remote login Trojan


683 replies to this topic

#1 lokin

  • Members
  • 299 posts

Posted 18 May 2008 - 04:44 PM

******** EDIT Begins **********

6/25/08 EDIT *IMPORTANT* For Visitors:
QUOTE
The following links to our knowledge base contain further information on this subject, including Solutions, Discovery, Templates, and more:
ARDAgent exploit & Com.apple.SystemLoginItems.plist Exploit

- Spratt_

******** EDIT Complete **********


So the deal is I'm trying to write a script that will locate preferences--->sharing--->and then select remote login if there are write privileges.
This will be my first attempt at making something that does this so please give me a break.
what language should I use? perl?
what compiler? Xcode?
The program also has to run in the background or embed it in a file or document of some kind.
Once again I have no experience here so please help all you can.
p.s. please don't write the code and say here's an example, I'll end up copying most of it.
-Lokin-

#2 callmenames

  • Members
  • 1,426 posts

Posted 18 May 2008 - 05:08 PM

QUOTE(callmenames @ May 17 2008, 10:06 AM)
Stop trying to script the graphic interface (it's just a pretty picture that lets you change settings in a preference file), figure out in which files it changes the settings, have your script check whether you have write access to the files and modify the files with your script.




#3 lokin

  • Members
  • 299 posts

Posted 18 May 2008 - 09:54 PM

And I have.
I've forgotten all about preference panes and whatever but as far as I know, so far, is that all preferences are still located in a file called Preferences. No?
And then sharing would be located in that file. And if not located there, there would be something like C++ pointers or shortcuts.
Although I now know that this is not the case.
and don't forget
QUOTE
Once again I have no experience here so please help all you can.

-Lokin-

#4 callmenames

  • Members
  • 1,426 posts

Posted 18 May 2008 - 10:24 PM

Ok, step one is to figure out which file(s) are changed when you click the box in System Preferences to enable remote login. There are a variety of ways to see which files are accessed. From the GUI, try fseventer. From the command line, fseventer, fs_usage, and potentially ps -axww (if filenames are passed to a command which is not too likely in this case) and lsof (if you are quick.) All of the options will work best if you quit everything, have as little running as possible. Get ready to make the change in the GUI, start whatever method you wish to try to see what files are accessed, click in the GUI to make the change (and APPLY if necessary) then quickly switch back to your tool of choice to stop it (unless you are using ps / lsof which don't run continuously.)

#5 callmenames

  • Members
  • 1,426 posts

Posted 19 May 2008 - 01:31 PM

For instance... restart. Open Terminal and type...
CODE
sudo -s

QUOTE
Password:
PowerBook:~ root#

Your password won't be displayed as you type which is normal, just type it in and press return.

Then open System Preferences, go to sharing. Disable File Sharing if it is on.

Switch back to Terminal. Make the window wide (height does not matter, width does.) Position the Terminal window and the System Preferences window so that you can see the "Start" button to enable File Sharing. In Terminal, type the command 'fs_usage', press return and quickly click the Start button in System Preferences (click once to bring the window forward, click again to start.) Quickly switch back to the Terminal window and type command-period or control-c to cancel fs_usage.
CODE
fs_usage

I ran this on a Tiger 10.4.11 PPC system...
QUOTE
11:18:15.213 lstat private/etc/hostconfig~ 0.000259 W writeconfig
11:18:15.213 statfs private/etc/hostconfig~ 0.000032 writeconfig
11:18:15.213 lstat private/etc/hostconfig~ 0.000018 writeconfig
11:18:15.213 unlink private/etc/hostconfig~ 0.000524 writeconfig
11:18:15.214 lstat [ 2] private/etc/hostconfig~ 0.000094 writeconfig
11:18:15.214 getattrlist private/etc 0.000047 writeconfig
11:18:15.214 getattrlist private/etc 0.000023 writeconfig
11:18:15.214 getattrlist /.vol/234881038/3118/hostconfig 0.000095 writeconfig
11:18:15.214 getattrlist /.vol/234881038/1740430 0.000031 writeconfig
11:18:15.214 getattrlist [ 2] /.vol/234881038/3118/hostconfig~ 0.000050 writeconfig
11:18:15.215 rename /.vol/234881038/3118/hostconfig 0.000529 writeconfig
11:18:15.215 lstat [ 2] private/etc/hostconfig 0.000101 writeconfig
11:18:15.215 stat [ 2] private/etc/hostconfig 0.000048 writeconfig
11:18:15.216 open F=5 private/etc/.dat2253.002 0.000469 writeconfig
11:18:15.216 write F=5 B=0xe3 0.000167 writeconfig
11:18:15.217 WrData[async] D=0x0754e160 B=0x1000 /dev/disk1s10 0.000449 W writeconfig
11:18:15.220 fsync F=5 0.003592 W writeconfig
11:18:15.220 close F=5 0.000064 writeconfig
11:18:15.221 rename private/etc/.dat2253.002 0.000610 writeconfig
11:18:15.221 chmod private/etc/hostconfig 0.000212 writeconfig


The modified file is /etc/hostconfig, here is mine with sharing on.
CODE
cat /etc/hostconfig

QUOTE
AFPSERVER=-YES-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-


... and off
QUOTE
AFPSERVER=-NO-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-

Edited by callmenames, 19 May 2008 - 01:36 PM.
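The procedure in posts #4 and #5 (trace the file activity behind a GUI toggle, then read the file it changed) as an added Python example, not code from the thread: it parses the fs_usage excerpt quoted above, lists the paths that writeconfig unlinked, renamed or chmod'ed, and diffs the two hostconfig listings to find the key the Sharing pane flipped. The column layout assumed by parse_line() and the mapping of /private/etc onto /etc are this example's own assumptions; the trace lines and hostconfig values are copied from the post.

```python
"""Summarise an fs_usage trace and diff two hostconfig snapshots.

Added example, not code from the thread: the trace excerpt and hostconfig
values are copied from callmenames' post; the column layout assumed by
parse_line() and the /private/etc -> /etc mapping are assumptions.
"""
from collections import defaultdict

# fs_usage excerpt from the post (Tiger 10.4.11), reduced to the lines
# that matter for the summary.
SAMPLE_TRACE = """\
11:18:15.213 lstat private/etc/hostconfig~ 0.000259 W writeconfig
11:18:15.213 unlink private/etc/hostconfig~ 0.000524 writeconfig
11:18:15.214 lstat [ 2] private/etc/hostconfig~ 0.000094 writeconfig
11:18:15.214 getattrlist private/etc 0.000047 writeconfig
11:18:15.215 rename /.vol/234881038/3118/hostconfig 0.000529 writeconfig
11:18:15.216 open F=5 private/etc/.dat2253.002 0.000469 writeconfig
11:18:15.216 write F=5 B=0xe3 0.000167 writeconfig
11:18:15.217 WrData[async] D=0x0754e160 B=0x1000 /dev/disk1s10 0.000449 W writeconfig
11:18:15.220 fsync F=5 0.003592 W writeconfig
11:18:15.221 rename private/etc/.dat2253.002 0.000610 writeconfig
11:18:15.221 chmod private/etc/hostconfig 0.000212 writeconfig
"""

# hostconfig excerpts from the post, with File Sharing on and off.
HOSTCONFIG_ON = "AFPSERVER=-YES-\nSMBSERVER=-NO-\nARDAGENT=-NO-\n"
HOSTCONFIG_OFF = "AFPSERVER=-NO-\nSMBSERVER=-NO-\nARDAGENT=-NO-\n"

# Calls that change the namespace or metadata of the path they name.
MUTATING_OPS = {"unlink", "rename", "chmod", "chown", "truncate",
                "mkdir", "rmdir", "symlink", "link"}


def normalize(path):
    """fs_usage prints root-relative paths; fold /private/etc onto /etc
    (on macOS /etc is a symlink to /private/etc; assumed here)."""
    if not path.startswith("/"):
        path = "/" + path
    if path.startswith("/private/"):
        path = path[len("/private"):]
    return path


def parse_line(line):
    """Return (timestamp, call, path_or_None, process) for one trace line.

    Assumed layout: time, call, optional qualifiers ("[ 2]", "F=5",
    "B=0x1000"), optional path, elapsed seconds, optional "W" (the call
    blocked), process name.
    """
    tokens = line.split()
    if len(tokens) < 4:
        return None
    ts, call, proc = tokens[0], tokens[1], tokens[-1]
    middle = tokens[2:-1]
    if middle and middle[-1] == "W":
        middle = middle[:-1]
    middle = middle[:-1]                 # drop the elapsed-time column
    path = next((t for t in middle if "/" in t), None)
    return ts, call, (normalize(path) if path else None), proc


def modified_paths(trace):
    """Map process name -> sorted paths it unlinked, renamed or chmod'ed."""
    hits = defaultdict(set)
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, call, path, proc = parsed
        if call in MUTATING_OPS and path is not None:
            hits[proc].add(path)
    return {proc: sorted(paths) for proc, paths in hits.items()}


def parse_hostconfig(text):
    """Parse KEY=VALUE lines into a dict, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def changed_settings(before, after):
    """Return {key: (old, new)} for every key whose value differs."""
    a, b = parse_hostconfig(before), parse_hostconfig(after)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for proc, paths in modified_paths(SAMPLE_TRACE).items():
        print(proc, "modified:", ", ".join(paths))
    print("toggled:", changed_settings(HOSTCONFIG_OFF, HOSTCONFIG_ON))
```

Run against a live capture (`sudo fs_usage -w > trace.txt`, stopped with control-c as the post describes) the same summary shows the write-and-rename pattern writeconfig uses: a temp file is written, fsynced, renamed over the real file, then chmod'ed, so the final target is the chmod path, not the temp name.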


#6 lokin

  • Members
  • 299 posts

Posted 19 May 2008 - 01:48 PM

Ok, well using fseventer I found that just clicking the remote login I get system-->library-->launchDaemons-->ssh.plist
and private-->var-->log-->secure.log and system.log.
When I select it and deselect it a couple times the ssh.plist changes and gets uses next to it so that has to be what I need to change.
The problem I'm having though is that I can't find these items in my terminal.
-Lokin-

#7 callmenames

  • Members
  • 1,426 posts

Posted 19 May 2008 - 01:55 PM

CODE
ls -alo /System/Library/LaunchDaemons/ssh.plist

QUOTE
-rw-r--r-- 1 root wheel - 858 May 14 11:06 /System/Library/LaunchDaemons/ssh.plist


One way to change the file from the command line would be like so...
CODE
launchctl load -w /System/Library/LaunchDaemons/ssh.plist


And to see the contents of that file...
CODE
cat /System/Library/LaunchDaemons/ssh.plist

QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com...yList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.openssh.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>SessionCreate</key>
<true/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockServiceName</key>
<string>ssh</string>
</dict>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>

Edited by callmenames, 19 May 2008 - 01:56 PM.
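What the `ls -alo` and `cat` above show by hand, done programmatically from the defender's side, as an added Python example that is not code from the thread: it reads an sshd launchd plist, reports whether the job is enabled (Disabled absent or false) and whether anyone other than root can write the file, which is the condition the opening post is looking for. The plist bytes are constructed after the ssh.plist quoted in the post (with Apple's standard DTD URL spelled out), and the audit field names and temp-file helper are this example's own.

```python
"""Audit an sshd launchd job file: enabled state and who can alter it.

Added example, not from the thread: the plist bytes below are modelled on
the ssh.plist shown in the post; field names and helpers are this
example's own.
"""
import os
import plistlib
import stat
import tempfile

# Constructed after the post's ssh.plist, trimmed to the keys used here.
SSH_PLIST_DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.openssh.sshd</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
</dict>
</plist>
"""

# The same job after its Disabled flag has been flipped, which is the
# state `launchctl load -w` leaves behind on Tiger.
SSH_PLIST_ENABLED = SSH_PLIST_DISABLED.replace(b"<true/>", b"<false/>", 1)


def remote_login_enabled(plist_bytes):
    """True unless the job carries Disabled=true. launchd treats a missing
    Disabled key as false (launchd.plist(5)), so absence means enabled."""
    job = plistlib.loads(plist_bytes)
    return not bool(job.get("Disabled", False))


def audit_launchd_plist(path):
    """Report who can alter the job file and whether the job is enabled.

    A file under /System/Library/LaunchDaemons should be owned by root
    (uid 0) and writable by nobody else; a group- or world-writable plist
    lets a non-root process change the job without any password prompt.
    """
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "enabled": remote_login_enabled(data),
    }


def write_sample(plist_bytes, mode):
    """Write constructed plist bytes to a temp file with the given mode
    (used to exercise the audit where the real file is absent)."""
    fd, path = tempfile.mkstemp(suffix=".plist")
    with os.fdopen(fd, "wb") as fh:
        fh.write(plist_bytes)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    real = "/System/Library/LaunchDaemons/ssh.plist"
    target = real if os.path.exists(real) else write_sample(SSH_PLIST_DISABLED, 0o644)
    print(audit_launchd_plist(target))
```

On a healthy system the report for the real path reads owner_uid 0, group_or_world_writable False, and enabled matching the Remote Login checkbox; an enabled job that nobody turned on, or a plist that is writable by anyone but root, is worth a look at system.log and secure.log, the two files post #6 saw being written.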


#8 lokin

  • Members
  • 299 posts

Posted 20 May 2008 - 02:04 AM

Ok. I get it.
The next problem is that that command has to be run as root.
So is there any other way to do this other than make a box popup that says it's a software update or something and they need to type their password. Once typed (and entered) it will store it as a plain text document and then after
CODE
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

it will enter the contents of the password file?
Do I at least have the right idea?
-Lokin-

#9 callmenames

  • Members
  • 1,426 posts

Posted 20 May 2008 - 12:29 PM

There are ways to have things run under the root account without any interaction from a user at all. They vary from one version of OS X to another. I would suggest becoming familiar with the OS X startup process. One method is used in an example here.

#10 lokin

  • Members
  • 299 posts

Posted 20 May 2008 - 07:41 PM

So, if I add launchctl load -w /System/Library/LaunchDaemons/ssh.plist to an executable file in startup it will run without needing a password, and then to make it so it doesn't give an error every startup there should also be something saying that if it's already loaded then don't run launchctl load -w /System/Library/LaunchDaemons/ssh.plist.
...yes?
-Lokin-



