Intruder Alert

One of the keys to computer security is monitoring key system files to see if they’ve been secretly modified. (See this CERT note for more information.) To that end I run a nifty little utility from Brian Hill called Checkmate on my Macs. Last night Checkmate found traces of an intruder on my iBook.
Three files had recently been changed: sshd, slogin, and du. The first two are for secure login to my system, the last is a unix tool called disk usage, used to check how full the drives are. An innocuous (and little used) system file like du is a good place for a hacker to store a trojan horse program. Modifying sshd and slogin is a well-known way to capture the root password (see Mike Chandler’s post on the message boards). I hadn’t changed either program recently, nor had any system updates. The modified files were clear evidence of an intrusion on my system.

There was no evidence of tampering in the system logs (no surprise there – any hacker worth his salt would have fixed that), but I quickly changed all my passwords, replaced the effected system files, and checked all my security settings.

What surprises me is that I have always considered this system to be basically secure. I run the built-in FreeBSD firewall, ipfw, on it all the time. I used Brian Hill’s Brickhouse to configure it and I’m pretty sure I tightened everything down. At home it’s sitting behind two NAT servers, my Linksys router and an Airport which should make the system hard to see on the net. At work it’s on the firewall protected corporate net (no idea how secure THAT is however – I know of at least one successful hack on it – but I have to think it’s at least as secure as my own system). My iBook passes the ShieldsUp test with flying colors (all green). nmap shows all ports closed.

The weak link is the Airport wireless network. I can only think that someone got in through the wireless LAN either at home or, more likely, at the studio. 802.11b security is notoriously weak. But I use Airport everywhere and I’m just not willing to stop. (OK I’m a wireless LAN addict – I admit it.)

I probably should reformat the hard drive and reinstall everything from scratch, but it’s just too much work. There’s nothing on here that’s particularly private, and the firewall prevents the system from being used in a DDOS attack. So I’m just going to continue as before, making regular backups of my data, and keeping an eye out for other suspicious activity.

I guess the moral of all this is that, even with reasonable precautions, any system is hackable. I don’t think the average user can be expected to do more than run a firewall and cross his fingers. And that means that hackers will continue to have free run of the net. We’ll just have to learn to live with them. Like cockroaches. But it’s good to remember that they’re out there, and that there are some things we all need to do to keep them at least a little in check.

45 Replies to “Intruder Alert”

  1. Maybe it was Lurker! :o)
    ( …lurking…lurking…lurking… )
    yes…i am just kidding!

  2. Wow. Thanks for the info, a good reminder to everyone to keep an eye on their own systems.
    Perhaps some sort of segment on the show about security on Macs would be good….I’m new to the platform and I’m not really sure how to properly protect and identify problems.
    See you in Iowa, where,btw, I hear there will be wireless connectivity. Cool.

  3. Wow! Very interesting information! I’ve been trying to explain to my boss the importance of taking certain precautions on his computers at work and also at his house. Maybe this will convince him I’m not just looking for more time on the clock! Thanks for sharing!

  4. I am still at a loss as to how the hacker broke in. I use very strong system passwords and don’t run as root. I did run Apache and Webstar web servers for a few weeks – maybe he exploited a hole in one of those to get into the system.
    Whoever it was must have been VERY determined.

  5. Heh, yeah Leo. Sorry about that. I was just goofing around, really. You know, had nothing better to do, and all. Maybe having “trousersnake” as your password isn’t such a good idea … ^_^
    I kid. Actually, I’m sorry it happened. I had a virus hit my computer a few months ago, and it wasn’t even my fault! The computers here are networked to share the DSL connection, and one of my roommates downloaded an e-mail attachment from, you guessed it, someone he didn’t know (“I thought it was so-and-so” … ya thought wrong!). And I know there’s a difference between getting a virus and being hacked. But, I think the feeling of exposure/vulnerability is similar.
    Hope everything works out for ya! Keep it real, L man. 😉

  6. I used to think “I’m just a little nobody–who’d want to go to the trouble of invading my system.” But an incident that happened about a month ago made me wonder: I did a routine skandisk & defrag (which I’ve done many times on the same machine), turned the thing off, & when I tried to turn it back on again I couldn’t even boot. I have an emergency boot floppy which worked, but the bottom line was that I had to format & partition the hard drive, & then reinstall everything. Luckily I had a month-old backup of my data on CD so I didn’t loose too much. (The up-side is that now it runs clean as a whistle!) I’ve been using PCs at home & work for 7 years now, & feel like I pretty much know what I’m doing, so I can’t figure out what went wrong… However, I do have cable internet access, & I don’t use Zone Alarm or anything. So now you’re making me think more seriously about security. More segments on TSS about basic protections would be greatly appreciated.

