FTP/Remote Access Hacking?!!!

chemistry_geek

Registered
I had FTP/Remote Access turned on in Mac OS X so I can transfer files to and from school and I noticed last week sometime that my computer got really sluggish, I heard the hard drive crunching away. I launched "LoadInDock" and was surprised to see my system at 100%. Then I launched "NetStatInDock" and saw a metric a$$-load of packets going out with a few coming in. I went to the System Preferences and turned off FTP Access and Remote Access, then disconnected and the problem went away. I suspected someone was attempting to do something. I just spoke with one of the Mac OS X experts here on this forum on AOL IM and he said to check my FTP log file. It is located here:

/var/log/

and is called ftp.log. I just dropped it on the TextEdit icon and found that from December 9, 2001 to January 8, 2002, four attempted logins occurred. Here's the proof:

Dec 9 17:35:54 localhost ftpd[288]: connection from astrasbourg-201-1-2-235.abo.wanadoo.fr
Dec 9 17:35:54 localhost ftpd[288]: ANONYMOUS FTP LOGIN REFUSED FROM astrasbourg-201-1-2-235.abo.wanadoo.fr

Dec 24 10:30:06 localhost ftpd[275]: connection from kingston-hse-ppp3555519.sympatico.ca
Dec 24 10:30:06 localhost ftpd[275]: ANONYMOUS FTP LOGIN REFUSED FROM kingston-hse-ppp3555519.sympatico.ca

Jan 4 23:58:01 localhost ftpd[401]: FTP LOGIN FAILED FROM 213-193-176-120.adsl.easynet.be, anonymous@f
Jan 5 17:59:23 localhost ftpd[272]: connection from 0x50c40006.abnxx3.adsl-dhcp.tele.dk

Jan 8 23:26:04 localhost ftpd[302]: connection from anice-103-1-4-184.abo.wanadoo.fr
Jan 8 23:26:04 localhost ftpd[302]: ANONYMOUS FTP LOGIN REFUSED FROM anice-103-1-4-184.abo.wanadoo.fr


I have no idea where these are coming from, but if anyone here wants to take a stab at these guys, please do.

What can I do about this? Anything? Should I report this to my internet service provider? Can I get these Ba$tard$ back? Man am I pissed.
 
I don't think there's much you can do. You had the FTP service open to the outside world, and someone tried to get in. That's the way it works, I'm afraid. Just be glad that the attempts all failed. It would have been much worse if they'd dropped large files on your system and filled up the disk (*nix systems don't take real kindly to running out of swap space).

I see this all the time in my logs as well on my Linux router with folks trying to telnet and ssh in. And, if you can believe it, I still get the more than occasional hit from Nimda on my Apache box behind the firewall.

The only way to completely avoid this sort of thing is to make sure that you have no open ports to the internet, which is probably not very practical.
 
kenny:

How do I turn off the ports so no one can hack into my computer? I don't know that much about UNIX and a friend was helping me through pinging and port scanning the troglodyte who was doing the hacking.

I have the hacking party's IP address: 193.251.95.235 via ping in the Terminal. I found the following open ports on their computer: 139 and 1033 using Apple's Network Utility program. My friend told me it was a Winbloz computer attempting to hack in. He said the open port at 139 identified it as Windows. I would like to scare these guys a little, you know, "F" with them a little bit.
 
OK, I took all my information from my computer to the UNIX head in the chemistry department. He said that someone was indeed attempting to gain access to my computer and suggested that I immediately file a report with the local police. He said nothing will be done about my specific case other than that it will go on file. If more attempts are made, this will build a case and history that eventually will lead to a focus on internet crimes by the FBI and other government agencies. He said all crimes are tallied and analyzed statistically to justify allocating more funds and resources for specific types of crimes. He also said, more or less, "welcome to the wonder world of UNIX". He has made two police reports recently with the campus police about hackers trying to gain access to the department servers.
 
You're kidding, right? Either there's more to this story than what you've conveyed here (4 unsuccessful login attempts), or you're having a very (inappropriately) extreme reaction to this.

It's very simple, really. If you don't want people attempting to access your machine, turn off the server services. To see what ports you have open, you can issue the following command (within a terminal):

netstat -a |grep -i listen

This will show you ports that are open and listening, and may give you some clue as to what servers are running. Shut down file sharing, remote logins, ftp server, web server, etc. It's unusual to see the output have nothing in netstat, but I seem to recall that on a vanilla system, X actually doesn't have anything open by default.

Also, you could invest in a hardware-based firewall (I'm assuming that you're on some type of broadband) like the Linksys box. That will prevent (again, by default) all unsolicited inbound traffic.

But seriously, four unsuccessful attempts to access FTP is not hacking, especially over a month's time. I see more attempts than that in my firewall logs in a day. As long as they're being kept out, there's not much to worry about.

If there's more evidence, then, depending on what it is, there could be cause for concern, but I think it's way too early to start calling the police. If you care to share what's going on besides the FTP, I'm sure we can think of something....
 
kenny:

Actually, there is nothing else to add to the story. I'm not doing anything illegal. I don't even have broadband access at home, I have a 56K dialup connection. I have taken my computer to the university to get some large files with the ethernet connection there, but at home, it's slow as hell. I didn't know it was common for people to go "knocking" on firewalls. I probably am overreacting, I just never thought I'd see the day someone would try to pry into my computer. The only thing of value on it right now is my masters thesis which I'm beginning to write. I would freak out if I lost that due to some hacker. Since I reviewed the logs, all sharing has been turned off in the Apple System Preferences and will only be turned on temporarily when needed.

I ran the "netstat -a |grep -i listen" command you mentioned and the following results came back:

[localhost:~] alchemist% netstat -a |grep -i listen
tcp 0 0 localhost.atl.mi.1033 *.* LISTEN
[localhost:~] alchemist%

Thank you for the netstat command and your help. It was very much appreciated. Well, at least you probably got a good laugh from a UNIX newbie running around like his head was cut off.
 
No, I wasn't laughing at all about this. I'd just hate to see you get twisted up in knots about something that's really no big deal, especially based on some bad advice.

First, the guy that's the head of Unix in the chem. dept. has a responsibility to the school to ensure the security of the servers in his charge. Because they're connected all the time, they're of course subject to the law of averages; the longer they're connected full-time, the more of a chance someone has to break into them. If he's done his job, though, break-in attempts are just that - attempts. While he's correct in suggesting that the FBI, etc. will eventually investigate multiple attempts, they don't usually get involved in cases where an individual has been hacked (much less if the attempt was unsuccessful), especially if the system was known to have ports to an insecure protocol open.

Second, your friend that indicated that your "attacker" was on Windows may or may not have been correct. The same port combination can occur on MacOSX with Samba (or possibly Dave) installed. The presence of an open port 139 is not a reliable indication of OS type. A better method is TCP fingerprinting, such as what nmap does. But nmap is a topic for another thread. :)

Finally, port 1033 on MacOSX is owned by the loginwindow process (according to lsof) - a perfectly legitimate and safe port to have open. By default (and I don't know that there's any way to change this, which is fine), it only allows connections from the local machine. Attempts to connect from another box are refused.

The excessive net traffic you saw could have simply been a ping flood; some individuals find it amusing to repeatedly ping machines, often with oddly formed packets to disrupt a person's network connectivity. It's silly and childish, but not especially malicious or harmful. Being on the slow end of a 56K connection makes this annoying, no doubt, but it does limit the impact that they can have on your machine.

As I said before, you did the right thing in shutting down the service and disconnecting when you suspected something wasn't right. It's awfully hard to break into a machine that's not connected... :)
 
Originally posted by chemistry_geek

Dec 9 17:35:54 localhost ftpd[288]: connection from astrasbourg-201-1-2-235.abo.wanadoo.fr
Dec 9 17:35:54 localhost ftpd[288]: ANONYMOUS FTP LOGIN REFUSED FROM astrasbourg-201-1-2-235.abo.wanadoo.fr

Report this to abuse@wanadoo.fr along with the log entry.

Dec 24 10:30:06 localhost ftpd[275]: connection from kingston-hse-ppp3555519.sympatico.ca
Dec 24 10:30:06 localhost ftpd[275]: ANONYMOUS FTP LOGIN REFUSED FROM kingston-hse-ppp3555519.sympatico.ca

Person is from Kingston, Ontario, Canada on a PPP dialup account.
Report this to abuse@sympatico.ca along with the log entry.

Jan 4 23:58:01 localhost ftpd[401]: FTP LOGIN FAILED FROM 213-193-176-120.adsl.easynet.be, anonymous@f
Jan 5 17:59:23 localhost ftpd[272]: connection from 0x50c40006.abnxx3.adsl-dhcp.tele.dk

Person is using an ADSL account in Belgium.
Report this to abuse@easynet.de along with the log entry.

Jan 8 23:26:04 localhost ftpd[302]: connection from anice-103-1-4-184.abo.wanadoo.fr
Jan 8 23:26:04 localhost ftpd[302]: ANONYMOUS FTP LOGIN REFUSED FROM anice-103-1-4-184.abo.wanadoo.fr

Report this to abuse@wanadoo.fr along with the log entry.

Some ISPs don't seem to care what their users do, but you might get a response from some of them.
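A defender-side review of the ftpd entries quoted at the top of the thread, tied to the abuse-reporting advice above: this is an added example, not code from the original thread. The abuse@domain derivation is an assumption (a two-label hostname heuristic; the registry's WHOIS record is authoritative), and the sample log is constructed from the lines the thread quotes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the ftpd entries quoted in the thread, not a live log.
SAMPLE_LOG = """\
Dec 9 17:35:54 localhost ftpd[288]: connection from astrasbourg-201-1-2-235.abo.wanadoo.fr
Dec 9 17:35:54 localhost ftpd[288]: ANONYMOUS FTP LOGIN REFUSED FROM astrasbourg-201-1-2-235.abo.wanadoo.fr
Dec 24 10:30:06 localhost ftpd[275]: connection from kingston-hse-ppp3555519.sympatico.ca
Dec 24 10:30:06 localhost ftpd[275]: ANONYMOUS FTP LOGIN REFUSED FROM kingston-hse-ppp3555519.sympatico.ca
Jan 4 23:58:01 localhost ftpd[401]: FTP LOGIN FAILED FROM 213-193-176-120.adsl.easynet.be, anonymous@f
Jan 5 17:59:23 localhost ftpd[272]: connection from 0x50c40006.abnxx3.adsl-dhcp.tele.dk
Jan 8 23:26:04 localhost ftpd[302]: connection from anice-103-1-4-184.abo.wanadoo.fr
Jan 8 23:26:04 localhost ftpd[302]: ANONYMOUS FTP LOGIN REFUSED FROM anice-103-1-4-184.abo.wanadoo.fr
"""

# Syslog prefix (timestamp, host, ftpd[pid]) followed by one of three message shapes.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EVENT_RES = [
    ("connect", re.compile(r"^connection from (?P<host>\S+)$")),
    ("anon_refused", re.compile(r"^ANONYMOUS FTP LOGIN REFUSED FROM (?P<host>\S+)$")),
    ("login_failed", re.compile(r"^FTP LOGIN FAILED FROM (?P<host>[^,]+),\s*(?P<user>\S*)")),
]

def parse_ftp_log(text):
    """Return (timestamp, pid, event, host, user) tuples for recognised lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        for kind, rx in EVENT_RES:
            e = rx.match(m["msg"])
            if e:  # first matching shape wins; messages of unknown shape are skipped
                events.append((m["ts"], int(m["pid"]), kind, e["host"], e.groupdict().get("user", "")))
                break
    return events

def abuse_contact(host):
    """Guess the ISP abuse mailbox from the last two labels ('...abo.wanadoo.fr' ->
    'abuse@wanadoo.fr'); assumption: wrong for registries like .co.uk, None for a bare IP."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not labels[-1].isalpha():
        return None
    return "abuse@" + ".".join(labels[-2:])

def summarise(events):
    """Per host: event counts, suggested contact, and a connect-only flag (no login line followed)."""
    per_host = defaultdict(Counter)
    for _ts, _pid, kind, host, _user in events:
        per_host[host][kind] += 1
    return {h: {"events": dict(c), "report_to": abuse_contact(h),
                "connect_only": not (c["anon_refused"] or c["login_failed"])}
            for h, c in per_host.items()}
```

On the sample this yields the four login attempts the thread counts plus one connect-only host (the Jan 5 tele.dk entry), which is the "connection from ... but nothing following" case worth watching separately.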
 
So, you would report single failed attempts to connect via a port you had open on the internet??? Sorry, but that doesn't even begin to qualify as abuse. Curiosity perhaps, but not abuse. These are FAILED attempts; no harm done. If I reported every failed connection attempt I see in my firewall logs, I wouldn't have much time to do anything else.

Now, if there'd been many multiple connection attempts (particularly if they'd been non-anonymous), that might be a different story. But as it stands, I think it's a "move along, nothing to see here"-type of non-event.
 
Just a side note to all this.

If you are not running an FTP server for outside users to access, but just for your own personal access, change your FTP port to something else so that only you know the port number to access.

That way if something like this happens again, you will know that someone was sniffing your ports out and is trying to hack in.

Based on what is shown, it could be just an error in the other user's IP address entry. (I know I've done it a couple of times.)

I haven't changed my port numbers in OS X yet, but I'm sure it's not brain surgery (it's easy in Windows NT at least, so OS X should be a snap. :) )

Anyways, just my 2 cents.
 
What about if you have several "connection from ...", but nothing following, such as "LOGIN REFUSED..." or "LOGIN FROM..."?

I thought it might be someone coming to the door, and not quite knocking... But I tried it, and the logs reported it as anonymous.

Anyone know of any good URLs for the small-time home unix security manuals, or tips and tricks?...

I've figured out how to reroute traffic through my router to my box, but how do you change the port for FTP? I know how with HTTP...

...Ah, NetInfo Manager > / services / ftp, then auth., double click the port#, and change it...

iluvosx
 