High Sierra 10.13.0 has a serious ssh flaw (exploited in the wild)?
Anyone else noticed this one...?
Take a 10.13.0 system and put it on a public IP with Remote Login enabled (to a single user with a crazy-strong password), where past systems have sat fine for years with ssh enabled for a single user with a changing password. Within a few days, random system users (MySQL Admin, MySQL Server, FTP Daemon, FTP Admin, Unprivileged user, sshd privileged separation, etc.) start appearing as "Sharing only" in System Preferences > Users & Groups, until, eventually, root is enabled. Disable root and it gets re-enabled. Change the root password and it gets re-changed to something else. Delete the "Sharing only" users and they (or others) eventually come back (and some should rarely ever exist, like the _www user) and more get added. Clean the Mac with new users/passwords and watch it all happen even faster (it's not brute force, but they now know you're running 10.13.0 and hit you faster, it seems?).
Replace the 10.13.0 system with a 10.12.6 one and you're (relatively/respectively/comparatively) fine.
DO NOT ENABLE Remote Login on 10.13.0 at all, but if you must, make sure to set up a firewall (kudos to Murus, which helps with obtuse pf, since the built-in firewall is app-only, with no IP restrictions).
NOTE: Yes, not having a firewall is bad form, but this 10.13.0 issue is serious and does not happen with prior OS X releases, and the above effectively simulates what you can expect with BYOD, when a bunch of users start bringing this pwned junk into your network...
I'm not sure exactly how it's being exploited, but I have seen this three times already, so there's something amiss.
macOS High Sierra (10.13)