Hotline Security Guide Mac

From Higher Intellect Wiki
Jump to: navigation, search

Original document can be found at

Hotline Security Guide
Macintosh Edition 

An infoLink Document by: 
Darian "SLAYER" Drake

ICQ#: 5062340

¥ Introduction and Disclaimer:

   This guide was created after attempts to "hack" my server.  The first attempt was detected when a Guest uploaded the infamous "My Upload List" to me.  I called him on it, and he ended up telling my how it was used.  I then created a bogus account using the "Trojan" guidelines to catch would be "hackers."  It did not take long, until I had one.  He bragged about his conquests that night, and my CoAd (TripleZeroª) and I searched and found many sites had been hit.  When talking with other Admins, the subject of a guide to basic security was brought up, and thus this is born...
   Please note that these are just basic guidelines to follow.  This is not a foolproof way to prevent your site from being hacked.  If you follow this advice  and you still get hacked, neither I, nor my contributors, will be held responsible; due to the many factors dealing with the ever-changing technology of computers and software.

¥ Definitions:

   First off, I would like to address some of the definitions used.  The original definition of "hacker" derives from the Massachusetts Institute of Technology's programmers in the 1960s, who called themselves "hackers," to refer to making a program better and more efficient, or making it do something it was not originally intended to do.[1]  Later, "hacker" became the generic title for one who breaks into computer systems.  Most of the "hackers" running rampant throught the Hotline community are not true "hackers" by definition.  What they are doing is exploiting the work of someone else, using the back doors installed by a true Hack's "Trojan Horse."
   A "Trojan Horse" is a program that performs some undesired yet intended action while, or in addition to, pretending to do something else.  It is named after the hollow wooden horse filled with soldiers that invaded the city of Troy in ancient Greece, it disguises itself as something helpful or useful, then it jumps out and does harm. A Trojan Horse differs from a virus in that the former does not attempt to reproduce itself.[2]

¥ About the Trojans:

   The most common Trojan that effects Hotline servers creates an extra account in your "Users" folder.  This account is able to do everything except kick other users.  This is so that the name does not show up in red (like an Admin account) and the intruder may go about their business relatively unnoticable.  While this Trojan is relatively  unharmful to your computer system itself, it can be quite disruptive to your server.
   Other Trojans, however can be more damaging.  The previous Trojan allows complete access to your server, and you cannot actually delete files through Hotline; it only moves the files to the Trash.  These other Trojans can do anything from deleting system files to corrupting your file structures.  These can permanently damage your system, so be careful when downloading.

¥ Detection:

   To detect if your server has been hit by the most common Hotline Trojan, you will need to look for an invisible folder.  You can do this by using the advanced "Find File" options, by holding down the "option" key and selecting the first menu on the left, the "name" menu, then choose "visibility" and look for invisible files:


   Now if you find an invisible "guest" folder, you have been hit.  To fix this you can do one of two things.  You can create a new "Users" folder and drag all of your visible accounts to the new folder.  This will leave the invisible one behind and you can drag the old folder to the Trash and empty it.
   If you are familiar with ResEdit, you can use that as well to find and delete the invisible file.  Use the "Get File/Folder Info" from ResEdit's "File" menu, and select your "Users" folder.  If you have two "guest" accounts, then choose the second one.  They may look the same, but the second account has an extra space after "guest."  
   When you edit it, it will appear as such:


Uncheck the "Invisible" box, and then you will be able to delete the offendiong account by dragging it from your "Users" folder to the Trash.

¥ Prevention Suggestions:

   Preventing your server from the common Trojan attack is fairly simple.  You can do several things:
   1) Be alert!  In my first encounter with this Trojan, the person uploading the file to me was pushy - wanting me to read his file list right then.
   2) Check your files!  Get info on everything, and see if everything checks out ok.  The Trojan that has been circulating generally looks like this:


Note the creation date and the version information, although do not only use that as a guide.  Those can be easily modified with ResEdit.  Examine everything closely, in this case the icon appears to be a SimpleText document, yet it's "Kind" is listed as an application.
   3) Don't just "double-click" a file to open it!  If it looks like a SimpleText document, try to open it with SimpleText.  Did you double click on this file to open and read it?  Makes you wonder, eh?
   4) If you are opening an unknown application, do it on another computer.  This is easier said than done, but if you cannot do this, check the file when your server is offline, then if something unusual happens you can catch it quickly.
   5) Run a virus protection application such as SAM, that will detect suspicious activity, such as the creation of an invisible file.

¥ Detection Suggestions:

   Detecting the Trojan is simple as well, as outlined above.  But it can be an annoyance to go through the full process daily to see if your security has been compromised.  Following these suggestions can make detection easier:
   1) Label all of your "User" accounts.  This will make it easier to see if any new users were created any a Trojan account.
   2) Keep your Trash empty.  A Hotline user can only move files to the Trash, not actually delete anything, so if anything suddenly appears in your Trash, your security may have been compromised.
   3) Create a "guest " folder and use ResEdit (or another utility) to lock it.  If that folder disappears, and a "UserData" file appears in your "Users" directory you have had the Trojan run, but your server is still secure. (Remember that there is a space after typing "guest" as in "guest ")
   4) If you happen to know the password, create a full user account with very limited access.  Give the account a name that will get your attention, and uncheck the "Can Use Any Name" box.  Be sure to "Log Connections" so you can save their IP address. (This is how I caught the guy trying to penetrate my server!)

¥ Hotline and Security:

   Hotline is concerned with server security. The next release of the server ignores invisible accounts, and a future release will guarantee that account information cannot be modified or read while the server is running.[3]  The security problems do not lie with Hotline as much as it does with Administrator ignorance, and MacOS.

¥ Known Trojans:

   Since the names of files can be changed very quickly and easily, checking the name of a file should not be your only means of determining its integrity.  These are common names of some known Trojans:

   Account Request - Yes, a simple account request could house a Trojan!
                     Be sure to check those files!
   AutoGuest INIT 2.0 - Upgrades, everyone wants a better server right? 
                        What better way to sneak in a Trojan?
   CMTools 1.1.sit - ANYTHING could be a Trojan.  "Get Info" often!
   Federal Spy Detector - Trashes your control panels, this one zapped a 
                          friend of mine.
   HL Server Updater Beta 1.3 - Again, who wouldn't want to have the
                                newest and best server?  Be safe and get
                                your upgrades directly from Hotline.
   My Upload List - The most common one I have found.  All of the ones I
                    have come in contact with has been a derivative of
                    this one.


   This project could not have been completed without the assistance of others.  I would like to thank: my CoAds, Blk Shadow and TripleZeroª, for previewing this and assisting in its development; S+T+I+T+C+H+Y, for additional "detection" contributions; Taft, for holding the security chat to raise awareness; and Hotline Communications Ltd., for creating an excellent product.

[1] Hackers Encyclopedia v2.5 by Logik Bomb -
[2] Thomas Jefferson University (CVI)
[3] Adam Hinkley, CEO Hotline Communications Ltd. - In a post to the Hotline Mailing List

This guide was created and produced with permission, although I am not associated with Hotline Communications Ltd. 

Share your opinion