Anyone ever seen this? Someone just hacked into my Mac

Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

So here I am, sat at a Windows PC in my lounge, VNC'd into my Mac upstairs, typing in XCode. Then suddenly random code started appearing in the editor which I wasn't typing, so I sat and watched. They were trying to run Windows commands from inside my editor (screwing my YAML code up too!).

Here's what they managed to type before I very quickly killed VNC.

doc_api_method:
      _attributes:    { phpName: ApiMethod }
      id:
      class_id:       { type: integer, foreignTable: doc_api_class, foreignReference: id }
      name:           varchar(255)
      synopsis:       varchar(255)
      body:           text
      index:          integer
      created_at:
    doc_oot5\system32\cmd.exe
    cmd /c echo open
    
    
    5systemr
See where it goes all screwy after created_at: ?

Scary. I'm in a DMZ on the Mac so I'm gonna have to get it firewalled pretty quickly. I don't run the VNC service all the time. I just turn it on for the hour or so I sit in the lounge but that's put me off running it full-stop 8O
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

That's pretty scary, but if I was you I'd have had some fun. While they were typing you should've typed "Hello Stranger, I can see you're in my Mac. Stop typing now or I will burn your house down you #'][#';89^*&%%^$!". Haha.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I have to wonder what the point of entry was. I would assume it was the Windows PC. That is strange though.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

astions wrote: I have to wonder what the point of entry was. I would assume it was the Windows PC. That is strange though.

No, the Mac is in a DMZ so it's totally exposed to the web. The PC is behind the router so for anyone to get to the PC they'd have to hack into my Mac then go to a LAN IP from there. Usually all I'm running is SSH (root disabled) and Samba (only on the LAN). It's only because I was running VNC at the time that they got on so easily. VNC isn't known for being the most secure protocol in the world. I'm curious if they had visual output or just command line because if they could see my Mac's screen I have no clue what they thought they'd achieve by typing in my text editor --- Windows commands on a Mac :?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Sure it was a person and not a time-delayed script? A lot of scripts used these days have time delays between transmissions to avoid security alerts. Especially on RD hijacks and/or terminal hijacks.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

No idea. It was appearing in front of me at the same sort of speed as a human would type. I sort of wish I hadn't killed the session now because they were going to do little harm in a plain-text editor really. It could have been quite amusing to figure out the remote IP whilst they were connected and see if I could wind them up myself.

Reet, I'm off to an egg painting competition and BBQ in Manchester to have a few drinks (and ermm... paint some eggs) (Aqua Bar for anyone in the region who's wondering).

Happy Easter guys! :)
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Happy Easter d11 (and everyone else). Maybe you can catch that craptard again and jam him on it.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

Sorry.

That wasn't supposed to happen.

You weren't supposed to see that.

/me hides under his rock again.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

d11, did you eliminate the possibility this was an inside job? I vaguely remember your flatmate pranking you on New Years.

Happy Easter!
dreamscape
Forum Commoner
Posts: 87
Joined: Wed Jun 08, 2005 10:06 am
Contact:

Post by dreamscape »

If your Mac is accessible over the web, then it was probably an automated script searching for servers with certain Windows exploits... there are tons of them running, and not much you can do about them other than kind of giggle and move on. If you run a server, you know what I'm talking about...

Though why it'd show up in XCode I dunno... that part is a bit strange.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Buddha443556 wrote: d11, did you eliminate the possibility this was an inside job? I vaguely remember your flatmate pranking you on New Years.

Happy Easter!
:lol: Forgot about that. Nah, she's a chick who's not computer savvy and she was getting changed in her room (no computer) at the time so I can rule that one out :)

dreamscape wrote: If your Mac is accessible over the web, then it was probably an automated script searching for servers with certain Windows exploits... there are tons of them running, and not much you can do about them other than kind of giggle and move on. If you run a server, you know what I'm talking about...

Though why it'd show up in XCode I dunno... that part is a bit strange.
Yeah. Well, when I check my server logs I get *a lot* of "POSSIBLE BREAK IN ATTEMPT" in the logs but they're almost always dictionary-bots trying passwords over SSH. I guess it probably was a bot. Just gonna firewall VNC off on my router so it can't happen again in future. I never use VNC from the web to get to my Mac, I just use it within my house.
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK
Contact:

Post by JayBird »

I have had this on my Windows-based server that is also running VNC. They open the "run" box and execute a load of commands.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

VNC must be worryingly insecure. Maybe I'll try tunneling it through SSH and launch it via cygwin/X.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

Do you have a password set in VNC?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

VNC is quite weak for security. I don't know of any other free alternatives.