9 Replies Latest reply: Dec 2, 2008 11:23 AM by edclange
austin m Level 1 (125 points)
I noticed today, after being out of town for the holidays, that my password was no longer working when trying to administer things... I ended up having to log in as root and reset the password for my other accounts.

I also noticed, in moving through the Finder, that in my home folder there was now an unnamed folder, and inside it is a folder named "botdarwin".

Upon checking my bash history I discovered that quite a few Terminal commands had been run as well.

Are any of the Terminal guys able to decipher exactly what they were trying to accomplish?


I have a screenshot of the folder structure as well as a list of the Terminal commands that were executed here:

http://file.meyersproduction.com/botdarwin

I'm not sure what the attack vector was because other people have access to my computer. I'll be thoroughly quizzing them later today.

2.8 dual quad macPro, Mac OS X (10.5.5), 7GB ram x1900 FCS 2 1TB RAID 0
  • nerowolfe Level 6 (13,070 points)
    When you do find out who did this, perhaps it's time to stop letting other people use your computer, and certainly never give them your administrator account password.
    Clearly this is not a Leopard or OS problem, but one of a security breach on your part.

    Prevention is the first step. Lock down your computer securely.
    It's not a trojan bot, it's lack of security. The problem did not come in via the network, but via some user's fingers.

  • austin m Level 1 (125 points)
    I am fully aware of what a trojan is and how it operates; I only post this for others who might not be so savvy as to why their password no longer works.

    Only I and one other person have access to this machine, and that other person is going to get a nice talking-to later.
  • austin m Level 1 (125 points)
    So after talking to the other user of my computer, they insist that they didn't download or install anything.

    That said, I did have some ports open to the internet, but my router wasn't properly configured for them to be accessible from the internet. I had SSH, web sharing, print sharing, and remote management turned on. I know for a fact it wasn't accessible because I couldn't SSH in or VPN in whilst I was out of town.
  • biovizier Level 5 (7,925 points)
    ..."I know for a fact it wasn't accessible because I couldn't SSH in or VPN in whilst I was out of town."...

    Can that be taken as conclusive given that you said your password had been changed?
  • Topher Kessler Level 6 (9,790 points)
    I'm not going to open the file, but it looks like a program to provide random chat replies...perhaps in iChat, or maybe for a game or some other chat service. In that sense it may just be a "chat" bot. Still, I'd not chance anything.
  • Jane Knox Level 3 (690 points)
    I found this at darwinbots dot com:
    Darwinbots is an open source artificial life simulator which attempts to simulate artificial life and evolution. It simulates Von Neumann machines (and Von Neumann probes like the Monolith) better than it simulates biological life, necessarily.

    and
    Darwinbots is an Artificial Life simulator that merges the gameplay of C-Robots type arena combat with adaptive asexual population dynamics.

    Have you downloaded a game or something similar?
  • austin m Level 1 (125 points)
    I hadn't been able to remotely access my machine prior to the hack due to my port forwarding not being set up correctly.

    Some folks over at MacRumors said it's the EnergyMech IRC bot.
  • biovizier Level 5 (7,925 points)
    Similar name, but something different, I think. It does look like it is "energymech".
  • edclange Level 3 (900 points)
    Is there anything interesting in the output of the "last" command (in Terminal)?

    If it's an IRC bot, and it's still running, you might be able to figure out what IRC server and channel it's using with the "netstat -a" command in Terminal. This will show all of the established TCP connections on your machine.

    If your intruder's trail is in your shell history, chances are there are other trails. Poke around in the Console application, or the files in /var/log.

    There's a sendmail executable in your screen capture. This means that the bot has the capability of sending e-mail. That could be bad news.

    Bottom line is, your machine has been compromised. You should wipe it clean and reinstall it from scratch.
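As an added example (not part of the thread, and not EnergyMech's or Apple's code), the following POSIX sh script applies the three checks edclange lists (remote logins in `last`, established connections in `netstat -a`, and the services left listening) to constructed sample output of the BSD `netstat -an` and `last` formats that Mac OS X prints. The sample addresses, usernames and dates are made up, and the port range treated as "IRC-like" (6660-6669, 6697, 7000) is an assumption, not something the thread states. On a live machine you would pipe the real commands into the same functions: `netstat -an | irc_suspects`, `last | remote_logins`.

```shell
#!/bin/sh
# Triage helpers for a suspected IRC bot on Mac OS X (added example, not from the thread).
# Each function reads command output on stdin so it can be run on live output or on the
# constructed samples below.

# Constructed sample of `netstat -an` (BSD format: host.port, state in the last column).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49213     198.51.100.7.6667      ESTABLISHED
tcp4       0      0  192.168.1.20.49220     203.0.113.9.443        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.20.49301     192.0.2.55.6697        ESTABLISHED
tcp4       0      0  192.168.1.20.49305     192.0.2.55.25          SYN_SENT'

# Constructed sample of `last` (BSD format: user, tty, optional source host, then the date).
SAMPLE_LAST='austin    ttys000                   Mon Dec  1 09:12   still logged in
austin    ttys001  203.0.113.45     Sat Nov 29 02:17 - 02:44  (00:27)
reboot    ~                         Fri Nov 28 18:02

wtmp begins Fri Nov 28 18:02'

# Print "remote_host remote_port" for every ESTABLISHED TCP session on stdin.
# BSD netstat joins host and port with a dot, so the port is the last dotted field.
established_remotes() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        n = split($5, a, ".")
        port = a[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        print host, port
    }'
}

# Keep only established peers on ports commonly used by IRC servers (assumed range).
irc_suspects() {
    established_remotes | awk '($2 >= 6660 && $2 <= 6669) || $2 == 6697 || $2 == 7000'
}

# List the local TCP ports something is listening on (the services left exposed).
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' | sort -n | uniq
}

# From `last` output, print logins that carry a source host, i.e. remote (SSH/VPN) sessions.
# Local console/tty logins have no host column, so the third field is the weekday instead.
remote_logins() {
    awk 'NF >= 4 && $1 != "reboot" && $1 != "shutdown" && $1 != "wtmp" \
         && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $1, $3, $4, $5, $6, $7 }'
}

# Demo run against the constructed samples.
echo "== established sessions on IRC-like ports =="
printf '%s\n' "$SAMPLE_NETSTAT" | irc_suspects
echo "== listening TCP ports =="
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
echo "== logins with a remote source host =="
printf '%s\n' "$SAMPLE_LAST" | remote_logins
```

The script only narrows the search; it does not identify the process. On a live system, `lsof -i -P` shows which process owns each connection, and `ps aux` lists anything running out of the unnamed folder. None of this changes edclange's conclusion: once an intruder has run commands as your user and changed passwords, the evidence is for understanding how it happened, and the machine should still be wiped and reinstalled.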