!! Password not working... Result of TROJAN/BOT !!

I noticed today after being out of town for the holidays that my password was no longer working when trying to administer things... I ended up having to log in as root and reset the password for my other accounts.

I also noticed, in moving through the Finder, that in my home folder there was now an unnamed folder, and inside it a folder named "botdarwin".

Upon checking my bash history I discovered quite a few terminal commands had been run as well.

Any of the terminal guys able to decipher exactly what they were trying to accomplish?


I have a screenshot of the folder structure, as well as a list of the terminal commands that were executed, here:

http://file.meyersproduction.com/botdarwin

I'm not sure what the attack vector was because other people have access to my computer. I'll be thoroughly quizzing them later today.

2.8 GHz dual quad-core Mac Pro, Mac OS X (10.5.5), 7 GB RAM, X1900, FCS 2, 1 TB RAID 0

Posted on Dec 1, 2008 12:17 PM

9 replies

Dec 1, 2008 12:58 PM in response to austin m


When you do find out who did this, perhaps it's time to stop letting other people use your computer, and certainly never give them your administrator account password.
Clearly this is not a Leopard or OS problem, but one of a security breach on your part.

Prevention is the first step. Lock down your computer securely.
It's not a trojan bot, it's lack of security. The problem did not come in via the network, but via some user's fingers.


Dec 1, 2008 2:08 PM in response to austin m

So after talking to the other user of my computer, they insist that they didn't download or install anything.

That said, I did have some ports open to the internet, but my router wasn't properly configured for them to be accessible from the internet. I had SSH, web sharing, print sharing, and remote management turned on. I know for a fact it wasn't accessible because I couldn't SSH in or VPN in whilst I was out of town.

Dec 1, 2008 4:38 PM in response to austin m

I found this at darwin bots dot com:
Darwinbots is an open source artificial life simulator which attempts to simulate artificial life and evolution. It simulates Von Neumann Machines (and Von Neumann probes like the Monolith) better than it simulates biological life necessarily.

and
Darwinbots is an Artificial Life simulator that merges the gameplay of C-Robots type arena combat with adaptive asexual population dynamics.

Have you downloaded a game or something similar?

Dec 2, 2008 11:23 AM in response to austin m

Is there anything interesting in the output of the "last" command (in Terminal)?

If it's an IRC bot, and it's still running, you might be able to figure out what IRC server and channel it's using with the "netstat -a" command in Terminal. This will show all of the established TCP connections on your machine.

If your intruder's trail is in your shell history, chances are there are other trails. Poke around in the Console application, or the files in /var/log.

There's a sendmail executable in your screen capture. This means that the bot has the capability of sending e-mail. That could be bad news.

Bottom line is, your machine has been compromised. You should wipe it clean and reinstall it from scratch.
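The triage the reply above describes (look for established IRC connections in netstat, check which services the box exposes, as the poster's earlier note about SSH, web sharing and remote management being on, and find folders that appeared while the owner was away) can be scripted. The helpers below are an added example for this thread, not code from any of the posters. They assume the BSD/macOS `netstat -an` column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, state, with the port as the last dot-separated field of an address), IRC on TCP 6667 or 6697, and `find` with `-mindepth`. The netstat output embedded in the script is constructed sample data, not anything captured from the poster's machine.

```shell
#!/bin/sh
# Added triage helpers for the thread above; not from the original posts.
# Assumptions: BSD/macOS `netstat -an` layout as in the constructed sample,
# IRC on TCP 6667/6697, find(1) supporting -mindepth.

# Constructed sample of `netstat -an` output (not captured from the poster's machine).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.49172     203.0.113.5.6667       ESTABLISHED
tcp4       0      0  192.168.1.10.49180     198.51.100.7.80        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
udp4       0      0  *.631                  *.*'

# irc_peers: read netstat output on stdin and print the foreign address of
# every ESTABLISHED TCP connection whose remote port is an IRC port.
# Field 5 is the foreign address; the state is the last field.
irc_peers() {
    awk '$NF == "ESTABLISHED" && $5 ~ /\.(6667|6697)$/ { print $5 }'
}

# listening_ports: read netstat output on stdin and print the local port of
# every socket in LISTEN state, i.e. the services the machine exposes
# (22 = SSH, 5900 = remote management / VNC, 80 = web sharing, ...).
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }'
}

# newer_dirs DIR REF: list directories below DIR modified more recently than
# the file REF. Pointing REF at any file with a known pre-trip timestamp is a
# quick way to surface folders (such as the unnamed one holding "botdarwin")
# that appeared while the owner was away.
newer_dirs() {
    find "$1" -mindepth 1 -type d -newer "$2"
}

# Stand-alone run over the constructed sample. On a real machine replace the
# printf with `netstat -an`; -n skips reverse DNS lookups that would leak the
# investigation and slow the listing down.
printf '%s\n' "$SAMPLE_NETSTAT" | irc_peers
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
```

On the affected machine the same three checks are `netstat -an | irc_peers`, `netstat -an | listening_ports`, and `newer_dirs "$HOME" /some/file/touched/before/the/trip`. The results are only as trustworthy as the binaries on a compromised box, so they are for orientation before the reinstall the reply recommends, not a substitute for it.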

