Mac OS X Server Break-in: Vulnerability or User Error?
Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:
- Kerberos authentication was disabled, making the system extremely slow to respond to LAN-based secure shell (ssh) initiation requests. Screen sharing sessions would not connect at all. However, Server Admin was fully functional
- All e-mail was down
- A launch script for Communigate Pro 5.2.x had been placed in /System/Library/StartupItems, causing Postfix and Cyrus to abort on launch after logging that SMTP, IMAP and POP ports were already opened. All of these services answered with Communigate Pro’s greeting rather than Postfix or Cyrus
- The StartupItems launch script was removed after Communigate Pro was successfully launched
- Communigate Pro’s HTTP administration ports were not open at either their default TCP ports or any other listening ports
- Communigate Pro reinstalled itself when the contents of its configuration directory were deleted
- Several inbound messages from Eastern European senders were addressed to the recipient pw@mydomain.com. This account did not exist in Postfix prior to the attack
It looks as though someone hacked the Xserve to send out spam, but it’s not clear why they would have installed Communigate Pro, a commercial mail server. (Perhaps it was easy to get access to the Xserve, but not to its own internal mail server.) What is most disturbing is that the hacker managed to change the administrator’s password, which is something that has not been seen before in remote exploits on Mac OS X.
It’s not clear if this intrusion was the result of some sort of user error or mistaken configuration. We have no more information on this suspected vulnerability, but anyone running Mac OS X Server should check to make sure they don’t have the same problems.