  7. Glad nothing too drastic happened. Like you said, we all have to realize that their are hackers out there and we just have to make sure we take precautions and live with it.

  8. You’ll be talking about this on the show soon, right? Thanks for the cool links. 🙂

  9. My site ( was hacked about two weeks ago by a group called the Web_Angels. It was my hosts fault though, they had been doing some upgrades and stuff on their server and left the frontpage extensions wide open. Because of it, you could go to Frontpage and open web and go right into my site without any kind of login. The hackers even used frontpage to build their little “we ownz you” thing on there.

  10. Whats up with the censoring of the blog? Come on Leo. We all want to know if you still have a job, is TSS safe or is TechTV going dark soon? Whats the word?

  11. Wow. Before I was half way down and before you revealed the answer as soon as you mentioned the Airport I knew that could be it. I really think there are more holes in wifi than we want to admit. Most probably due to software problems not related to how well we followed the setup directions. Same thing happened to me , in a way. I set up a Linksys wifi sysytem and the first thing I did was make sure I had set my (WEP)encryption at 128 and assigned a unique password etc. Then I, of course, matched those settings for my PC wifi card for my laptop. Everything looked secure; just as all the documentation and online rescources I had studied indicated. Much to my surprise, a friend of mine came over about a week after I had set it up and when he inserted his wifi card in his laptop he was instantly using my net access and able to see and modify the one partition I was sharing on one of my computers. This had me REALLY perplexed. I double and triple checked everything. It was correct.
    I completely unistalled all my configurations and software as well as re flashed the BIOS of the linksys machine (same build…the latest) and reset everything. This time when I checked I was secure. What was the problem? Who knows. A glitch in the software or something.
    I suggest anyonme running any 80211 network double, triple and quadruple check that they really are secure.
    I don’t run webservers or know anything about Apple OS but just knowing that someone could have been listening to my private MP3’s of “The Brady’ Bunch’s Greatest Hits” gives me the creepy crawlies. (OK I don’t listen to that…anymore…but still)

  12. man,
    that is messed up, do you think you got broke in through a file sharing program, i stopped using those because not only is it not right, though i like the remade music vids done to video games, but i kept getting trojans and stuff like that.
    maybe you could use an npassword program or maybe take off your airport for a while. sounds to me you were going to be used as a file server or something like that i think maybe reformatting would be a good idea, though it is a pain. maybe when you go online, use an ipspoofer to hide your system.
    bottom line is that we need better encryption, i figured i was anobody also until i started getting trojans isnt there a way to spoof a drive, you know so when someon does try to break n they cannot find the real drive. im sorry leo.
    im sorry to see john go too.

  13. Leo..
    I have an airport. wireless network for my IMAC, IBOOK, and now my PC laptop that I FINALLY got configured. By myself mind you without my geeky husband.
    The access to the internet is just dial up so that I can use my IBOOK while on the vent.
    When I set up the airport I did have a password, am I still in danger of getting hacked? This wireless is new to me..
    thought I would ask.
    sorry to here about your computer troubles, as if you werent busy enough.

  14. Leo
    Silicon spin has been cancelled. Could you comment as to why? Was he being to harsh on an advertisers company?
    Your last thoughts that I could find were:
    “Oops. I forgot to mention. I’m filling in for Dvorak on Silicon Spin Thursday and Friday. I did the first one today at 3p Eastern. It will rerun at 2:30a, 7a, and 10:30a Eastern. And I’ll be back with the Friday roundtable at 3p Pacific tomorrow.
    Spin is fun – I’d been pitching a McLaughlin Group style roundtable since my days with c|net – but Dvorak’s job is safe!”

