Slashdot Mirror


Symptoms of Mac OS X Hack?

goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, backup the system, reinstall, secure it and be back up in a couple hours. However, with OSX what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where to look beyond the usual '.BitchX' and '...' directories. How do I easily tell what other annoying little things have been installed?"


  1. Re:What was installed by bw5353 · · Score: 2, Funny
    "One place you can look to see what was installed on your computer...go to /Library/Receipts. This has a small .pkg file that is left behind every time something is installed through a package on the computer (which anything but a basic application will have). "

    Never heard that theory before. I find no receipts in /Library/Receipts for MS Office X, MS Office 2004 Demo, Adobe Photoshop, InDesign, Illustrator, Acrobat, Lotus Notes or AppleWorks, just to name a few recent installations.

    I do find SallingClicker however. If someone tries to install SallingClicker after having taken over a machine, we'll get him!
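One way to turn the receipts idea above into an offline triage step, as an added example that is not part of the thread: with the suspect system drive mounted read-only on another machine, list the receipt bundles with their timestamps and filter to the intrusion window. The mount point is an assumption, and as the comment notes, only Installer packages leave receipts.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread. Walks /Library/Receipts on an
# offline-mounted Mac OS X volume and reports what was installed through the
# Installer, oldest first. Argument 1 is the mount point of the suspect disk
# (assumed, e.g. /Volumes/Suspect). Software dropped from a tarball on the
# command line leaves no receipt, so an empty window proves nothing.

# Epoch mtime of a path; GNU stat first, BSD/macOS stat as the fallback.
stat_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print every receipt bundle as "<epoch mtime><TAB><bundle name>", sorted by
# time. The bundle directory's mtime is when the receipt was written, which
# is the install time for that package.
list_receipts() {
    dir="$1/Library/Receipts"
    [ -d "$dir" ] || return 1
    for r in "$dir"/*.pkg; do
        [ -e "$r" ] || continue
        printf '%s\t%s\n' "$(stat_mtime "$r")" "$(basename "$r")"
    done | sort -n
}

# Only the receipts written at or after epoch $2, i.e. inside the window in
# which the passwords are believed to have been changed.
receipts_since() {
    list_receipts "$1" | awk -F'\t' -v since="$2" '$1 >= since { print }'
}

# Usage: sh triage.sh /Volumes/Suspect 1080000000
if [ -n "$1" ]; then
    receipts_since "$1" "${2:-0}"
fi
```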

  2. Re:make new admin account by transient · · Score: 4, Funny
    This is the first I've heard of /var/db/.AppleSetupDone, so I took a peek inside it and found a mildly amusing dictionary key:

    <key>AppleSpam</key>
    <string>NO</string>

    At least they're honest.

    --

    irb(main):001:0>

  3. Re:What was installed by prockcore · · Score: 4, Funny

    Of course if there was any kind of rootkit or similar nasty installed, it was probably installed off the command line from a tar.gz file, so it wouldn't appear there.

    I always thought that an OSX rootkit would use a nice pretty GUI installer and register itself with Software Update so you can download the latest 0wnz3r patches.

  4. Re:My girlfriend got Mac OS X spyware, somehow. by ricosalomar · · Score: 2, Funny

    Letting your GF run Explorer? Chivalry is dead, indeed.