Anyone ever seen this? Someone just hacked into my Mac

Posted: Sun Apr 08, 2007 11:40 am
by Chris Corbyn
So here I am, sat at a Windows PC in my lounge, VNC'd into my Mac upstairs, typing in XCode. Then suddenly random code started appearing in the editor which I wasn't typing, so I sat and watched. They were trying to run Windows commands from inside my editor (screwing my YAML code up too!).

Here's what they managed to type before I very quickly killed VNC.

Code:

doc_api_method:
      _attributes:    { phpName: ApiMethod }
      id:
      class_id:       { type: integer, foreignTable: doc_api_class, foreignReference: id }
      name:           varchar(255)
      synopsis:       varchar(255)
      body:           text
      index:          integer
      created_at:
    doc_oot5\system32\cmd.exe
    cmd /c echo open
    
    
    5systemr
See where it goes all screwy after created_at: ?

Scary. I'm in a DMZ on the Mac so I'm gonna have to get it firewalled pretty quickly. I don't run the VNC service all the time. I just turn it on for the hour or so I sit in the lounge but that's put me off running it full-stop 8O

Posted: Sun Apr 08, 2007 11:51 am
by jayshields
That's pretty scary, but if I was you I'd have had some fun. While they were typing you should've typed "Hello Stranger, I can see you're in my Mac. Stop typing now or I will burn your house down you #'][#';89^*&%%^$!". Haha.

Posted: Sun Apr 08, 2007 11:55 am
by Benjamin
I have to wonder what the point of entry was. I would assume it was the Windows PC. That is strange though.

Posted: Sun Apr 08, 2007 12:03 pm
by Chris Corbyn
astions wrote: I have to wonder what the point of entry was. I would assume it was the Windows PC. That is strange though.
No, the Mac is in a DMZ so it's totally exposed to the web. The PC is behind the router so for anyone to get to the PC they'd have to hack into my Mac then go to a LAN IP from there. Usually all I'm running is SSH (root disabled) and Samba (only on the LAN). It's only because I was running VNC at the time that they got on so easily. VNC isn't known for being the most secure protocol in the world. I'm curious if they had visual output or just command line because if they could see my Mac's screen I have no clue what they thought they'd achieve by typing in my text editor --- Windows commands on a Mac :?

Posted: Sun Apr 08, 2007 12:09 pm
by Jenk
Sure it was a person and not a time-delayed script? A lot of scripts used these days have time delays between transmissions to avoid security alerts. Especially on RD hijacks and/or terminal hijacks.

Posted: Sun Apr 08, 2007 12:16 pm
by Chris Corbyn
No idea. It was appearing in front of me at the same sort of speed as a human would type. I sort of wish I hadn't killed the session now because they were going to do little harm in a plain-text editor really. It could have been quite amusing to figure out the remote IP whilst they were connected and see if I could wind them up myself.

Reet, I'm off to an egg painting competition and BBQ in Manchester to have a few drinks (and ermm... paint some eggs) (Aqua Bar for anyone in the region who's wondering).

Happy Easter guys! :)

Posted: Sun Apr 08, 2007 3:07 pm
by RobertGonzalez
Happy Easter d11 (and everyone else). Maybe you can catch that craptard again and jam him on it.

Posted: Sun Apr 08, 2007 6:18 pm
by jason
Sorry.

That wasn't supposed to happen.

You weren't supposed to see that.

/me hides under his rock again.

Posted: Sun Apr 08, 2007 6:41 pm
by Buddha443556
d11, did you eliminate the possibility this was an inside job? I vaguely remember your flatmate pranking you on New Years.

Happy Easter!

Posted: Sun Apr 08, 2007 8:40 pm
by dreamscape
If your Mac is accessible over the web, then it was probably an automated script searching for servers with certain Windows exploits... there are tons of them running, and not much you can do about them other than kind of giggle and move on. If you run a server, you know what I'm talking about...

Though why it'd show up in XCode I dunno... that part is a bit strange.

Posted: Mon Apr 09, 2007 6:28 am
by Chris Corbyn
Buddha443556 wrote: d11, did you eliminate the possibility this was an inside job? I vaguely remember your flatmate pranking you on New Years.

Happy Easter!
:lol: Forgot about that. Nah, she's a chick who's not computer savvy and she was getting changed in her room (no computer) at the time so I can rule that one out :)
dreamscape wrote: If your Mac is accessible over the web, then it was probably an automated script searching for servers with certain Windows exploits... there are tons of them running, and not much you can do about them other than kind of giggle and move on. If you run a server, you know what I'm talking about...

Though why it'd show up in XCode I dunno... that part is a bit strange.
Yeah. Well, when I check my server logs I get *a lot* of "POSSIBLE BREAK IN ATTEMPT" in the logs but they're almost always dictionary-bots trying passwords over SSH. I guess it probably was a bot. Just gonna firewall VNC off on my router so it can't happen again in future. I never use VNC from the web to get to my Mac, I just use it within my house.
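
Added example, not part of the post above and not the poster's own tooling: one way to separate dictionary-style SSH password guessing from ordinary mistyped logins in an sshd log, and to surface the case that matters most (a guessing source that later logs in). The log lines are constructed samples in OpenSSH's syslog format, and the `summarize` function, its `min_users` threshold and the verdict names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format; IPs are documentation/private ranges.
SAMPLE_LOG = """\
Apr  8 03:11:02 mac sshd[411]: reverse mapping checking getaddrinfo for host.example.net [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  8 03:11:03 mac sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Apr  8 03:11:05 mac sshd[413]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Apr  8 03:11:07 mac sshd[415]: Failed password for root from 203.0.113.5 port 40131 ssh2
Apr  8 03:11:09 mac sshd[417]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Apr  8 09:30:41 mac sshd[502]: Failed password for chris from 192.168.1.20 port 50211 ssh2
Apr  8 09:30:47 mac sshd[502]: Accepted password for chris from 192.168.1.20 port 50211 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
# sshd logs this text when the reverse-DNS check on the client address fails.
RDNS = re.compile(r"\[([^\]]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!")

def summarize(log_text, min_users=3):
    """Return {source_ip: stats} with a verdict per source address."""
    seen = defaultdict(lambda: {"failed": 0, "users": set(),
                                "rdns_warning": False, "accepted": False})
    for line in log_text.splitlines():
        if (m := FAILED.search(line)):
            entry = seen[m.group(2)]
            entry["failed"] += 1
            entry["users"].add(m.group(1))
        elif (m := ACCEPTED.search(line)):
            seen[m.group(2)]["accepted"] = True
        elif (m := RDNS.search(line)):
            seen[m.group(1)]["rdns_warning"] = True
    for entry in seen.values():
        # Many distinct usernames from one address is the dictionary pattern.
        guessing = len(entry["users"]) >= min_users
        if guessing and entry["accepted"]:
            entry["verdict"] = "guessing-then-login"  # investigate this one first
        elif guessing:
            entry["verdict"] = "dictionary-bot"
        else:
            entry["verdict"] = "low-volume"
    return dict(seen)

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, e["verdict"], e["failed"], sorted(e["users"]), e["rdns_warning"])
```
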

Posted: Tue Apr 10, 2007 3:22 am
by JayBird
I have had this on my Windows-based server that is also running VNC. They open the "run" box and execute a load of commands.

Posted: Tue Apr 10, 2007 3:27 am
by Chris Corbyn
VNC must be worryingly insecure. Maybe I'll try tunneling it through SSH and launch it via cygwin/X.

Posted: Tue Apr 10, 2007 3:29 am
by Kieran Huggins
Do you have a password set in VNC?

Posted: Tue Apr 10, 2007 3:29 am
by Jenk
VNC is quite weak for security. I don't know of any other free alternatives.