Symptoms of Mac OS X Hack?
goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, back up the system, reinstall, secure it and be back up in a couple of hours. However, with OS X what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where should I look beyond the usual '.BitchX' and '...' directories? How do I easily tell what other annoying little things have been installed?"
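One way to start the post-mortem the question asks for, as an added example rather than anything posted in the thread: a read-only triage script run against the compromised system drive once it is mounted on another machine. The mount path passed as its argument is an assumption; the script lists launchd/StartupItems/cron persistence entries, hidden dot-directories (including '...'-style names), and setuid/setgid executables, and it does not rely on timestamps.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of a compromised
# Mac OS X system volume mounted at the path given as $1, e.g. a drive
# attached to another Mac and visible under /Volumes/<name> (assumed path).
# Only the mounted tree is read; nothing on it is executed. Timestamps are
# deliberately not used as evidence because an intruder can rewrite them.

report() {
    # Prefix each path on stdin with a tag, shown relative to the volume root.
    while IFS= read -r f; do printf '%s:%s\n' "$1" "${f#"$root"}"; done
}

triage_volume() {
    root="$1"
    # System-wide persistence: launchd jobs, StartupItems, cron tables.
    for d in Library/LaunchDaemons Library/LaunchAgents Library/StartupItems \
             System/Library/LaunchDaemons System/Library/StartupItems \
             private/var/cron/tabs; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f | report persist
        fi
    done
    # Per-user persistence plus hidden dot-directories such as '.BitchX'.
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        if [ -d "$home/Library/LaunchAgents" ]; then
            find "$home/Library/LaunchAgents" -type f | report persist
        fi
        find "$home" -mindepth 1 -maxdepth 1 -type d -name '.*' ! -name '..?*' | report hidden
    done
    # Directories whose names are only dots ('...', '....') anywhere on the volume.
    find "$root" -type d -name '..?*' | report dotdir
    # Setuid/setgid executables anywhere: a classic place to hide a backdoor.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | report setuid
}

if [ "$#" -eq 1 ]; then
    triage_volume "$1"
fi
```

Every reported path is a lead to compare against a known-good install, not proof by itself; a rootkit on the live system would hide these, which is why the volume is examined from a separate, trusted machine.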
Wouldn't you be able to change timestamps and stuff like that if you hacked a system? I know nothing of how OS X's filesystem works, but seems like that would be nigh impossible to stop.
Reset password via the InstallCD and boot it into normal singleuser. Can't remember the key-combo now, but it should be something like Apple+s.
- Baffle
really, how else are you going to be sure?
you can't trust timestamps (as some have suggested), you certainly can't trust any receipt/installation logs of Mac OS X itself either, you can't trust binaries, you can't trust ANYTHING (except dummy data files with no data that ever gets executed, through other exploits or whatever).
and REALLY, how do you _really_ figure out what binaries were compromised on a Linux system you could rescue with Knoppix? all you can do is to hope that they didn't install anything except BitchX with some scripts to zombie you...
world was created 5 seconds before this post as it is.
You do realize that if a rootkit was installed, that is unlikely to reveal anything and your system will likely remain compromised?