...Generating key pair...
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] ...creating certificate...
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Serial Number : 2D FA DD FF
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Issuer Name :
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Common Name : com.apple.kerberos.kdc
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Org : System Identity
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Subject Name :
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Common Name : com.apple.kerberos.kdc
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Org : System Identity
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 05 >
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] alg params : 05 00
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Not Before : 22:23:51 Aug 16, 2008
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Not After : 22:23:51 Aug 11, 2028
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] alg params : 05 00
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Pub key Bytes : Length 140 bytes : 30 81 89 02 81 81 00 CF ...
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] CSSM Key :
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Algorithm : RSA
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Key Size : 1024 bits
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Key Use : CSSM_KEYUSE_ENCRYPT CSSM_KEYUSE_VERIFY CSSM_KEYUSE_WRAP
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Signature : 128 bytes : 71 5B 4A 3F E7 9A BA D3 ...
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Other field: : OID : < 06 0C 60 86 48 01 86 F8 4D 02 01 01 01 17 >
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Other field: : OID : < 06 0C 60 86 48 01 86 F8 4D 02 01 01 01 16 >
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Extension struct : OID : < 06 03 55 1D 25 >
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] Critical : FALSE
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] purpose 0 : OID : < 06 09 2A 86 48 86 F7 63 64 04 04 >
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] ..cert stored in Keychain.
8/16/08 3:23:51 PM com.apple.configureLocalKDC[54] ..identity registered for domain com.apple.kerberos.kdc.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] launchctl: Error unloading: com.apple.kdcmond
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] /usr/sbin/kadmin.local-q add_principal -randkey afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] WARNING: no policy specified for afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A; defaulting to no policy
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] Authenticating as principal root/admin@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with password.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] Principal "afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A" created.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] /usr/sbin/kadmin.local-q ktadd afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] Authenticating as principal root/admin@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with password.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] Entry for principal afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] Entry for principal afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] Entry for principal afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:54 PM com.apple.configureLocalKDC[54] /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal afpserver/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] /usr/sbin/kadmin.local-q add_principal -randkey cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] WARNING: no policy specified for cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A; defaulting to no policy
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Authenticating as principal root/admin@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with password.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Principal "cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A" created.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] /usr/sbin/kadmin.local-q ktadd cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Authenticating as principal root/admin@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with password.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Entry for principal cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Entry for principal cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Entry for principal cifs/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server LocalKerberosRealm LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] /usr/sbin/kadmin.local-q add_principal -randkey vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] WARNING: no policy specified for vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A; defaulting to no policy
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Authenticating as principal root/admin@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with password.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Principal "vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A" created.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] /usr/sbin/kadmin.local-q ktadd vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Authenticating as principal root/admin@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with password.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Entry for principal vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Entry for principal vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] Entry for principal vnc/LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A@LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
8/16/08 3:23:55 PM com.apple.configureLocalKDC[54] LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A
8/16/08 3:24:00 PM com.apple.ATSServer[115] FODBCheck: New annex file created
8/16/08 3:24:06 PM [0x0-0x4004].com.apple.SetupAssistant[124] ...System identity already exists for domain com.apple.systemdefault. Done.
8/16/08 3:35:32 PM com.apple.launchd[1] (org.ntp.ntpd) Unknown key: SHAuthorizationRight
8/16/08 3:35:34 PM com.apple.KerberosAutoConfig[201] The machine is standalone
8/16/08 3:35:34 PM com.apple.KerberosAutoConfig[201] Removing /Library/Preferences/edu.mit.Kerberos

Thanks.

Advice? Thank you.
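The Console dump in the post above is what a Leopard first boot writes: com.apple.configureLocalKDC builds the Local KDC realm (the LKDC:SHA1 string) and registers afpserver, cifs and vnc service principals, so the vnc/ lines there are the OS setting up Screen Sharing's Kerberos identity, not a remote user. The script below is an added example written for this page, not code from the thread: it parses Console records of that shape, extracts what configureLocalKDC registered, and flags any service principal outside the expected set or any realm mismatch. The expected-service set (afpserver, cifs, vnc) is an assumption taken from this log; the sample records are copied from the post and trimmed, and the single-DES/RC4 keytab report is informational, since the log shows Leopard writing those enctypes by default.

```python
"""Triage a Mac OS X 10.5 Console dump for Local KDC setup (added example, not from the thread).

Parses Console records of the form "<date> <time> <AM|PM> <process>[<pid>] <message>",
extracts the Kerberos service principals that com.apple.configureLocalKDC registered,
and flags anything that deviates from what a stock first boot writes. The expected
service set is an assumption taken from the post's own log (afpserver, cifs, vnc).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<proc>.+?)\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
# kadmin.local add_principal -randkey <service>/<instance>@<realm>
ADD_PRINCIPAL_RE = re.compile(
    r"add_principal -randkey (?P<service>[^/\s]+)/(?P<instance>[^@\s]+)@(?P<realm>\S+)"
)
# ktadd output: "... encryption type <enctype> added to keytab <file>."
KEYTAB_RE = re.compile(r"encryption type (?P<enctype>.+?) added to keytab (?P<file>\S+)\.$")

EXPECTED_SERVICES = {"afpserver", "cifs", "vnc"}  # assumption: stock 10.5 Local KDC
WEAK_ENCTYPES = ("DES cbc mode with CRC-32", "ArcFour with HMAC/md5")

def parse_line(line):
    """Return ts/proc/pid/msg for one Console record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def lkdc_principals(records):
    """(service, instance, realm) for every principal configureLocalKDC created."""
    out = []
    for r in records:
        if r["proc"] != "com.apple.configureLocalKDC":
            continue
        m = ADD_PRINCIPAL_RE.search(r["msg"])
        if m:
            out.append((m["service"], m["instance"], m["realm"]))
    return out

def keytab_enctypes(records):
    """Count, per enctype, the keys ktadd wrote to the keytab."""
    c = Counter()
    for r in records:
        m = KEYTAB_RE.search(r["msg"])
        if m:
            c[m["enctype"]] += 1
    return c

def triage(text):
    """Findings that deviate from a stock first boot; an empty list means 'looks normal'."""
    records = parse_log(text)
    principals = lkdc_principals(records)
    findings = []
    for service, instance, realm in principals:
        if service not in EXPECTED_SERVICES:
            findings.append(f"unexpected service principal {service}/{instance}@{realm}")
        if instance != realm:
            findings.append(f"realm mismatch in {service}/{instance}@{realm}")
    realms = {realm for _, _, realm in principals}
    if len(realms) > 1:
        findings.append(f"more than one LKDC realm registered: {sorted(realms)}")
    return findings

def weak_keys(text):
    """Informational: single-DES and RC4 keytab entries (Leopard writes them by default)."""
    counts = keytab_enctypes(parse_log(text))
    return {e: counts[e] for e in WEAK_ENCTYPES if counts[e]}

# Sample records copied from the post above (trimmed to the interesting lines).
REALM = "LKDC:SHA1.9F502B0D86E33C1A35F68BCD1782F11ABB63929A"
KDC = "com.apple.configureLocalKDC[54]"
SAMPLE_LOG = "\n".join([
    f"8/16/08 3:23:54 PM {KDC} /usr/sbin/kadmin.local-q add_principal -randkey afpserver/{REALM}@{REALM}",
    f"8/16/08 3:23:54 PM {KDC} Entry for principal afpserver/{REALM}@{REALM} with kvno 3, "
    "encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.",
    f"8/16/08 3:23:54 PM {KDC} Entry for principal afpserver/{REALM}@{REALM} with kvno 3, "
    "encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.",
    f"8/16/08 3:23:55 PM {KDC} /usr/sbin/kadmin.local-q add_principal -randkey cifs/{REALM}@{REALM}",
    f"8/16/08 3:23:55 PM {KDC} /usr/sbin/kadmin.local-q add_principal -randkey vnc/{REALM}@{REALM}",
    "8/16/08 3:24:06 PM [0x0-0x4004].com.apple.SetupAssistant[124] ...System identity already exists for domain com.apple.systemdefault. Done.",
    "8/16/08 3:35:34 PM com.apple.KerberosAutoConfig[201] The machine is standalone",
])

if __name__ == "__main__":
    print("principals:", [p[0] for p in lkdc_principals(parse_log(SAMPLE_LOG))])
    print("findings:", triage(SAMPLE_LOG) or "none (stock first boot)")
    print("weak keytab entries:", weak_keys(SAMPLE_LOG))
```

Run against the full dump, the interesting output is not the vnc/ principal but anything triage() returns: a fourth service, a second realm, or a principal whose instance does not match its realm would mean something other than Apple's setup script was talking to kadmin.local.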

Post 4 of 5

Mac OS X 10.5.5 Intel Core spy infiltration, permissions.

by userplain - 1/19/09 7:58 AM In reply to: Unauthorized remote access/User help by adust1980

Exactly how my machine is behaving. I've done one full erase/reinstall. And within a week or two, very strange user accounts which I cannot delete, and I'm the admin. Also permissions changes not allowing me as admin to even empty the trash. I'm not that code savvy, but I can see the attempted info hijacks. I take it to Apple and the genius is in denial: "inconceivable spyware on a Mac." He offers: create another user and use that from now on. There's gotta be someone that's caught this and killed it.

Post 5 of 5

VNC hacking

by karn - 10/15/09 8:34 PM In reply to: Hacked using remote VNC/tunnel/change of ownership rights. by adust1980

Although not quite as popular a target as the Microsoft file server ports 139 and 445, the VNC port 5900 is most definitely a popular attack target. Until I blocked remote access, I regularly saw strange addresses in China or Korea connecting to it. Presumably they were trying to guess its (well chosen) password. On my Mac Pro (which is basically BSD UNIX) I used the following sequence of ipfw commands to restrict access to port 5900 (VNC) to the local machine and my local network:

# run as root; ipfw walks the rules in number order and the first matching
# allow/reset rule ends the search for that packet
ipfw add 00100 allow ip from me to me
ipfw add 00150 allow ip from 192.168.1.0/24 to me            # this is my local network
ipfw add 00150 allow ip from <another friendly IP address> to me
ipfw add 00200 reset tcp from any to me dst-port 5900
# (other ipfw add commands go here to block remote access to other ports)

I can still access VNC on this system remotely by tunneling it over SSH. Then the connection to VNC on that system comes from the system itself, which is allowed by the first ipfw command (from me to me).

I set up the tunnel by executing this from the shell on my local system:

ssh -C -L5910:127.0.0.1:5900 my.machine.net

This causes SSH to establish an encrypted and compressed tunnel between port 5910 on my local machine and port 5900 on my.machine.net. I then point my local VNC client (I use Chicken of the VNC on my MacBook) to 127.0.0.1 display 10, which translates to port 5900+10=5910. (I don't use local port 5900 because that would conflict with VNC on my local machine.)

You should ALWAYS access VNC over an encrypted tunnel and block direct remote access to the VNC server port. The VNC protocol is quite insecure; it's unencrypted, so you have passwords and all sorts of sensitive stuff flying around in the clear, and it's only protected by a fixed password with no provision for individual accounts when more than one user uses the machine. SSH tunneling provides excellent protection, and the -C flag will additionally provide compression for what is a very high traffic protocol though I'm not sure how much it really helps.
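To make concrete what "unencrypted" and "fixed password" mean on the wire, here is an added example (written for this page, not karn's code) that decodes the first bytes a VNC server sends on port 5900: the RFB version banner and the security-type negotiation from RFC 6143 section 7.1, which is everything an anonymous scanner learns before it starts guessing passwords. The server messages are constructed, not captured traffic; the DES challenge-response of "VNC Authentication" is deliberately not implemented; security types 30 to 35 are Apple's registrations in the IANA RFB registry (Screen Sharing) and are only named, not parsed. The display-to-port arithmetic behind the ssh -L5910:127.0.0.1:5900 line is included as display_to_port.

```python
"""Decode a VNC server's opening bytes (added example, not from the thread).

Implements the RFB handshake parsing from RFC 6143 section 7.1 for protocol
versions 3.3, 3.7 and 3.8: the 12-byte version banner and the security-type
negotiation that follows. This is all an anonymous client on port 5900 gets
before authentication, and it is what shows the port is exposed. The server
bytes at the bottom are constructed, not captured traffic; the DES
challenge-response of "VNC Authentication" is deliberately not implemented.
"""
import struct

SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}
APPLE_TYPES = range(30, 36)  # 30-35 are registered to Apple (Screen Sharing / ARD)

def display_to_port(display):
    """VNC display N is TCP port 5900+N, so 'display 10' is 5910."""
    return 5900 + display

def parse_version(banner):
    """b'RFB 003.008\\n' -> (3, 8); raises ValueError for anything else."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    major, minor = banner[4:7], banner[8:11]
    if not (major.isdigit() and minor.isdigit()):
        raise ValueError("malformed RFB version: %r" % banner)
    return int(major), int(minor)

def parse_security(version, data):
    """Return (offered_types, failure_reason) from the bytes after the banner.

    3.3: the server dictates one U32 type (0 = failed, reason string follows).
    3.7/3.8: U8 count, then that many U8 types; count 0 means failed and a
    U32 length plus reason string follows.
    """
    if version == (3, 3):
        (t,) = struct.unpack(">I", data[:4])
        if t == 0:
            (rlen,) = struct.unpack(">I", data[4:8])
            return [], data[8:8 + rlen].decode("latin-1")
        return [t], None
    n = data[0]
    if n == 0:
        (rlen,) = struct.unpack(">I", data[1:5])
        return [], data[5:5 + rlen].decode("latin-1")
    return list(data[1:1 + n]), None

def name_of(t):
    if t in SECURITY_NAMES:
        return SECURITY_NAMES[t]
    return "Apple-registered(%d)" % t if t in APPLE_TYPES else "unknown(%d)" % t

def triage_server_hello(server_bytes):
    """What an unauthenticated client learns from the first bytes the server sends."""
    version = parse_version(server_bytes[:12])
    types, reason = parse_security(version, server_bytes[12:])
    findings = []
    if 1 in types:
        findings.append("type None offered: anyone who can reach the port gets the desktop")
    if 2 in types:
        findings.append("VNC Authentication offered: DES challenge/response on a password "
                        "truncated to 8 bytes, then an unencrypted session")
    if reason is not None:
        findings.append("server refused the connection: " + reason)
    return {"version": version, "types": [name_of(t) for t in types], "findings": findings}

def client_security_choice(version, offered, preferred=(2, 1)):
    """Bytes the client sends to pick a type; a 3.3 server chose already, so nothing."""
    if version == (3, 3):
        return b""
    for t in preferred:
        if t in offered:
            return bytes([t])
    raise ValueError("no acceptable security type among %r" % (offered,))

# Constructed server hellos (banner + security negotiation), not captured traffic.
HELLO_38_VNCAUTH = b"RFB 003.008\n" + bytes([2, 2, 1])                  # offers VNC Auth and None
HELLO_33_NONE = b"RFB 003.003\n" + struct.pack(">I", 1)                  # old server, no auth
HELLO_38_REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 8) + b"Too many"

if __name__ == "__main__":
    for hello in (HELLO_38_VNCAUTH, HELLO_33_NONE, HELLO_38_REFUSED):
        print(triage_server_hello(hello))
    print("ssh -L%d:127.0.0.1:%d host" % (display_to_port(10), display_to_port(0)))
```

Pointed at a real listener with a socket recv of the first 12 bytes and then the next few, triage_server_hello() is the whole "is VNC exposed" check; behind the ipfw reset rule above, an outside client never gets the banner at all, and through the SSH tunnel the banner arrives from 127.0.0.1 only.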
