Slashdot Mirror


Symptoms of Mac OS X Hack?

goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, back up the system, reinstall, secure it and be back up in a couple hours. However, with OSX what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where to look beyond the usual '.BitchX' and '...' directories? How do I easily tell what other annoying little things have been installed?"

7 of 135 comments

  1. Re:When did it happen? by thefroatgt · · Score: 5, Insightful

    Wouldn't you be able to change timestamps and stuff like that if you hacked a system? I know nothing of how OS X's filesystem works, but seems like that would be nigh impossible to stop.

  2. It's UNIX, do what you usually do in Linux by baffle · · Score: 3, Insightful

    Reset password via the InstallCD and boot it into normal single-user. Can't remember the key-combo now, but it should be something like Apple+s.

    --
    - Baffle
  3. reinstall everything from scratch. by gl4ss · · Score: 4, Insightful

    really, how else are you going to be sure?

    you can't trust timestamps (as some have suggested), you certainly can't trust any receipt/installation logs of macosx itself either, you can't trust binaries, you can't trust ANYTHING (except dummy data files with no data that ever gets executed, through other exploits or whatever).

    and REALLY, how do you _really_ figure out what binaries were compromised on a linux system you could rescue with knoppix? all you can do is to hope that they didn't install anything except bitchx with some scripts to zombie you..

    --
    world was created 5 seconds before this post as it is.
  4. Re:What was installed by Anonymous Coward · · Score: 2, Insightful

    So if I have physical access to the machine, I can compromise it (assuming of course I brought some OSX os disks?)

    Yes, you can. Just the same as you can compromise a Linux or Windows machine by booting off an OS disk. If you disable booting off media, someone's only going to take the machine apart and re-enable it. If someone physically has the machine they can do anything they want to it - including disassembling it - so such an intrusion is impossible to stop.

    However, on OSX you can encrypt your user data (see system settings -> security) so that even if someone has low-level access to the hard drive they still can't read your files.

  5. Victim of Its Own Success. by Doc+Squidly · · Score: 1, Insightful

    Security exploits, Mac Spyware and hacks like these, IMHO, will continue to increase as OS X becomes more popular.

    But, this has already been predicted.

    --
    I think I think, therefore I think I am.
  6. Re:When did it happen? by prockcore · · Score: 2, Insightful

    Chances are it's just some kid who found a computer and managed to guess the password or something. If it was a pro job, you're right. But I'm betting it's just some kid or wannabe.

    Right, because only the pros know about touch(1)

  7. Re:Put in the installer CD by alienw · · Score: 3, Insightful

    You do realize that if a rootkit was installed, that is unlikely to reveal anything and your system will likely remain compromised?
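
An added illustration, not part of the thread or of any commenter's post, of the timestamp point raised in comments 1, 3 and 6: the modification time is set freely by the file's owner (which is what touch(1) does), but doing so bumps the inode change time, so a file whose mtime is far older than its ctime is worth a look when reviewing a mounted copy of the drive. The file names and the 60-second slack are constructed for the demo.

```python
import os
import tempfile
import time


def backdated(path, slack=60.0):
    """True when mtime is more than `slack` seconds older than ctime.

    On Unix, st_ctime is the inode change time; utime()/touch cannot
    set it, and it is updated whenever the mtime is rewritten.
    """
    st = os.lstat(path)  # lstat: examine the link itself, never its target
    return st.st_ctime - st.st_mtime > slack


def scan(root, slack=60.0):
    """Walk `root` and return the sorted paths of backdated files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if backdated(path, slack):
                    hits.append(path)
            except OSError:
                continue  # unreadable entry: skip it, keep scanning
    return hits and sorted(hits)


def demo():
    """Build two constructed files, backdate one, return flagged names."""
    with tempfile.TemporaryDirectory() as root:
        normal = os.path.join(root, "normal.txt")
        planted = os.path.join(root, "planted.bin")
        for path in (normal, planted):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        year_ago = time.time() - 365 * 86400
        os.utime(planted, (year_ago, year_ago))  # same effect as touch -t
        return [os.path.basename(p) for p in scan(root)]


if __name__ == "__main__":
    print(demo())
```

A hit is a lead, not proof: archive extraction and `cp -p` also produce old mtimes with recent ctimes, and someone with root can forge ctime too by changing the system clock or writing to the raw disk.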