
An LDAP server on another is reporting an unusually large number of attempts to read the LDAP directory and attempting a number of users, all of which look like hacking attempts to read user/password information. These happen every minute. It reports that the originating IP is a Mac OS X 10.4 Tiger Server which is a file server on the network for iMacs.

When I run lsof -i:ldap +c 0 on the Mac server, it returns

COMMAND          PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
DirectoryService  60 root   11u  IPv4 0x38de228      0t0  TCP mymacserver.com:50106->myldapserver.com:ldap (ESTABLISHED)

Running ps -Aj gives

USER PID PPID PGID    SESS JOBC STAT TT     TIME COMMAND
[...]
root  60    1   60 290c7e4    0 Ss   ??  0:19.00 /usr/sbin/DirectoryService

Running cat /Library/Logs/DirectoryService/DirectoryService.server.log gives

2012-02-15 15:01:29 EST - DirectoryService 2.1 (v353.6) starting up...
2012-02-15 15:01:29 EST - Initializing TCP ...
2012-02-15 15:01:29 EST - Plugin <Configure>, Version <1.7>, processed successfully.
2012-02-15 15:01:29 EST - Plugin <NetInfo>, Version <1.7.4>, processed successfully.
2012-02-15 15:01:29 EST - Plugin <LDAPv3>, Version <1.7.4>, processed successfully.
2012-02-15 15:01:29 EST - Plugin <Search>, Version <1.7>, processed successfully.
2012-02-15 15:01:29 EST - Plugin "Active Directory", Version "1.5.8", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "AppleTalk", Version "1.3", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "Bonjour", Version "1.3", loaded successfully.
2012-02-15 15:01:29 EST - Plugin "BSD", Version "1.2.2", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "PasswordServer", Version "3.1.2", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "SLP", Version "1.3.1", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "SMB", Version "1.3", is set to load lazily.
2012-02-15 15:01:29 EST - Registered node /Configure
2012-02-15 15:01:29 EST - Registered node /Search
2012-02-15 15:01:29 EST - Plug-in Configure state is now active.
2012-02-15 15:01:29 EST - Registered node /Search/Contacts
2012-02-15 15:01:29 EST - Registered node /Search/Network
2012-02-15 15:01:29 EST - Plug-in Bonjour state is now active.
2012-02-15 15:01:29 EST - Plug-in Search state is now active.
2012-02-15 15:01:29 EST - Plug-in LDAPv3 state is now active.
2012-02-15 15:01:29 EST - Registered node /NetInfo/DefaultLocalNode
2012-02-15 15:01:29 EST - Plug-in NetInfo state is now active.
2012-02-15 15:01:32 EST - Network transition occurred.
2012-02-15 15:01:35 EST - Registered Locally Hosted Node /NetInfo/DefaultLocalNode
2012-02-15 15:01:41 EST - Network transition occurred.
2012-02-15 15:01:41 EST - Network transition occurred.
2012-02-15 15:01:41 EST - Network transition occurred.

(The time is when the server was rebooted several hours ago.) This has been going on for several days.

Is there a way to see what is calling the DirectoryService every minute?

I cannot use netstat -p, since Mac OS X 10.4 Tiger does not support the -p option.

I need to disable this malicious script, but I cannot disable the LDAP client completely, as users rely on this server for file storage and user ids.

EDIT:

I ran sudo killall -USR1 DirectoryService to enable the debug log, and it seems that memberd and lookupd are calling DirectoryService.

jack
  • possible duplicate of [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) – EEAA Feb 16 '12 at 04:58
  • lookupd and memberd are other parts of OS X's directory service (user & group etc lookup) system, not the ultimate source of the queries. You can enable debug logging for lookupd (see [TN2124](https://developer.apple.com/library/mac/#technotes/tn2124/_index.html#//apple_ref/doc/uid/DTS10003391-CH1-SECLOOKUPD)), but usually lookup calls go to DirectoryService first and then it'll (sometimes) pass them on to lookupd. I'd check the DS log again for queries coming in from somewhere else. – Gordon Davisson Feb 16 '12 at 07:07
  • Another thing occurred to me: memberd's job is to calculate group membership; is it possible it's looking up lots of user records as part of an attempt to do something like list all members of some group? – Gordon Davisson Feb 16 '12 at 07:10
  • Just a gut feeling but this doesn't *feel* like a compromise. It feels like a misconfiguration. As Gordon said, try to correlate the lookups with some other event such as a user accessing a file or logging in. – Ladadadada Feb 16 '12 at 07:24
  • From much painful experience manually getting Linux to authenticate to Active Directory, this could very well be a misconfiguration or something broken by a vendor. For instance, the difference in number of LDAP lookups when performing 'ls' versus 'ls -latr' is quite staggering. ls would return quick, ls -latr would take forever for each call to ActiveDirectory to time out. – rjt Mar 16 '12 at 23:39
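To act on the comments' advice, the script below (an example added here, not the asker's, Apple's or any commenter's code) checks whether LDAP-related lines in a DirectoryService-style log recur at a fixed period, which points at a scheduled or polling client rather than interactive activity, and what share of them follow some other logged event such as a login. It assumes the 'YYYY-MM-DD HH:MM:SS ZONE - message' line layout seen in DirectoryService.server.log, assumes the debug log tags LDAP plug-in lines with "LDAPv3", and uses constructed sample lines.

```python
"""Periodicity and correlation check for the LDAP lookups described above.
Example added to this page (not the asker's, Apple's or ServerFault's code).
It assumes the 'YYYY-MM-DD HH:MM:SS ZONE - message' line layout used by
DirectoryService.server.log; the sample lines below are constructed."""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ - (.*)$")

# Constructed sample: LDAPv3 activity once a minute, plus unrelated noise.
SAMPLE_LOG = """\
2012-02-15 15:02:00 EST - LDAPv3: query sent to myldapserver.com
2012-02-15 15:02:07 EST - Network transition occurred.
2012-02-15 15:03:00 EST - LDAPv3: query sent to myldapserver.com
2012-02-15 15:04:00 EST - LDAPv3: query sent to myldapserver.com
2012-02-15 15:05:00 EST - LDAPv3: query sent to myldapserver.com
2012-02-15 15:06:01 EST - LDAPv3: query sent to myldapserver.com
""".splitlines()

def parse_events(lines, needle):
    """Timestamps of lines whose message contains `needle` (case-insensitive)."""
    stamps = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and needle.lower() in m.group(2).lower():
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return stamps

def dominant_period(stamps, tolerance=2, min_share=0.8):
    """Gap in seconds shared by >= min_share of consecutive events, else None.
    A stable period (e.g. 60 s) suggests a scheduled or polling client
    (launchd/cron job, membership refresh) rather than interactive use."""
    gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    if not gaps:
        return None
    prof = Counter(tolerance * round(g / tolerance) for g in gaps)  # bucket jitter
    gap, n = prof.most_common(1)[0]
    return gap if n / len(gaps) >= min_share else None

def attributable_share(events, triggers, window=5):
    """Fraction of `events` occurring within `window` seconds after any trigger
    (a login, a file access, a job run): near 1.0 means the lookups follow
    that other event, near 0.0 means they do not."""
    if not events:
        return 0.0
    hits = sum(1 for e in events
               if any(0 <= (e - t).total_seconds() <= window for t in triggers))
    return hits / len(events)
```

Run it against the real debug log by replacing SAMPLE_LOG with the file's lines and passing a second event list (login records, a cron timestamp file) as the triggers.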

1 Answer


The usual stuff:

  • Pull server from network.
  • Totally wipe it, start reinstalling from known safe sources (OS discs)
  • Reinstall everything.
  • Make sure you don't make mistakes and patch everything up.
  • Restore data from backup.

It is not "a script"; you don't know what other stuff a hacker may have installed.

TomTom