Re: Month of Apple Bugs Dec 20 2006 02:39PM
Dave Schroeder (das doit wisc edu)

On Dec 19, 2006, at 6:51 PM, David Fedoruk wrote:

> Hello
>
> This report is indeed interesting since the possibility of an "IRC"
> bot being installed has come up on the Mac OS X Server list recently.
> But I have to say that the lack of specificity about which "bot" they
> are talking about leads me to believe that it's really an unknown
> quantity.
>>
>> Thanks, but before that, you may look at this report:
>>
>> http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00422.html
>
> Again, people who *should* know, don't seem to mention which bot or
> who wrote it. I have some continuing interest in this issue because I
> have, in the past, run an "IRC" bot. It is a GNU GPL project called
> Eggdrop. It is the original IRC bot designed to preserve the integrity
> and security of IRC channels before the existence of IRC Services.

The IRC "bot" I have seen several times in this context, which
usually gets installed because of a vulnerable php web application (a
php shell usually gets installed, too), is psyBNC.

It's probably not eggdrop, and it's unlikely that people on the local
machine are installing it.

Every time, to date, that I have seen a Mac OS X Server system
compromised, it has been via one of two channels:

- ssh attack, and an account such as "test/test", "temp/temp",
"carol/carol", or "mike/password", or similar has been confirmed to
have existed. In this instance, the user account itself gets used for
malicious purposes, almost invariably to send spam or run an IRC
bouncer.

- compromise via vulnerable php web application, for which there is
almost invariably a patch, but the person has never installed it. In
this case, the software that is uploaded is usually a php shell and
other tools, all of which are owned by 'www'. They are usually placed
somewhere within the hierarchy of a web site where appropriate
permissions exist, or in /tmp or /var/tmp. In this case, I almost
always see the psyBNC IRC bouncer/"bot", which allows the host to,
among other things, be used as a file sharing host.

Sometimes in either scenario, the attackers will install a
toolkit/rootkit that tries to take advantage of issues specific to the
platform. Some of these kits are now aware of Darwin/Mac OS X.

But the point is that the initial mode of compromise is NOT via any
shortcomings or vulnerabilities in Mac OS X/Mac OS X Server itself.
It's always via a (usually ridiculously) weak account password via
ssh, or via a vulnerable php web application (like forum software,
blog, wiki, etc., which could have been updated, but wasn't).

- Dave
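A small triage helper for the two compromise channels described in the message above (throwaway ssh accounts, and www-owned tooling plus psyBNC dropped via a php application); this is an added example, not code from the original post. It assumes the web server runs as user 'www' (the admin passes the user and directories in), that account data is supplied in passwd(5) format (on Mac OS X Server it would first have to be exported from Directory Services), and that process lines come from something like `ps -axo user,pid,comm`.

```shell
#!/bin/sh
# Added example: post-compromise triage for the patterns in the message.
# Assumptions: web server user is passed as $1 (e.g. 'www'); account data
# is passwd(5)-format lines on stdin; process lines are 'user pid command'.

# Regular files under the given directories that are owned by the web-server
# user and look like uploaded tooling: PHP scripts, executables, or anything
# named psybnc*. Missing directories are skipped silently.
find_www_uploads() {
    web_user="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -user "$web_user" \
            \( -name '*.php' -o -perm -100 -o -iname 'psybnc*' \) 2>/dev/null
    done
}

# Accounts whose names follow the throwaway pattern (test, temp, guest, ...)
# and still have a usable login shell. Reads passwd-format lines on stdin.
flag_throwaway_accounts() {
    awk -F: '$7 !~ /(false|nologin)$/ &&
             $1 ~ /^(test|temp|tmp|guest|demo|user)[0-9]*$/ { print $1 }'
}

# Process-listing lines whose command is (or is a path ending in) psybnc.
# '|| true' keeps a clean listing from aborting a 'set -e' script.
flag_bouncer_procs() {
    grep -iE '(^|[/ ])psybnc' || true
}

# Typical use on a suspect host (www is the Mac OS X Server web user):
#   find_www_uploads www /tmp /var/tmp /Library/WebServer/Documents
#   flag_throwaway_accounts < /etc/passwd
#   ps -axo user,pid,comm | flag_bouncer_procs
```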
