Intruder Alert

One of the keys to computer security is monitoring key system files to see if they've been secretly modified. (See this CERT note for more information.) To that end I run a nifty little utility from Brian Hill called Checkmate on my Macs. Last night Checkmate found traces of an intruder on my iBook. Three files had recently been changed: sshd, slogin, and du. The first two are for secure login to my system, the last is a unix tool called disk usage, used to check how full the drives are. An innocuous (and little used) system file like du is a good place for a hacker to store a trojan horse program. Modifying sshd and slogin is a well-known way to capture the root password (see Mike Chandler's post on the message boards). I hadn't changed either program recently, nor had any system updates. The modified files were clear evidence of an intrusion on my system.

There was no evidence of tampering in the system logs (no surprise there - any hacker worth his salt would have fixed that), but I quickly changed all my passwords, replaced the effected system files, and checked all my security settings.

What surprises me is that I have always considered this system to be basically secure. I run the built-in FreeBSD firewall, ipfw, on it all the time. I used Brian Hill's Brickhouse to configure it and I'm pretty sure I tightened everything down. At home it's sitting behind two NAT servers, my Linksys router and an Airport which should make the system hard to see on the net. At work it's on the firewall protected corporate net (no idea how secure THAT is however - I know of at least one successful hack on it - but I have to think it's at least as secure as my own system). My iBook passes the ShieldsUp test with flying colors (all green). nmap shows all ports closed.

The weak link is the Airport wireless network. I can only think that someone got in through the wireless LAN either at home or, more likely, at the studio. 802.11b security is notoriously weak. But I use Airport everywhere and I'm just not willing to stop. (OK I'm a wireless LAN addict - I admit it.)

I probably should reformat the hard drive and reinstall everything from scratch, but it's just too much work. There's nothing on here that's particularly private, and the firewall prevents the system from being used in a DDOS attack. So I'm just going to continue as before, making regular backups of my data, and keeping an eye out for other suspicious activity.

I guess the moral of all this is that, even with reasonable precautions, any system is hackable. I don't think the average user can be expected to do more than run a firewall and cross his fingers. And that means that hackers will continue to have free run of the net. We'll just have to learn to live with them. Like cockroaches. But it's good to remember that they're out there, and that there are some things we all need to do to keep them at least a little in check.