  15. Yeah, whats up with them cancelling Silicon Spin all of a sudden?
    TSS better not be next..

  16. Ya know? It’s unfortunate that Leo put this site up for people to get together and “dingle licker” has to come along and ruin it. Pretty soon, Leo will have to shut off the “comments” ala just so he can keep some kind of control.

  17. I have a Mac so now I’ll be on the lookout for modifications to my files.
    Thanks Leo!

  18. Leo,
    Are you keeping up with you updates on OS-X? There were a few OpenSSH flaws since November and it appears to be finally fixed. Also, make sure that there is not anything open in inetd.conf and shut off sunrpc tcp/udp 111. Use netstat -an to see if you have anything open other than the ports you required. That is a common port of attack by *nix hackers. You may want to see if you can use 802.11a because it provides 128 bit WEP security as opposed to 48 bit WEP security in 802.11b. Plus, there was a huge security flaw in WEP 48 bit security that was addressed in 802.11a. Make sure to continuously run checkmate and install maybe aide and snort. Snort is an effective non-solid state free IDS and aide is like tripwire but for free. I would most definitely wipe my hard drive and start over. Also, change files around from the normal. If a cracker (black hat) expects to find a file in its place and its not there, it may cause them to stop trying to crack or at least it will be harder for them to cover their tracks in your auditing system. Make sure to audit your /var/log/ipfwlogs or tcpdump them. Also, place a log statement on your outgoing packets like I have done on my routers. I check them and where the packets are going by using nslookup. If you download stuff from the Internet or borrow someone’s software, they may have been compromised and have a trojan on the disk or download file.
    Security is about following policies, keeping up to date in patches and vulnerabilities, monitoring and auditing your system, and being paranoid about everything.

  19. Leo and all,
    Another thing you can do, is run VPN or an IPsec tunnel through the 802.11b wi-fi. I would either try 0S-X FreeBSD IPsec or see if there is a Mac VPN product. This way, everything is encrypted by 3DES and authenticated by MD5. If someone tampers with the VPN or IPsec session, it will probably destabalize the tunnel and the tunnel will drop. Hence, no more connectivity between hosts/server until the tunnel is rebuilt.

  20. A good firewall denies unpermitted traffic in both directions. In fact, the only firewall i know of that doesn’t is the lame Windows XP firewall.

  21. Incidentally, since some people seem to be unclear on this. It was one of my personal systems that was hacked, not the server that hosts this site or the Leoville message boards. Those servers run on completely different systems.

  22. Message for Dick Slinger,
    If you have Cisco Routers, you can activate IP CEF and CAR and that will in theory protect you from any DOS attack including smurf. There is a way to do with *nix machines too but I have not looked it up. This box by John Drapper or Captain Crunch can supposely do that …

  23. Let me get this straight, Doug. You posted comments on the message board and now you are going to sue? Makes no sense to me…….

  24. Doug,
    It is time that you put it all behind you. By the looks of it, you were defamatory to others, so our mayor banned you, since you were the problem.

  25. I installed windows 2000 over windows 98. I chose to do a clean install and to convert the hard drive to NTFS. Everything seemed to go really well, but now I am having a few issues. The first issue is with the wireless PCI network card. I keep on getting a error code 10 every time that I try to install the driver I get a message saying: Windows is not able to start the device. I looked on the Microsoft website and it said that I needed to find an updated digitally signed driver, but SOHO WARE does not have one on there website, so I am in a dilemma until I call tech support. My second issue is that I still see some file’s left over from windows 98. I thought that they would have all been gone. And when I start the computer, I have 2 choices one to start windows 2000, and another to load windows. When I choose to load windows all I get is a blinking curser and nothing loads. I do not think I got a separate partition, because I only have one hard drive letter C: Is there a way to completely get rid of all the vestiges of 98, and to fix it so it automatically loads into windows 2000?

  26. I’m so sorry to hear that Leo….Recently three of my AOL accounts got hacked into, how? I don’t know. It took me forever to get them back, I called AOL and had to change all my passwords. They told me that someone got into there not knowing my password and wrote over it, Aol couldn’t even figure out what the peron changed it to. But I have my screennames back. So let this be a warning to you AOL users. Someone can get in and overwrite your password without knowing it.

