remote login Trojan, Trying to make a program that will select remote login.
May 18 2008, 04:44 PM
Post #1
Group: Members Posts: 299 Joined: 27-January 08 From: USA Member No.: 11772
******** EDIT Begins **********
6/25/08 EDIT *IMPORTANT* For Visitors:
QUOTE
The following links to our knowledge base contain further information on this subject, including Solutions, Discovery, Templates, and more: ARDAgent exploit & Com.apple.SystemLoginItems.plist Exploit
- Spratt_
******** EDIT Complete **********
So the deal is I'm trying to write a script that will locate preferences--->sharing--->and then select remote login if there are write privileges. This will be my first attempt at making something that does this so please give me a break. What language should I use? Perl? What compiler? Xcode? The program also has to run in the background or embed it in a file or document of some kind. Once again I have no experience here so please help all you can.
p.s. please don't write the code and say here's an example, I'll end up copying most of it.
--------------------
-Lokin-
May 18 2008, 05:08 PM
Post #2
Group: Members Posts: 1426 Joined: 14-October 05 Member No.: 4296
Stop trying to script the graphic interface (it's just a pretty picture that lets you change settings in a preference file), figure out in which files it changes the settings, have your script check whether you have write access to the files and modify the files with your script.
May 18 2008, 09:54 PM
Post #3
Group: Members Posts: 299 Joined: 27-January 08 From: USA Member No.: 11772
And I have.
I've forgotten all about preference panes and whatever but as far as I know, so far, is that all preferences are still located in a file called Preferences. No? And then sharing would be located in that file. And if not located there, there would be something like C++ pointers or shortcuts. Although I now know that this is not the case. And don't forget
QUOTE
Once again I have no experience here so please help all you can.
--------------------
-Lokin-
May 18 2008, 10:24 PM
Post #4
Group: Members Posts: 1426 Joined: 14-October 05 Member No.: 4296
Ok, step one is to figure out which file(s) are changed when you click the box in System Preferences to enable remote login. There are a variety of ways to see which files are accessed. From the GUI, try fseventer. From the command line, fseventer, fs_usage, and potentially ps -axww (if filenames are passed to a command which is not too likely in this case) and lsof (if you are quick.) All of the options will work best if you quit everything, have as little running as possible. Get ready to make the change in the GUI, start whatever method you wish to try to see what files are accessed, click in the GUI to make the change (and APPLY if necessary) then quickly switch back to your tool of choice to stop it (unless you are using ps / lsof which don't run continuously.)
May 19 2008, 01:31 PM
Post #5
Group: Members Posts: 1426 Joined: 14-October 05 Member No.: 4296
For instance... restart. Open Terminal and type...

CODE
sudo -s

QUOTE
Password:
PowerBook:~ root#

Your password won't be displayed as you type which is normal, just type it in and press return. Then open System Preferences, go to sharing. Disable File Sharing if it is on. Switch back to Terminal. Make the window wide (height does not matter, width does.) Position the Terminal window and the System Preferences window so that you can see the "Start" button to enable File Sharing. In Terminal, type the command 'fs_usage', press return and quickly click the Start button in System Preferences (click once to bring the window forward, click again to start.) Quickly switch back to the Terminal window and type command-period or control-c to cancel fs_usage.

CODE
fs_usage

I ran this on a Tiger 10.4.11 PPC system...

QUOTE
11:18:15.213 lstat private/etc/hostconfig~ 0.000259 W writeconfig
11:18:15.213 statfs private/etc/hostconfig~ 0.000032 writeconfig
11:18:15.213 lstat private/etc/hostconfig~ 0.000018 writeconfig
11:18:15.213 unlink private/etc/hostconfig~ 0.000524 writeconfig
11:18:15.214 lstat [ 2] private/etc/hostconfig~ 0.000094 writeconfig
11:18:15.214 getattrlist private/etc 0.000047 writeconfig
11:18:15.214 getattrlist private/etc 0.000023 writeconfig
11:18:15.214 getattrlist /.vol/234881038/3118/hostconfig 0.000095 writeconfig
11:18:15.214 getattrlist /.vol/234881038/1740430 0.000031 writeconfig
11:18:15.214 getattrlist [ 2] /.vol/234881038/3118/hostconfig~ 0.000050 writeconfig
11:18:15.215 rename /.vol/234881038/3118/hostconfig 0.000529 writeconfig
11:18:15.215 lstat [ 2] private/etc/hostconfig 0.000101 writeconfig
11:18:15.215 stat [ 2] private/etc/hostconfig 0.000048 writeconfig
11:18:15.216 open F=5 private/etc/.dat2253.002 0.000469 writeconfig
11:18:15.216 write F=5 B=0xe3 0.000167 writeconfig
11:18:15.217 WrData[async] D=0x0754e160 B=0x1000 /dev/disk1s10 0.000449 W writeconfig
11:18:15.220 fsync F=5 0.003592 W writeconfig
11:18:15.220 close F=5 0.000064 writeconfig
11:18:15.221 rename private/etc/.dat2253.002 0.000610 writeconfig
11:18:15.221 chmod private/etc/hostconfig 0.000212 writeconfig

The modified file is /etc/hostconfig, here is mine with sharing on.

CODE
cat /etc/hostconfig

QUOTE
AFPSERVER=-YES-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-

... and off

QUOTE
AFPSERVER=-NO-
AUTHSERVER=-NO-
AUTOMOUNT=-YES-
CUPS=-AUTOMATIC-
NFSLOCKS=-AUTOMATIC-
NISDOMAIN=-NO-
TIMESYNC=-YES-
QTSSERVER=-NO-
WEBSERVER=-NO-
SMBSERVER=-NO-
SNMPSERVER=-NO-
SPOTLIGHT=-YES-
CRASHREPORTER=-YES-
ARDAGENT=-NO-

This post has been edited by callmenames: May 19 2008, 01:36 PM
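The tracing procedure from posts #4 and #5, turned into a monitoring check, as an added example that is not part of the original posts: it parses fs_usage output in the format quoted above, resolves write calls to a file name through the preceding open, and reports processes that modified watched system locations. The watchlist and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the fs_usage lines quoted in the post above.
TRACE = """\
11:18:15.213 unlink private/etc/hostconfig~ 0.000524 writeconfig
11:18:15.214 lstat [ 2] private/etc/hostconfig~ 0.000094 writeconfig
11:18:15.216 open F=5 private/etc/.dat2253.002 0.000469 writeconfig
11:18:15.216 write F=5 B=0xe3 0.000167 writeconfig
11:18:15.220 fsync F=5 0.003592 W writeconfig
11:18:15.221 rename private/etc/.dat2253.002 0.000610 writeconfig
11:18:15.221 chmod private/etc/hostconfig 0.000212 writeconfig
"""

MUTATING = {"unlink", "rename", "write", "chmod"}   # calls that change a file
WATCHED = ("private/etc/", "/etc/", "/System/Library/LaunchDaemons/")  # assumed watchlist

def parse_line(line):
    """Split one fs_usage line into (time, call, fd, path, process)."""
    line = re.sub(r"\[\s*\d+\]", " ", line)           # drop the errno column, e.g. "[ 2]"
    tok = line.split()
    call, proc, rest = tok[1], tok[-1], tok[2:-1]
    if rest and rest[-1] == "W":                      # wait flag after the elapsed time
        rest.pop()
    if rest and re.fullmatch(r"\d+\.\d+", rest[-1]):  # elapsed seconds
        rest.pop()
    fd = next((int(t[2:]) for t in rest if t.startswith("F=")), None)
    path = " ".join(t for t in rest if not re.match(r"[FBD]=", t))
    return tok[0], call, fd, path, proc

def modifications(trace):
    """Return {process: [(call, path), ...]} for calls that change files."""
    open_fds, found = {}, {}
    for line in filter(str.strip, trace.splitlines()):
        _, call, fd, path, proc = parse_line(line)
        if call == "open" and fd is not None:
            open_fds[(proc, fd)] = path               # remember which file the fd names
        if call in MUTATING:                          # write lines carry only the fd
            target = path or open_fds.get((proc, fd), "<unknown fd>")
            found.setdefault(proc, []).append((call, target))
    return found

def alerts(trace):
    """Sorted (process, path) pairs where a watched location was modified."""
    return sorted({(proc, path) for proc, events in modifications(trace).items()
                   for _, path in events if path.startswith(WATCHED)})

if __name__ == "__main__":
    print(*alerts(TRACE), sep="\n")
```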
May 19 2008, 01:48 PM
Post #6
Group: Members Posts: 299 Joined: 27-January 08 From: USA Member No.: 11772
Ok, well using fseventer I found that just clicking the remote login I get system-->library-->launchDaemons-->ssh.plist and private-->var-->log-->secure.log and system.log. When I select it and deselect it a couple times the ssh.plist changes and gets uses next to it so that has to be what I need to change. The problem I'm having though is that I can't find these items in my terminal.
--------------------
-Lokin-
May 19 2008, 01:55 PM
Post #7
Group: Members Posts: 1426 Joined: 14-October 05 Member No.: 4296

CODE
ls -alo /System/Library/LaunchDaemons/ssh.plist

QUOTE
-rw-r--r-- 1 root wheel - 858 May 14 11:06 /System/Library/LaunchDaemons/ssh.plist

One way to change the file from the command line would be like so...

CODE
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

And to see the contents of that file...

CODE
cat /System/Library/LaunchDaemons/ssh.plist

QUOTE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.openssh.sshd</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>SessionCreate</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>Bonjour</key>
            <array>
                <string>ssh</string>
                <string>sftp-ssh</string>
            </array>
            <key>SockServiceName</key>
            <string>ssh</string>
        </dict>
    </dict>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>

This post has been edited by callmenames: May 19 2008, 01:56 PM
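The audit counterpart of the plist inspection above, as an added example that is not part of the original post: it reads the Disabled key and the socket service name from launchd job definitions and reports any job that was disabled in a baseline snapshot but is enabled now. The function names, the snapshot layout ({path: file bytes}) and the trimmed sample plist are assumptions made for illustration.

```python
import plistlib

# Constructed sample: a trimmed copy of the ssh.plist quoted in the post above.
SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Disabled</key><true/>
  <key>Label</key><string>com.openssh.sshd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/sshd</string><string>-i</string></array>
  <key>Sockets</key><dict><key>Listeners</key><dict>
    <key>SockServiceName</key><string>ssh</string>
  </dict></dict>
</dict></plist>"""

def job_state(plist_bytes):
    """Summarise one launchd job definition."""
    job = plistlib.loads(plist_bytes)
    listeners = job.get("Sockets", {}).get("Listeners", {})
    if isinstance(listeners, dict):
        listeners = [listeners]                # one dict or a list of dicts
    return {
        "label": job.get("Label", "<no label>"),
        "enabled": not job.get("Disabled", False),   # a missing key means not disabled
        "services": sorted({entry["SockServiceName"] for entry in listeners
                            if "SockServiceName" in entry}),
        "argv": job.get("ProgramArguments", []),
    }

def newly_enabled(baseline, current):
    """Compare {path: plist bytes} snapshots; report jobs switched on since baseline."""
    findings = []
    for path, data in sorted(current.items()):
        now = job_state(data)
        was = job_state(baseline[path]) if path in baseline else None
        if now["enabled"] and (was is None or not was["enabled"]):
            reason = "new job file" if was is None else "Disabled flag cleared"
            findings.append((path, now["label"], now["services"], reason))
    return findings

if __name__ == "__main__":
    path = "/System/Library/LaunchDaemons/ssh.plist"
    changed = SSH_PLIST.replace(b"<true/>", b"<false/>")   # constructed "after" state
    for finding in newly_enabled({path: SSH_PLIST}, {path: changed}):
        print(finding)
```

This matches the layout shown in the thread, where the enabled state is visible in the job file itself; if a system keeps launchd overrides elsewhere, that store has to be compared as well.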
May 20 2008, 02:04 AM
Post #8
Group: Members Posts: 299 Joined: 27-January 08 From: USA Member No.: 11772
Ok. I get it.
The next problem is that that command has to be run as root. So is there any other way to do this other than make a box pop up that says it's a software update or something and they need to type their password. Once typed (and entered) it will store it as a plain text document and then after

CODE
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

it will enter the contents of the password file? Do I at least have the right idea?
--------------------
-Lokin-
May 20 2008, 12:29 PM
Post #9
Group: Members Posts: 1426 Joined: 14-October 05 Member No.: 4296
There are ways to have things run under the root account without any interaction from a user at all. They vary from one version of OS X to another. I would suggest becoming familiar with the OS X startup process. One method is used in an example here.
May 20 2008, 07:41 PM
Post #10
Group: Members Posts: 299 Joined: 27-January 08 From: USA Member No.: 11772
So, if I add launchctl load -w /System/Library/LaunchDaemons/ssh.plist to an executable file in startup it will run without needing a password and then to make it so it doesn't give an error every startup there should also be something saying that if it's already loaded then don't load launchctl load -w /System/Library/LaunchDaemons/ssh.plist.
...yes?
--------------------
-Lokin-