{"id":129,"date":"2008-04-16T11:37:52","date_gmt":"2008-04-16T10:37:52","guid":{"rendered":"http:\/\/blog.intego.com\/?p=129"},"modified":"2008-04-16T11:37:52","modified_gmt":"2008-04-16T10:37:52","slug":"mac-os-x-server-break-in-vulnerability-or-user-error","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/","title":{"rendered":"Mac OS X Server Break-in: Vulnerability or User Error?"},"content":{"rendered":"<p>Tom Yager at InfoWorld is <a href=\"http:\/\/weblog.infoworld.com\/enterprisemac\/archives\/2008\/04\/os_x_server_bre.html\">reporting about a break-in on an Xserve<\/a>, which raises several questions. Among the symptoms of this break-in were the following:<\/p>\n<ul>\n<li>\tKerberos authentication was disabled, making the system extremely slow to respond to LAN-based secure shell (ssh) initiation requests. Screen sharing sessions would not connect at all. However, Server Admin was fully functional<\/li>\n<li>\tAll e-mail was down<\/li>\n<li>\tA launch script for Communigate Pro 5.2.x had been placed in \/System\/Library\/StartupItems, causing Postfix and Cyrus to abort on launch after logging that SMTP, IMAP and POP ports were already opened. All of these services answered with Communigate Pro&#8217;s greeting rather than Postfix or Cyrus<\/li>\n<li>\tThe StartupItems launch script was removed after Communigate Pro was successfully launched<\/li>\n<li>\tCommunigate Pro&#8217;s HTTP administration ports were not open at either their default TCP ports or any other listening ports<\/li>\n<li>\tCommunigate Pro reinstalled itself when the contents of its configuration directory were deleted<\/li>\n<li>\tSeveral inbound messages from Eastern European senders were addressed to the recipient pw@mydomain.com. This account did not exist in Postfix prior to the attack<\/li>\n<\/ul>\n<p>It looks as though someone hacked the Xserve to send out spam, but it&#8217;s not clear why they would have installed Communigate Pro, a commercial mail server. (Perhaps it was easy to get access to the Xserve, but not to its own internal mail server.) What is most disturbing is that the hacker managed to change the administrator&#8217;s password, which is something that has not been seen before in remote exploits on Mac OS X.<\/p>\n<p>It&#8217;s not clear if this intrusion was the result of some sort of user error or mistaken configuration. We have no more information on this suspected vulnerability, but anyone running Mac OS X Server should check to make sure they don&#8217;t have the same problems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following: Kerberos authentication was disabled, making the system extremely slow to respond to LAN-based secure shell (ssh) initiation requests. Screen sharing sessions would not connect at all. However, Server Admin was [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[7,13],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Mac OS X Server Break-in: Vulnerability or User Error? - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2008-04-16T10:37:52+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Peter James\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/\",\"name\":\"Mac OS X Server Break-in: Vulnerability or User Error? - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"datePublished\":\"2008-04-16T10:37:52+00:00\",\"dateModified\":\"2008-04-16T10:37:52+00:00\",\"description\":\"Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mac OS X Server Break-in: Vulnerability or User Error?\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116\"},\"headline\":\"Mac OS X Server Break-in: Vulnerability or User Error?\",\"datePublished\":\"2008-04-16T10:37:52+00:00\",\"dateModified\":\"2008-04-16T10:37:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#webpage\"},\"wordCount\":307,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"articleSection\":[\"Apple\",\"Security &amp; Privacy\"],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116\",\"name\":\"Peter James\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g\",\"caption\":\"Peter James\"},\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/peter\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/","og_locale":"en_US","og_type":"article","og_title":"Mac OS X Server Break-in: Vulnerability or User Error? - The Mac Security Blog","og_description":"Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:","og_url":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/","og_site_name":"The Mac Security Blog","article_published_time":"2008-04-16T10:37:52+00:00","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Peter James","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/","name":"Mac OS X Server Break-in: Vulnerability or User Error? - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"datePublished":"2008-04-16T10:37:52+00:00","dateModified":"2008-04-16T10:37:52+00:00","description":"Tom Yager at InfoWorld is reporting about a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Mac OS X Server Break-in: Vulnerability or User Error?"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116"},"headline":"Mac OS X Server Break-in: Vulnerability or User Error?","datePublished":"2008-04-16T10:37:52+00:00","dateModified":"2008-04-16T10:37:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/mac-os-x-server-break-in-vulnerability-or-user-error\/#webpage"},"wordCount":307,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"articleSection":["Apple","Security &amp; Privacy"],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116","name":"Peter James","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g","caption":"Peter James"},"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/peter\/"}]}},"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-25","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/129"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=129"}],"version-history":[{"count":0,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/129\/revisions"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}