  27. Dear Mr. Leo!!,
    Hello Leo, I really enjoy catching The Screensavers all the time. When I get sad, I turn on the TV and watch you guys and you cheer me up!. I am in 8th grade, and we are big Leo fans out here in upstate New York!, we always watch Techtv and watch The Screensavers. I always ask my friend Chris, “did you catch The Screensavers yesterday??” I ask him, he replys “Sure did!”. Yep we are big fans of the show, and just a few weeks ago I did a art project that we had to do with 3D letters. I did “Linux Geek” I think I am going to submit it as a fridge pic! You guys will like it!
    “Your loyal Techtv viewer!”

  28. Hey Leo. Love your site. What is going on with Kate Botello? Why is she leaving Tech TV? I know that you’re good friends with her and thought that maybe you could shed some light on the situation for us. Thanks.

  29. Y’know it’s funny..
    The previous post was directed at Leo personally, but for the most part, I thought the comments summed up the author pretty well..
    I gotta hand it to him though.. he did make me laugh. Now Leo, as the big fish in this here pond, you certainly have my support in giving him the boot. Bend over, Dickie boy..

  30. Did you save a copy of the files you believed were comprimised so you could do a diff between those files and the known good copies?

  31. Leo,
    You just asked for this. Remember when you had a “hacker” come on your show?
    Showing people how to “hack” is not a smart idea, especially on unix based systems. M$ is fair game, but hacking unix is a fine art that should be limited, and reservered for certain people.

  32. I suspected that your WIFI was the most likely entrance point for your hypothetical hacker. I’m sure you changed the default passwords on your NAT router machines…? Mac OS X is a new beast and is going to be vulnerable to unix / linux weaknesses. No wonder you are going to do the hack-in program! LOL I think a good program would be how linux guru’s set their systems up so they are as inpenetratable as possible. I’ve had several claim that they have done so.
    My Mac was broken into when on cable. It was running a software firewall but I believe it was penetrated since I was on the DMZ side of the NAT gateway. I’m now on DSL (no NAT gateway or firewall) with a changing IP but still vulnerable because I run a server. This system with Mac OS 8.6 is totally ripped. Things crash often lately. My job has just been backing up for last 2 months. I need to reformat everything and fresh install, but what a huge pain it is.
    Since I know it is “normal’ to get broken into, I try to keep sensitive information on an encrypted scsi volume that is not mounted until I need it. This is the only place that is very hacker proof…but once it’s mounted and I am connected to the net (PPPoE), it’s not safe. Wish there was a simple answer….but that is why I watch TSS.
    I tried some software once that actually showed what connections into my system were open. The first thing I noticed was that my dial-up ISP always had some connection open…no idea why but it still worked fine when I killed that connection. What software does that?

  33. Its extremely sad that A: Leo posts about a comprimise of a machine, and others take advantage of the thread to harass Mr. Laporte over mundane issues.
    As for hitting the box behind the firewalls etc… 802.11 is quite insecure and as convienent as it is, it really needs more work before going to the masses. BUT being OSX is *NIX based you should really use strict ACL’s allowing only trusted boxes in (,, etc..) So even if he can stroll by with laptop and a 802.11 NIC, chances are his IP wont match your trusted hosts. SSHd has had quite a nasty run, expecially OpenSSH and many people seemed to have missed the need to upgrade and leave open for remote root exploits. I would have to assume that was the weak point in the laptop itself. Best suggestion use hosts.allow and start plugging in the IP’s you plan to jump on your lappy from remotely.

  34. Just wondering, have you talked to Brett or Megan about if they’ve seen similar signs on their own Macs around the TechTV studios?

  35. That is just awful. Guess it can happen no matter what. Hopefully it was all caught early. I am off to change all my passwords now!

  36. I hate to be a jerk, Leo, but when you say:
    “I did run Apache and Webstar web servers for a few weeks – maybe he exploited a hole in one of those to get into the system.”
    why are you assuming it’s a he?

    I heard Audiofile is being cancelled, I’m really bummed about that. Besides TSS it’s the only TechTV show I watch “religiously”.

  37. Just for your information little Dickie boy, my mother passed away four years ago, may God rest her soul, so you can spare us any more enlightening “yo Mama” remarks.
    The only thing more remarkable than your vile, depraved behavior is that Leo has allowed such offensive and contemptible entries to remain on his blog for so long. Do yourself a favor and seek some professional help.

Comments are closed.