An LDAP server on another is reporting an unusually large number of attempts to read the LDAP directory and attempting a number of users, all of which look like hacking attempts to read user/password information. These happen every minute. It reports that the originating IP is a Mac OS X 10.4 Tiger Server which is a file server on the network for iMacs.
When I run lsof -i:ldap +c 0 on the Mac server, it returns
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
DirectoryService 60 root 11u IPv4 0x38de228 0t0 TCP mymacserver.com:50106->myldapserver.com:ldap (ESTABLISHED)
Running ps -Aj gives
USER PID PPID PGID SESS JOBC STAT TT TIME COMMAND
[...]
root 60 1 60 290c7e4 0 Ss ?? 0:19.00 /usr/sbin/DirectoryService
Running cat /Library/Logs/DirectoryService/DirectoryService.server.log gives
2012-02-15 15:01:29 EST - DirectoryService 2.1 (v353.6) starting up...
2012-02-15 15:01:29 EST - Initializing TCP ...
2012-02-15 15:01:29 EST - Plugin <Configure>, Version <1.7>, processed successfully.
2012-02-15 15:01:29 EST - Plugin <NetInfo>, Version <1.7.4>, processed successfully.
2012-02-15 15:01:29 EST - Plugin <LDAPv3>, Version <1.7.4>, processed successfully.
2012-02-15 15:01:29 EST - Plugin <Search>, Version <1.7>, processed successfully.
2012-02-15 15:01:29 EST - Plugin "Active Directory", Version "1.5.8", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "AppleTalk", Version "1.3", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "Bonjour", Version "1.3", loaded successfully.
2012-02-15 15:01:29 EST - Plugin "BSD", Version "1.2.2", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "PasswordServer", Version "3.1.2", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "SLP", Version "1.3.1", is set to load lazily.
2012-02-15 15:01:29 EST - Plugin "SMB", Version "1.3", is set to load lazily.
2012-02-15 15:01:29 EST - Registered node /Configure
2012-02-15 15:01:29 EST - Registered node /Search
2012-02-15 15:01:29 EST - Plug-in Configure state is now active.
2012-02-15 15:01:29 EST - Registered node /Search/Contacts
2012-02-15 15:01:29 EST - Registered node /Search/Network
2012-02-15 15:01:29 EST - Plug-in Bonjour state is now active.
2012-02-15 15:01:29 EST - Plug-in Search state is now active.
2012-02-15 15:01:29 EST - Plug-in LDAPv3 state is now active.
2012-02-15 15:01:29 EST - Registered node /NetInfo/DefaultLocalNode
2012-02-15 15:01:29 EST - Plug-in NetInfo state is now active.
2012-02-15 15:01:32 EST - Network transition occurred.
2012-02-15 15:01:35 EST - Registered Locally Hosted Node /NetInfo/DefaultLocalNode
2012-02-15 15:01:41 EST - Network transition occurred.
2012-02-15 15:01:41 EST - Network transition occurred.
2012-02-15 15:01:41 EST - Network transition occurred.
(The time is when the server was rebooted several hours ago.) This has been going on for several days.
Is there a way to see what is calling the DirectoryService every minute?
I cannot use netstat -p, since Mac OS X 10.4 Tiger does not support the -p option.
I need to disable this malicious script, but I cannot disable the LDAP client completely, as users rely on this server for file storage and user ids.
EDIT:
I ran sudo killall -USR1 DirectoryService to enable the debug log, and it seems that memberd and lookupd are calling DirectoryService.
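One way to narrow down the caller on a host without netstat -p, as an added example that is not part of the original question or its answers: poll lsof the way the question does and write a ps snapshot whenever a new LDAP connection appears, so the process active at that moment can be correlated with the once-a-minute connection. The lsof sample is constructed from the question's output; the log directory and poll interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: attribute periodic LDAP
# connections on a host whose netstat lacks -p by polling lsof and
# recording a process snapshot each time a new connection appears.
# Assumes lsof and a BSD-style ps (both used in the question) are present.

# Read `lsof -i:ldap +c 0` output on stdin; print one line per outbound
# LDAP connection as COMMAND PID REMOTE STATE (header/LISTEN rows dropped).
ldap_connections() {
    awk '$(NF-1) ~ /->.*:ldap$/ {
        split($(NF-1), ep, "->"); st = $NF; gsub(/[()]/, "", st)
        print $1, $2, ep[2], st
    }'
}

# Print lines present in file $2 (current poll) but absent from file $1
# (previous poll): the connections that appeared since the last poll.
new_connections() {
    awk -v p="$1" 'FILENAME == p { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Poll every $1 seconds (default 5); append events to $2/events.log
# (directory is an assumed location). Run as root so lsof sees all PIDs.
watch_ldap_callers() {
    interval=${1:-5}; dir=${2:-/var/tmp/ldap-watch}
    mkdir -p "$dir" && : > "$dir/prev"
    while :; do
        lsof -i:ldap +c 0 2>/dev/null | ldap_connections > "$dir/cur"
        if new_connections "$dir/prev" "$dir/cur" | grep -q .; then
            # A fresh connection: log it with a ps snapshot so the process
            # active when DirectoryService reached out can be correlated.
            {
                echo "== $(date '+%Y-%m-%d %H:%M:%S') new LDAP connection(s):"
                new_connections "$dir/prev" "$dir/cur"
                ps -Aj
            } >> "$dir/events.log"
        fi
        mv "$dir/cur" "$dir/prev"
        sleep "$interval"
    done
}

# Constructed sample of lsof output, modelled on the question's line.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
DirectoryService 60 root 11u IPv4 0x38de228 0t0 TCP mymacserver.com:50106->myldapserver.com:ldap (ESTABLISHED)
lookupd 42 root 5u IPv4 0x38de300 0t0 TCP mymacserver.com:50107->myldapserver.com:ldap (SYN_SENT)'
```

Start it with watch_ldap_callers 2 as root and compare the timestamps in events.log with the LDAP server's complaint times; processes that appear only in the snapshots taken at those moments are the candidates to inspect.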
The usual stuff:
It is not "a script"; you don't know what other stuff a hacker may have installed.