Xmas Port Scan Attack From A Friendly Mac ??

Discussion in 'Apple' started by Kurt R. Todoroff, Jul 8, 2006.

  1. A couple of years ago, I installed both OSXVNC and Chicken Of The VNC on
    my G4 iMac, my wife's G4 iMac, and my father's G5 iMac. This allows me
    to update their software, and perform periodic maintenance on their
    computers from my house. Conversely, if I am at their locations, I can
    access my home Mac. This arrangement has worked well for us.

    This morning, I was showing somebody how to access their router's
    activity logs by using my Mac. I rarely look at the logs. In doing so,
    I discovered the following:

    Xmas port scan attack from WAN (ip:xxx.xxx.xxx.xxx) detected.

    SYN-ACK port scan attack from WAN (ip:xxx.xxx.xxx.xxx) detected.

    and others.

    These log entries occur every day for the duration of the router log
    (forty pages of logs). The attacks occur once or twice a day. However,
    I am quite puzzled that one of the Xmas port scan attacks is coming from
    my father's Mac WAN IP address. This is especially puzzling because:

    A: my parents were out of town at the time that the log states
    the attack occurred (his computer was turned on, and I was
    able to access it via VNC),

    B: my father wouldn't have a clue how to do this

    C: my father downloads movies and pictures from email, however
    he doesn't download applications. I check his Mac from time
    to time to verify this.

    This has me stumped. Is anyone familiar with this behavior?

    Thank you.


    Kurt Todoroff

    Markets, not mandates and mob rule.
    Consent, not coercion.
    Kurt R. Todoroff, Jul 8, 2006
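One way to triage log entries like the ones quoted above, as an added example that is not part of the original thread: a small POSIX shell/awk script that tallies the router's scan messages by scan type and source address and marks any source that belongs to a machine you manage yourself. The message format is taken from the two lines quoted in the post; the addresses, the "friendly" list and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): tally a router's
# "port scan attack" log lines by scan type and source address, and mark
# sources that belong to machines we manage ourselves.
# The message format follows the two lines quoted in the post; the
# addresses below are constructed (RFC 5737 documentation ranges).

# Constructed sample of router log lines.
SAMPLE_LOG='Xmas port scan attack from WAN (ip:198.51.100.7) detected.
SYN-ACK port scan attack from WAN (ip:203.0.113.40) detected.
Xmas port scan attack from WAN (ip:192.0.2.10) detected.
Xmas port scan attack from WAN (ip:198.51.100.7) detected.
DHCP lease renewed for WAN interface'

# Space-separated WAN addresses of machines we manage (hypothetical:
# the father's Mac). Anything here that shows up as a scan source needs
# a closer look at that machine, not at the router.
FRIENDLY_IPS='192.0.2.10'

# summarise_scans: read router log lines on stdin, print one line per
# (type, source) pair as "COUNT TYPE IP", with " FRIENDLY" appended when
# the source is one of ours. Highest counts first.
summarise_scans() {
    awk -v friendly="$FRIENDLY_IPS" '
        BEGIN {
            n = split(friendly, f, " ")
            for (i = 1; i <= n; i++) known[f[i]] = 1
        }
        # Only lines in the scan-detection message format are counted.
        / port scan attack from WAN \(ip:[^)]+\) detected\./ {
            type = $1                       # "Xmas", "SYN-ACK", ...
            ip = $0
            sub(/.*\(ip:/, "", ip)          # drop everything before the address
            sub(/\).*/, "", ip)             # drop everything after it
            count[type " " ip]++
        }
        END {
            for (k in count) {
                split(k, parts, " ")
                tag = (parts[2] in known) ? " FRIENDLY" : ""
                printf "%d %s %s%s\n", count[k], parts[1], parts[2], tag
            }
        }' | sort -rn
}

# friendly_scan_sources: only the entries attributed to our own machines.
friendly_scan_sources() {
    summarise_scans | grep ' FRIENDLY$' || true
}

printf '%s\n' "$SAMPLE_LOG" | summarise_scans
```

Reading the log this way separates the background noise (one or two scans a day from addresses you have never heard of is normal for any WAN-facing router) from the single entry that matters in this thread: a source marked FRIENDLY. An Xmas scan is a TCP packet with the FIN, PSH and URG flags set at once, which no ordinary connection (VNC, mail, web browsing) produces, so a FRIENDLY entry means either that something on that machine is sending such packets or that the router is misclassifying traffic; the log line alone does not say which, and the next step is to look at the machine itself.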
  2. D P Schreber (Guest)

    My first guess is that someone hacked the machine by using the very same
    vnc service -- not hard to do unless you were _very_ careful in choosing
    a password. Leaving a vnc server running on the open internet is not a
    particularly good idea.

    What other services are open on this machine?

    Although theoretical exploits exist, there is currently no known malware
    in the wild that could compromise a Mac through this means. If your
    parents' Mac has been hacked, the hacker almost certainly went through
    an open service, not through a virus or the like. Eventually viruses will
    be a problem for OS X, but they're not at the moment.

    Another possibility is that your router is mistaking ordinary traffic
    for an attack attempt. But that doesn't seem very likely for a port
    D P Schreber, Jul 8, 2006
  3. Tom Stiller (Guest)

    Not too risky if you use public key encryption for SSH login and only
    allow local connections to VNC, so remote users have to tunnel the VNC
    connection via SSH.

    Tom Stiller, Jul 8, 2006
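The arrangement this post describes, as an added example in POSIX shell that is not part of the original thread: the VNC server left listening only on the loopback address, reached through an SSH port forward that accepts keys only, plus a check against `netstat -an` output that the VNC port really is not bound to a WAN-reachable address. The host name, user name, sshd settings and netstat samples are constructed for illustration; the ssh and sshd options are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example (not from the original thread): VNC reachable only through
# an SSH tunnel with key authentication, and a check that the VNC port is
# not listening on a non-loopback address. Names and samples are constructed.

VNC_PORT=5900                        # default RFB/VNC port for display :0
LOCAL_PORT=5901                      # local end of the tunnel on the admin's Mac
REMOTE_HOST='dads-imac.example.net'  # hypothetical WAN name of the remote Mac
REMOTE_USER='kurt'                   # hypothetical account with an authorized_keys entry

# tunnel_command: the ssh invocation that forwards LOCAL_PORT on this
# machine to 127.0.0.1:VNC_PORT on the remote Mac.
#   -N                              no remote shell, forwarding only
#   -o PasswordAuthentication=no    fail instead of falling back to a password
#   -o ExitOnForwardFailure=yes     exit rather than sit half-connected
# The VNC client is then pointed at localhost:LOCAL_PORT.
tunnel_command() {
    printf 'ssh -N -o PasswordAuthentication=no -o ExitOnForwardFailure=yes -L %s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$VNC_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# sshd_hardening: sshd_config lines for the remote Mac so that only keys are
# accepted. Printed rather than written, because the config path and the way
# to reload sshd differ between OS X releases.
sshd_hardening() {
    printf '%s\n' \
        'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' \
        'PubkeyAuthentication yes'
}

# vnc_exposed: read `netstat -an` style output on stdin and return 0 (true)
# if VNC_PORT is listening on anything other than 127.0.0.1 / ::1, else 1.
# Handles both BSD/macOS ("127.0.0.1.5900") and Linux ("0.0.0.0:5900") forms.
vnc_exposed() {
    awk -v port="$VNC_PORT" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            # host and port are separated by the last "." (BSD) or ":" (Linux)
            if (match(addr, /[.:][0-9]+$/)) {
                p = substr(addr, RSTART + 1)
                h = substr(addr, 1, RSTART - 1)
                if (p == port && h != "127.0.0.1" && h != "::1") exposed = 1
            }
        }
        END { exit exposed ? 0 : 1 }'
}

# Constructed netstat samples: one with VNC on all interfaces, one with VNC
# confined to loopback (only SSH is reachable from outside).
EXPOSED_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'
SAFE_NETSTAT='tcp4       0      0  127.0.0.1.5900         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN'

if printf '%s\n' "$EXPOSED_NETSTAT" | vnc_exposed; then
    echo "sample 1: VNC port $VNC_PORT is reachable from outside"
fi
if ! printf '%s\n' "$SAFE_NETSTAT" | vnc_exposed; then
    echo "sample 2: VNC port $VNC_PORT is loopback-only; use: $(tunnel_command)"
fi
```

Two caveats the post leaves implicit: the tunnel only helps if the router no longer forwards port 5900 to the Mac at all (a loopback-only bind on the Mac plus a stale forward is fine, but a forward to a VNC server still bound to all interfaces is not, which is what the `vnc_exposed` check is for), and the VNC password still matters as a second layer, because anyone who obtains the SSH key gets to the VNC prompt.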
  4. D P Schreber (Guest)

    None of which the OP ever mentioned even in passing, though as it
    happens this is why I asked him what other services he had running. But
    you decided to snip that part:
    What a clever fellow!

    And what a wasteland usenet has turned into...
    D P Schreber, Jul 9, 2006
  5. Tom Stiller (Guest)

    And you cleverly omitted your comment "Leaving a vnc server running on
    the open internet is not a particularly good idea" to which I was
    more's the pity.
    Tom Stiller, Jul 9, 2006
  6. D P Schreber (Guest)

    If the vnc server is only accessible on localhost through an ssh tunnel,
    then it isn't "running on the open internet", now is it? Or do you not
    understand the distinction?

    If the OP's parents' Mac is "running a vnc server on the open internet",
    then he should be looking there as a possible channel of compromise. Mr
    Stiller's irrelevant blather notwithstanding, leaving such a server
    running is not a good idea without taking special measures regarding
    passwords, though it's ok to turn it on briefly when his parents need
    assistance. Either way, whether the vnc server is open or not, we (ie,
    those of us who actually want to help the OP) need to know what other
    open services are running, including but not restricted to ssh.
    D P Schreber, Jul 9, 2006
  7. Tom Stiller (Guest)

    I guess I just don't get it. Accessibility by anyone with the proper
    keys from anywhere in the world constitutes running on the open internet
    to me, but then I'm not as picky as some.
    I'll let the OP decide if my comments constitute "irrelevant blather";
    your opinion doesn't matter.
    Tom Stiller, Jul 9, 2006
  8. D P Schreber (Guest)

    Let's try this again.

    For now we should assume that your parents' Mac has been compromised.
    It might not have been -- we don't have enough information yet to say
    one way or the other. So no action is required yet. But if it has
    been, you need to wipe the disc and reinstall, and you need to configure
    the machine more securely. The answers to the questions below will help
    determine where your parents' machine might have security holes, and
    should suggest ways you might fix them.

    1. Is the vnc server open (ie directly accessible), or is it only
    accessible through tunneling?

    2. If the server is open, is the port it's using protected in any way
    via firewalling? For example did you add a manual firewall rule so that
    it would only accept vnc connection requests from your machine?

    3. Did you choose a vnc password that's not crackable through a simple
    dictionary attack? Do you change the password often or does it stay
    fixed? Have you sent the password via email? Is it stored anywhere in
    an unencrypted way?

    4. Does, or can, OSXvnc keep a log of connection requests? If it has a
    log, have you looked at it?

    5. When you connect via vnc, does it come up logged in or does it come
    up with the osx login screen? If it's already logged in, is it logged
    in to an admin account?

    6. What other open servers, if any, are running on that Mac? Are they
    firewalled or protected in any way? If they use password authentication,
    are the passwords safe? Do these servers keep logs of connections?
    D P Schreber, Jul 9, 2006