Slashdot Mirror


Symptoms of Mac OS X Hack?

goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, backup the system, reinstall, secure it and be back up in a couple hours. However, with OSX what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where to look beyond the usual '.BitchX' and '...' directories. How do I easily tell what other annoying little things have been installed?"

7 of 135 comments

  1. Re:What was installed by davester666 · Score: 2, Interesting

    It depends on whether the admin also password-protected OpenFirmware and configured it to prevent booting from the CD/DVD drive. If not, then yes, you can compromise a Mac System with just an OS X boot CD. Of course, I believe you can do the same with a Linux 'live' CD on an Intel box...

    --
    Sleep your way to a whiter smile...date a dentist!

  2. Re:What was installed by chris_mahan · Score: 2, Interesting

    I am asking this where a work environment uses Macs, and users have access to the machines.

    --

    "Piter, too, is dead."

  3. make new admin account by tetsuotheironman · Score: 5, Interesting

    Probably the easiest way (no CD required) is to boot into single-user mode (holding Apple+S during boot);
    you will be dropped into a command prompt.

    Mount disks:
    mount /

    then remove this file:
    rm /var/db/.AppleSetupDone

    note the '.' as it's a hidden file..
    then just reboot
    (reboot)
    and you will be walked through the first-time Setup and Config dialogs just like it was a new machine.
    This will allow you to create a new admin account and change the other users' passwords. (Make sure not to create a user with the same shortname as another user.)

    note this is a good way to 0wn any Mac you can get physical access to..

  4. Re:My girlfriend got Mac OS X spyware, somehow. by Elwood+P+Dowd · Score: 2, Interesting

    Right, this is in Jaguar, and something she got off P2P easily could have mucked around inside /Applications/Internet Explorer.app/ without asking to authenticate. Because she's an admin. Fortunately it didn't try.

    --

    There are no trails. There are no trees out here.

  5. No help now.. but maybe in the future... by RedPhoenix · Score: 2, Interesting

    I've heard from some inside sources that Apple are looking to adopt something very similar to Solaris BSM auditing for OSX.

    This doesn't help you much at the moment, but maybe sometime down the track, this may help you diagnose what was changed on your system.. (Subject, of course, to your logs being pushed off the compromised system as soon as they're generated, and maybe the attacker not noticing the auditing capability).

    Red.

  6. Prepare before and be a bit paranoid by claudebbg · Score: 5, Interesting

    Well, most people say you should "reinstall" and that's right. But you can be prepared. For my own system, I:
    • separate data, user accounts and my non-Apple applications from the system with 2 different partitions
    • cleanly install the system and updates (stored on a separate drive) with no internet connection
    • setup a temporary admin account during the install
    • run a script (niutil, cp...) to recreate my environment (finally it's not that hard, just remember that users and groups are in netinfo and shadow passwords are stored in /var/db/shadow/hash with the generateduids of the users) and drop the temporary account
    • launch a complete replication of the system disk on an external (Emergency) drive (I currently use Mr. Bombich's Carbon Copy Cloner, but there are other solutions) which is useful to redo the first steps really fast (I mean 20 minutes from a drive, 30 minutes from my iPod which is becoming my "Emergency" drive). You can use the "rm local.nidb" trick to cleanly recreate the admin account
    • go live.
    This takes 2-4 hours with install from CDs, 1h from emergency drive.

    By the way, I also like to
    • avoid the uid 501 admin
    • replace the standard firewall (ipfw configured with the ruleset from the SysPrefs) with a ruleset of my own (using the fantastic stateful feature, stealthing if necessary, explicitly closing ports I don't use to and from the computer, and preventing apps like MS Office or Stuffit from calling home) launched as a StartupItem
    • check the basic security with nmap from the outside
    • setup OpenFirmwarePassword and FileVault (sorry guys, physical access is not enough)
    • check passwords are solid, currently with lcrack on shadow passwords
    • make automatic backups of vital data (thanks rsync) on an external drive (and in my case my laptop, which is then "in sync")
    Of course, the second part is purely paranoid (except backups) as I'm not at all an interesting target (except if you want to read my code or discover my preferred films ;-) but as I also do that for small companies I like (and occasionally work for), I feel a little bit more responsible and try it on my personal computer before deploying it for others.

    I also do that to learn a bit more about what can be done, as I'm not a sysadmin at all and don't pretend at all to be as pro as most of them.
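
    The post-mortem the question asks about and claudebbg's clean "Emergency" clone give the pieces for a file-level diff: mount the suspect system drive read-only next to the clone and compare hashed manifests to list what was added, modified or removed. This is an added example, not code from the thread or from any of its posters; the mount points in its comments are assumptions, and it uses sha256sum or shasum where present, falling back to cksum.

```shell
#!/bin/sh
# Added example: diff a mounted suspect volume against a known-clean clone.
# Mount points such as /Volumes/Emergency and /Volumes/Suspect are assumptions.

# Hash one file with whatever tool is available (sha256sum, shasum, or cksum as a
# last resort; cksum is only a CRC, so prefer a real digest tool where you can).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1-2 | tr ' ' ':'
    fi
}

# build_manifest ROOT OUTFILE: one "relative-path<TAB>hash" line per regular file,
# sorted so two manifests can be compared line by line. Only reads from ROOT.
build_manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -print | LC_ALL=C sort ) | while IFS= read -r rel; do
        printf '%s\t%s\n' "$rel" "$(hash_file "$root/$rel")"
    done > "$out"
}

# compare_manifests BASELINE SUSPECT: print ADDED / MODIFIED / REMOVED per path.
# On a system volume the ADDED and MODIFIED entries are the files to pull and inspect.
compare_manifests() {
    awk -F'\t' '
        NR == FNR { base[$1] = $2; next }
        !($1 in base) { print "ADDED\t" $1; next }
        base[$1] != $2 { print "MODIFIED\t" $1 }
        { delete base[$1] }
        END { for (p in base) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage: sh thisscript.sh /Volumes/Emergency /Volumes/Suspect
if [ "$#" -eq 2 ] && [ -d "$1" ] && [ -d "$2" ]; then
    build_manifest "$1" /tmp/baseline.tsv
    build_manifest "$2" /tmp/suspect.tsv
    compare_manifests /tmp/baseline.tsv /tmp/suspect.tsv
fi
```

    Run it against a read-only mount of the suspect drive; the baseline manifest can be built once from the clone and kept off the machine for later comparisons.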

  7. Re:My girlfriend got Mac OS X spyware, somehow. by sakusha · Score: 4, Interesting

    I call Bullshit. There is no such thing as MacOS X spyware. What happened is that a .plist or pref got fucked up and you couldn't alter the prefs. This has been documented in various places, like:

    http://daringfireball.net/2004/05/energy_saver
    http://daringfireball.net/2004/05/internet_helper

    The easiest way to detect bad prefs is to create a new user and test the software in a new userspace. The new user will have fresh prefs and .plists copied directly from the newuser template. If it works in a new user and not in your old user, you have a prefs or .plist problem. This is what you discovered, not spyware. Don't cry wolf every time you have a problem you can't figure out. Horror stories about viruses and spyware are for Windoze lusers. Think Different.