Slashdot Mirror


Symptoms of Mac OS X Hack?

goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, back up the system, reinstall, secure it and be back up in a couple hours. However, with OSX what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where do I look beyond the usual '.BitchX' and '...' directories? How do I easily tell what other annoying little things have been installed?"

18 of 135 comments

  1. When did it happen? by MBCook · · Score: 4, Informative

    When did it happen, do you know? If so then you can search the drives for files that were created/modified on or after that date. That should allow you to restrict the number of things that you need to look at, anywhere from somewhat to significantly.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  2. Put in the installer CD by CptChipJew · · Score: 4, Informative

    Boot off the install cd/dvd, and you can change your root password to anything you wish.

    After that it's just a matter of recreating accounts and adjusting permissions. You can do that pretty easily in the Finder by getting info on a folder and changing permissions for all the contents of that folder and its sub-folders in one click.

    --
    Vonal Declosion
  3. Let's hear more details about your break-in by Roompel · · Score: 5, Informative
    I had the same issue with modified passwords on my G4 server running MacOS X Server 10.3. I thought I was hacked and talked to Apple's tech support to get this resolved. In the end I realized that my passwords got changed every time I used niload in order to add a user account via the command line.

    Until today I still have to figure out how to create accounts without using the GUI.

    1. Re:Let's hear more details about your break-in by jeffasselin · · Score: 4, Informative

      niload to add user accounts? No wonder this fucked up your passwords. niload uses raw access to import data into the database and isn't quite compatible with the new authentication scheme in OS X.

      Why don't you use niutil? That's the tool for the job. I've changed groups and users, and created the same with it before without any problems.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    2. Re:Let's hear more details about your break-in by mmarlett · · Score: 4, Informative

      You have a couple of GUI-less options:
      http://www.macosxhints.com/article.php?story=20030603190314390
      http://cocoa.mamasam.com/MACOSXDEV/2002/12/1/51614.php

      But I always use the GUI. I'm less likely to break things that way.

  4. Hmm.. by Anonymous Coward · · Score: 5, Informative

    I've never dealt with a hacked Mac (cuddles powerbook and shivers in fear). However, some standard procedures would apply:

    (1) Isolate it from the network. Unplug ethernet, turn off any wireless access points (if Airport was set up on it).

    (2) Boot off a known good media. This means the OSX recovery CD (or DVD with newer models). I've never done it, but presumably you should be able to mount your Mac's hard drive, get to a terminal window and be able to poke around and repair the damage as with any other system.

    (3) If you don't want to repair (which can be risky if you don't know what's infected), copy off all files & data that you want to keep (avoid copying anything that's executable because that could be infected / trojaned) - then manually erase as much of everything as you can, ideally wiping the hard drive and low-level formatting it. Then boot off the recovery media / OS X install disks and do a full re-image of the machine. Disable remote access, turn on the firewall in system settings -> sharing -> firewall, patch the OS, reinstall all applications, then restore the data that you backed up. And this time use strong passwords.

    Step 3 really is the only way to be sure that the system is no longer infected.

  5. System intrusion options by Kalak · · Score: 5, Informative

    As others have mentioned, you can use the System install disk to change your root password (which may be what was done to you). At the first splash screen, look in the menu bar to select the password reset utility.

    Also, if you'd like to look around, you can boot into single user mode using command-s when booting. Once you see the command prompt, just go nuts.

    Another option is to boot off of another drive with the OS on it. Target disk mode is very handy for this. You can do it with 2 desktops, or one laptop and one desktop. An external drive is possible. Also, you can find ways to make a bootable OS X CD to work from w/o working from the original drive if you can get to another Mac to build the CD on.

    --
    I am, and always will be, an idiot. Karma: Coma (mostly effected by .hack)
  6. What was installed by bnewendorp · · Score: 4, Informative

    One place you can look to see what was installed on your computer...go to /Library/Receipts. This has a small .pkg file that is left behind every time something is installed through a package on the computer (which anything but a basic application will have). This should give you an idea of everything that has been installed on the computer since the OS was installed. Also, to reset your main password, put in the original OS install disc that came with the computer. Under File, you can select an option to reset passwords.

    1. Re:What was installed by duffbeer703 · · Score: 4, Informative

      Brilliant. It's nice that fricking computer hackers use proper software installation methods. And they'd never try breaking in the same way they did the first time, either.

      A compromised machine must be rebuilt. Period.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:What was installed by daviddennis · · Score: 4, Informative

      Of course if there was any kind of rootkit or similar nasty installed, it was probably installed off the command line from a tar.gz file, so it wouldn't appear there.

      Nice try, but it probably wouldn't help in this instance.

      D

    3. Re:What was installed by pizza_milkshake · · Score: 4, Informative
      So if I have physical access to the machine, I can compromise it (assuming of course I brought some OSX os disks?)

      assuming you know what you're doing, then yes, physical access and a little time is all you need. that goes for pretty much any machine. one reason for server rooms and cages in hosting facilities.

  7. Things to consider, HOW-TO by goombah99 · · Score: 5, Informative

    After getting access as described, here is how I deal with my machines:

    0) First rename the /Users/shared folder and move it into your user folder.

    1) Do a full install of the system using the archive and install mode. This gives you a blank system with the default apps, but with all your old system stored in a folder.

    2) Recreate all your users if any are missing and copy back their files, and move back the /Users/Shared folder you renamed in step 1. (This is needed because the shared folder is not quite handled right by archive and install.)

    3) Drag and drop the contents of the old Applications folder onto the new Applications folder. When it asks you if you want to overwrite, check NO. This will give you clean copies of the Apple apps and give you your old other apps back.

    Do the same with the Utilities folder.

    4) Now very selectively do the same with the /Library folder. There are very few apps that actually need anything stored in the Library folder, and most of these are in the Application Support and Preferences sub dirs. Nearly all prefs can be wiped. As a pre-screen you can search for anything in this folder that is an executable or a .app using "find". These are highly suspect, but not necessarily evil.

    5) Copy back any other root level folders that you personally created previously, such as /sw for fink.

    6) Go back and double check that all those applications and utilities that were not Apple apps and utilities are okay. This is not simple, but at least check some creation dates.

    That should pretty much do it. What you will miss are any boot time services, host files, tcp permissions, cron jobs or firewall settings you hand tweaked or installed, as those config files are now wiped. It's possible your keychain will get corrupted, but not necessarily. And if you created any new users in this process and their explicit UID and GROUPID numbers are important, you can edit these using the netinfo utility. Normal installations of packages and applications on Apples do not tinker with /bin /etc /usr. Some non-Apple-friendly unix packages do, but you would probably know this. If you only used fink or only installed in the user's space then you are fine. If you installed into places like /usr or /opt then you are on your own.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Things to consider, HOW-TO by justMichael · · Score: 4, Informative
      While your list is nice if you don't care how they got in in the first place and you aren't really that concerned about cleaning your machine correctly...

      I would strongly recommend that anyone that thinks they have been rooted/hacked/owned (call it what you will) should boot from something safe, think Gentoo or other non OS X source.

      Copy the entire drive off onto another drive and only mount it read-only from that point on.

      Now wipe the original drive and reinstall everything from scratch. Including downloading anything that you don't have a CD for.

      After you get back up and running and if you want to know how they got in or if you care about anything on the old install, mount that drive read only and start poking around. There are many good resources online for post mortem analysis.

      At the very minimum you should want to know when it happened so that you know how far back your backups are potentially unsafe. You do have backups, right?

      If you honestly believe that checking creation dates on files is enough, you will get burned. Take the following example.
      cp SafeApp.app SafeAppTemp.app
      scp hacker@example.com:/Users/hacker/BadApp.app SafeApp.app
      touch -r SafeAppTemp.app SafeApp.app
      srm SafeAppTemp.app
      When you look at the dates on SafeApp the app appears to be safe, is it?

      Disclaimer: I'm not on an OS X box at the moment so I can't verify that its version of touch supports -r, but even if it doesn't, once they're on your machine they can bring in one that does.
    2. Re:Things to consider, HOW-TO by cjpez · · Score: 4, Informative

      Er, if you're copying over applications and user data from the compromised partitions, why bother doing a reinstall at all? If just one of those applications or library files you copied over was trojaned, all you're doing is turning off the hacks until you execute the necessary code again.

  8. Same procedure by GoRK · · Score: 4, Informative

    You can follow the same procedure you use for your linux recovery -- put in the install cd or darwin cd, boot to a shell, mount up the disk read only and perform your backup, analysis, and then recover by whatever means you want.

    To boot to a shell using the install cd you have to go into open firmware and set OF to pass the -s option to the mach kernel. The darwin CD will give you the option to jump to a shell right off the bat.

  9. Re:reinstall everything from scratch. by alienw · · Score: 4, Informative

    and REALLY, how do you _really_ figure out what binaries were compromised on a linux system you could rescue with knoppix?

    You could compare md5sums of all the executables with the ones on the installation media. RPM has an option to do that.

  10. Re:reinstall everything from scratch. by prockcore · · Score: 4, Informative

    and REALLY, how do you _really_ figure out what binaries were compromised on a linux system you could rescue with knoppix?

    As I said above:
    rpm -Va

    put /var/lib/rpm on a keychain.

  11. Target disk mode + disk image by plsuh · · Score: 4, Informative
    Every Mac that has a firewire port can boot into Target Disk Mode. Hit the power button and hold down the "T" key. In a couple of seconds you'll see the screen show a yellow firewire symbol. Plug the compromised Mac into another Mac using a firewire cable, and the compromised Mac's hard drive will be mounted on the other Mac's desktop as an external firewire hard drive.

    At this point, you should recover all of your user data to an outside volume, either on the known good Mac or on a CD-R or network volume. If you want to do forensics on the compromised Mac, create a disk image from the compromised Mac's hard drive (warning - this may take up a lot of space). This will preserve everything from that machine in a way that can easily be mounted and studied. Put the compromised Mac away as evidence and do your examination from the disk image.

    Log files are your friends. However, a good rootkit will include ways of deleting telltale info from log files. Another problem is that the prebinding process will alter binaries in different ways depending on the machine and the amount of RAM. The right way to do a comparison between the compromised machine and a known good machine is to use an identical machine (same model, same amount of RAM) and bring the system up to the same set of updates. Then you can use
    sudo mtree -c -p /usr -k cksum > /tmp/mtree_checksum1
    sudo mtree -c -p /Volumes/BadHD/usr -k cksum > /tmp/mtree_cksum2
    to create CRC32 checksums of the /usr directories. Compare the two checksum files to see what might have been changed/added/deleted. Repeat for other important directories like /etc, /var, /Library, /System, /System\ Folder. If everything is different, you know that you haven't gotten the prebinding conditions right and you need to start over.

    To get the compromised Mac up and running again, you can't count on fixing everything in place. It's too easy to miss something that's been trojaned. You need to do an erase and install on the compromised Mac, re-install all of your applications, re-create the user accounts, then copy back the data that you backed up earlier. Be careful if some users have installed apps inside their home dirs that you re-install those fresh, as they may have been attacked as well. Also be sure to run a virus scanner on user files before restoring them to catch things like Word macro viruses.

    Be careful of the users' login keychains, as the data in those may not be recoverable if the passwords were changed by someone who logged in as the users themselves. If the passwords were changed via an outside reset mechanism, such as an admin user or an install CD, then the old keychain passwords should still work.

    Joel Rennich has a good account of studying a compromised Mac OS X machine a while back on his website, afp548.com. It's based on a little bit older version of the OS, but still good advice.

    --Paul
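A content-based integrity check, added here as an illustration and not taken from any of the commenters: it builds a manifest of every regular file under a tree (what the mtree invocations above do with cksum, here with SHA-256) and diffs a suspect tree against a known-good one. The constructed scenario in demo() swaps a binary and puts its old mtime back, as in justMichael's touch -r example, to show that the manifest still flags the change while the date check does not; the file names and contents are made up for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative path -> (size, sha256) for every regular file under root.
    Like `mtree -c -k cksum`, this records content rather than mtime."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are hashed where they live
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = (os.path.getsize(full), h.hexdigest())
    return manifest


def diff_manifests(known_good, suspect):
    """Files added, removed or changed on the suspect tree relative to the clean one."""
    common = known_good.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(known_good)),
        "removed": sorted(set(known_good) - set(suspect)),
        "changed": sorted(p for p in common if known_good[p] != suspect[p]),
    }


def demo():
    """Constructed scenario: a clean tree and a suspect tree where one binary was
    replaced and its old mtime put back (what `touch -r` does), plus a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good"), Path(tmp, "bad")
        for base in (good, bad):
            (base / "bin").mkdir(parents=True)
            (base / "bin" / "SafeApp").write_bytes(b"#!/bin/sh\necho safe\n")
            (base / "bin" / "ls").write_bytes(b"\x7fELF placeholder")
        target = bad / "bin" / "SafeApp"
        old_mtime_ns = target.stat().st_mtime_ns
        target.write_bytes(b"#!/bin/sh\necho not safe\n")
        os.utime(target, ns=(old_mtime_ns, old_mtime_ns))  # timestamp restored
        (bad / "bin" / ".hidden").write_bytes(b"dropped\n")
        report = diff_manifests(build_manifest(str(good)), build_manifest(str(bad)))
        report["mtime_unchanged"] = target.stat().st_mtime_ns == old_mtime_ns
        return report
```

Run against a real machine, the known-good manifest must come from an identical install (same model, RAM and update level) for the reason plsuh gives about prebinding, or the diff will list nearly everything.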