Slashdot Mirror


Symptoms of Mac OS X Hack?

goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, back up the system, reinstall, secure it and be back up in a couple of hours. However, with OS X what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where should I look beyond the usual '.BitchX' and '...' directories? How do I easily tell what other annoying little things have been installed?"

7 of 135 comments

  1. Let's hear more details about your break-in by Roompel · Score: 5, Informative
    I had the same issue with modified passwords on my G4 server running MacOS X Server 10.3. I thought I was hacked and talked to Apple's tech support to get this resolved. In the end I realized that my passwords got changed every time I used niload in order to add a user account via the command line.

    Until today I still have to figure out how to create accounts without using the GUI.

  2. Re:When did it happen? by thefroatgt · Score: 5, Insightful

    Wouldn't you be able to change timestamps and stuff like that if you hacked a system? I know nothing of how OS X's filesystem works, but seems like that would be nigh impossible to stop.

  3. Hmm.. by Anonymous Coward · Score: 5, Informative

    I've never dealt with a hacked Mac (cuddles powerbook and shivers in fear). However, some standard procedures would apply:

    (1) Isolate it from the network. Unplug ethernet, turn off any wireless access points (if Airport was set up on it).

    (2) Boot off known-good media. This means the OS X recovery CD (or DVD with newer models). I've never done it, but presumably you should be able to mount your Mac's hard drive, get to a terminal window and be able to poke around and repair the damage as with any other system.

    (3) If you don't want to repair (which can be risky if you don't know what's infected), copy off all files & data that you want to keep (avoid copying anything that's executable because that could be infected / trojaned) - then manually erase as much of everything that you can, ideally wiping the hard drive and low-level formatting it. Then boot off the recovery media / OS X install disks - and do a full re-image of the machine.. disable remote access, turn on the firewall in system settings -> sharing -> firewall, patch the OS.. reinstall all applications then restore the data that you backed up. And this time use strong passwords.

    Step 3 really is the only way to be sure that the system is no longer infected.

  4. System intrusion options by Kalak · Score: 5, Informative

    As others have mentioned, you can use the System install disk to change your root password (which may be what was done to you). At the first splash screen, look in the menu bar to select the password reset utility.

    Also, if you'd like to look around, you can boot into single-user mode using Command-S when booting. Once you see the command prompt, just go nuts.

    Another option is to boot off of another drive with the OS on it. Target Disk Mode is very handy for this. You can do it with 2 desktops, or one laptop and one desktop. An external drive is possible. Also, you can find ways to make a bootable OS X CD to work from without working from the original drive, if you can get to another Mac to build the CD on.

    --
    I am, and always will be, an idiot. Karma: Coma (mostly effected by .hack)
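    Once the suspect disk is mounted on a known-good machine (Target Disk Mode or a boot from install media, as comments 3 and 4 describe), the question "what else got installed?" is answered by looking in a fixed set of places and comparing against a clean install of the same OS version. The script below is an added example for this thread, not code from any of the posters: it lists setuid binaries, dot-directories, recently changed system files, StartupItems, cron entries and SSH authorized_keys on the mounted volume, and never writes to it. The /Volumes/Suspect mount point and the 30-day window are assumptions. One caveat the thread does not mention: on OS X, /etc, /var and /tmp are symlinks into /private, so "$VOL/etc" on an externally mounted disk resolves to the host's own /private/etc; the real directories must be addressed under "$VOL/private".

```sh
#!/bin/sh
# Added example: first-pass triage of a compromised OS X volume mounted
# read-only on a known-good system. Everything is read-only; output is a
# report to compare against a clean install. Mount point is an assumption.
#
# /etc, /var and /tmp are symlinks to /private/* on OS X, and on a volume
# mounted under /Volumes they point at the HOST's /private, so the real
# directories are addressed as "$vol/private/etc" etc. below.

triage_volume() {
    vol=$1
    days=${2:-30}      # look-back window for "recently changed" files
    [ -d "$vol" ] || { echo "no such volume: $vol" >&2; return 1; }

    echo "== setuid/setgid binaries (diff this list against a clean install)"
    find "$vol/bin" "$vol/sbin" "$vol/usr" "$vol/Library" "$vol/System/Library" \
        -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true

    echo "== dot-directories (.ssh and .Trash are normal; '...' or '.BitchX' are not)"
    find "$vol/Users" "$vol/private/tmp" "$vol/private/var/tmp" "$vol/usr" "$vol/Library" \
        -type d -name '.*' 2>/dev/null || true

    echo "== files modified in the last $days days under system and startup paths"
    find "$vol/bin" "$vol/sbin" "$vol/usr" "$vol/private/etc" \
         "$vol/Library/StartupItems" "$vol/System/Library/StartupItems" \
        -type f -mtime -"$days" 2>/dev/null || true

    echo "== persistence: StartupItems, cron, hostconfig, hosts"
    for d in "$vol/Library/StartupItems" "$vol/System/Library/StartupItems"; do
        [ -d "$d" ] && ls -la "$d"
    done
    for f in "$vol/private/etc/crontab" "$vol/private/var/cron/tabs"/* \
             "$vol/private/etc/hostconfig" "$vol/private/etc/hosts"; do
        [ -f "$f" ] && { echo "-- $f"; cat "$f"; }
    done

    echo "== ssh keys: any key you did not add survives a password reset"
    find "$vol/Users" "$vol/private/var/root" -type f -name authorized_keys \
        -exec sh -c 'echo "-- $1"; cat "$1"' _ {} \; 2>/dev/null || true
    return 0
}

# Usage from the known-good system, after mounting the suspect disk read-only:
#   triage_volume /Volumes/Suspect 30 > ~/Desktop/triage.txt
if [ -n "${1:-}" ]; then
    triage_volume "$@"
fi
```

    Read the report side by side with the same listing from a freshly installed machine of the same version; anything that only appears on the suspect side is what a reinstall has to leave behind.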
  5. Things to consider, HOW-TO by goombah99 · Score: 5, Informative

    After getting access as described, here is how I deal with my machines:

    0) First rename the /Users/Shared folder and move it into your user folder.

    1) Do a full install of the system using the Archive and Install mode. This gives you a blank system with the default apps, but with all your old system stored in a folder.

    2) Re-create all your users if any are missing and copy back their files, and move back the /Users/Shared folder you renamed in step 1. (This is needed because the Shared folder is not quite handled right by Archive and Install.)

    3) Drag and drop the contents of the old Applications folder onto the new Applications folder. When it asks you if you want to overwrite, choose NO. This will give you clean copies of the Apple apps and give you your other old apps back.

    Do the same with the Utilities folder.

    4) Now very selectively do the same with the /Library folder. There are very few apps that actually need anything stored in the Library folder, and most of these are in the Application Support and Preferences subdirectories. Nearly all prefs can be wiped. As a pre-screen you can search for anything in this folder that is an executable or a .app using "find". These are highly suspect, but not necessarily evil.

    5) Copy back any other root-level folders that you personally created previously, such as /sw for Fink.

    6) Go back and double-check that all those applications and utilities that were not Apple apps and utilities are okay. This is not simple, but at least check some creation dates.

    That should pretty much do it. What you will miss are any boot-time services, hosts files, TCP permissions, cron jobs or firewall settings you hand-tweaked or installed, as those config files are now wiped. It's possible your keychain will get corrupted, but not necessarily. And if you created any new users in this process and their explicit UID and GID numbers are important, you can edit these using the NetInfo utility. Normal installations of packages and applications on Apples do not tinker with /bin, /etc or /usr. Some non-Apple-friendly Unix packages do, but you would probably know this. If you only used Fink or only installed in the user's space, then you are fine. If you installed into places like /usr or /opt, then you are on your own.

    --
    Some drink at the fountain of knowledge. Others just gargle.
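    Steps 3 and 4 of the procedure above, as an added example for this thread rather than goombah99's own code: one function merges an archived folder into the fresh one without ever overwriting what the new install put there (the Finder's "don't replace" answer, applied to every entry and to whole .app bundles at once), and a second lists what in the old /Library is executable or an application bundle so it can be reviewed by hand. The "/Previous Systems/Previous System 1" location is assumed to be where Archive and Install left the old system; check the actual folder name on the volume.

```sh
#!/bin/sh
# Added example: selective restore after an Archive and Install. OLD is the
# archived system (assumed path, check your volume), NEW is the fresh root.
# Nothing already present in NEW is overwritten, so Apple's clean binaries
# win and only things that existed solely in the old tree come back.

# merge_no_overwrite SRC DST: copy each top-level entry of SRC into DST unless
# DST already has an entry of that name. .app bundles are directories, so a
# bundle is copied as a unit or not at all; a trojaned copy can't half-merge.
merge_no_overwrite() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for item in "$src"/* "$src"/.[!.]*; do
        [ -e "$item" ] || continue          # unmatched glob
        name=${item##*/}
        if [ -e "$dst/$name" ]; then
            echo "keep    $dst/$name"       # clean copy from the new install wins
        else
            cp -Rp "$item" "$dst/"
            echo "restore $dst/$name"       # only existed in the old system
        fi
    done
}

# suspect_in_library LIB: the pre-screen from step 4. Prints every .app bundle
# (as a unit, without descending into it) and every file with the owner
# execute bit under LIB. Preferences and Application Support data are plain
# files without the execute bit and are not listed.
suspect_in_library() {
    lib=$1
    [ -d "$lib" ] || return 0
    find "$lib" \( -name '*.app' -prune -print \) -o \( -type f -perm -100 -print \) 2>/dev/null
}

# Usage on the rebuilt machine (run as an admin; paths are assumptions):
#   OLD="/Previous Systems/Previous System 1"
#   merge_no_overwrite "$OLD/Applications"           /Applications
#   merge_no_overwrite "$OLD/Applications/Utilities" /Applications/Utilities
#   suspect_in_library "$OLD/Library" > ~/Desktop/library-review.txt
```

    Anything suspect_in_library prints is copied back by hand, one item at a time, only after you recognise it; a StartupItem or a Library-resident executable you cannot account for is exactly the "annoying little thing" the original question was about.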
  6. make new admin account by tetsuotheironman · Score: 5, Interesting

    Probably the easiest way (no CD required) is to boot into single-user mode (holding Apple+S during boot).
    You will be dropped into a command prompt.

    Mount disks
    mount /

    then remove this file
    rm /var/db/.AppleSetupDone

    note the '.' as it's a hidden file..
    then just reboot
    (reboot)
    and you will be walked through the first-time Setup and Config dialogs just like it was a new machine.
    This will allow you to create a new admin account and change the other users' passwords. (make sure not to create a user with the same shortname as another user)

    note this is a good way to 0wn any Mac you can get physical access to..

  7. Prepare before and be a bit paranoid by claudebbg · Score: 5, Interesting
    Well, most people say you should "reinstall", and that's right. But you can be prepared. For my own system, I:
    • separate data, user accounts and my non-Apple applications from the system with 2 different partitions
    • cleanly install the system and updates (stored on a separate drive) with no internet connection
    • set up a temporary admin account during the install
    • run a script (niutil, cp...) to recreate my environment (in the end it's not that hard; just remember that users and groups are in NetInfo and shadow passwords are stored in /var/db/shadow/hash with the GeneratedUIDs of the users) and drop the temporary account
    • launch a complete replication of the system disk on an external (Emergency) drive (I currently use Mr. Bombich's Carbon Copy Cloner, but there are other solutions), which is useful to redo the first steps really fast (I mean 20 minutes from a drive, 30 minutes from my iPod, which is becoming my "Emergency" drive). You can use the "rm local.nidb" trick to cleanly recreate the admin account
    • go live.
    This takes 2-4 hours with install from CDs, 1h from emergency drive.

    By the way, I also like to
    • avoid the uid 501 admin
    • replace the standard firewall (ipfw configured with the ruleset from the SysPrefs) with a ruleset of my own (using the fantastic stateful feature, stealthing if necessary, explicitly closing ports I don't use to and from the computer, preventing apps like MS Office or StuffIt from calling home), launched as a StartupItem
    • check the basic security with nmap from the outside
    • set up Open Firmware Password and FileVault (sorry guys, physical access is not enough)
    • check passwords are solid, currently with lcrack on shadow passwords
    • make automatic backups of vital data (thanks, rsync) on an external drive (and in my case my laptop, which is then "in sync")
    Of course, the second part is purely paranoid (except backups) as I'm not at all an interesting target (except if you want to read my code, discover my preferred films;-) but as I also do that for small companies I like (and occasionally work for), I feel a little bit more responsible and try it on my personal computer before deploying it for others.

    I also do that to learn a bit more about what can be done, as I'm not a sysadmin at all and don't pretend at all to be as pro as most of them.
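    The custom ipfw ruleset claudebbg describes, written out as an added example for this thread (not the poster's actual configuration). It uses the file form that "ipfw -q <file>" reads, one command per line without the "ipfw" prefix, and shows the three points the comment makes: the stateful idiom (check-state, then keep-state on our own outbound connections so only their replies come back in), a block on a "call home" destination placed before the general outbound allow, and an explicit final deny. That last rule matters on OS X because the kernel's built-in rule 65535 is "allow", so anything not matched by the System Preferences ruleset is let through. The LAN range, SSH as the only service, the call-home address (an RFC 5737 documentation address used as a placeholder) and the StartupItem layout are assumptions.

```sh
#!/bin/sh
# Added example: a stateful ipfw ruleset in "ipfw -q <file>" format.
# Not the poster's own rules. Assumptions: LAN range, SSH only, and
# CALLHOME_HOST as a placeholder (RFC 5737 documentation address).

LAN=${LAN:-192.168.1.0/24}
CALLHOME_HOST=${CALLHOME_HOST:-192.0.2.10}

# 00100-00120  loopback allowed; 127/8 seen on a real interface is spoofed: log and drop
# 00200        check-state: packets matching a dynamic (keep-state) rule are accepted here
# 00300        the call-home block; it must precede 00400 or the general allow matches first
# 00400-00410  our own outbound TCP (SYN only, "setup") and UDP create dynamic rules
#              for the replies, so DNS answers and web pages get back in
# 00500        inbound SSH from the LAN only, also stateful
# 00600        ICMP we need to hear: echo reply, unreachable, TTL exceeded. No echo
#              request, so the machine does not answer pings ("stealth")
# 65000        everything else: deny (silent drop, not a reset) and log
ipfw_rules() {
cat <<EOF
add 00100 allow ip from any to any via lo0
add 00110 deny log ip from any to 127.0.0.0/8
add 00120 deny log ip from 127.0.0.0/8 to any
add 00200 check-state
add 00300 deny log tcp from me to $CALLHOME_HOST 80,443 out
add 00400 allow tcp from me to any out setup keep-state
add 00410 allow udp from me to any out keep-state
add 00500 allow tcp from $LAN to me 22 in setup keep-state
add 00600 allow icmp from any to any icmptypes 0,3,11
add 65000 deny log ip from any to any
EOF
}

# Load the ruleset (root required). "deny log" only produces output when
# net.inet.ip.fw.verbose is on.
apply_rules() {
    f=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    ipfw_rules > "$f"
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
    ipfw -q flush && ipfw -q "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# StartupItem glue (assumed layout /Library/StartupItems/Firewall/Firewall plus
# a StartupParameters.plist whose Requires lists "Network"):
#   . /etc/rc.common
#   StartService()   { apply_rules; }
#   StopService()    { ipfw -q flush; }
#   RestartService() { apply_rules; }
#   RunService "$1"
case "${1:-}" in
    start) apply_rules ;;
    show)  ipfw_rules ;;
esac
```

    After loading, the "check the basic security with nmap from the outside" step in the list above is the verification: a SYN scan from another host should show every port filtered rather than closed, and 22 should be open only from the LAN range.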