Symptoms of Mac OS X Hack?
goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, backup the system, reinstall, secure it and be back up in a couple hours. However, with OSX what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where to look beyond the usual '.BitchX' and '...' directories. How do I easily tell what other annoying little things have been installed?"
When did it happen? (Score:5, Informative)
Re:When did it happen? (Score:5, Insightful)
Re:When did it happen? (Score:2)
Did you keep a backup? You could compare the backup against the current system state to see what's been added or changed. A hacker can't modify con
Re:When did it happen? (Score:3, Insightful)
Right, because only the pros know about touch(1)
Re:When did it happen? (Score:2)
Put in the installer CD (Score:5, Informative)
After that it's just a matter of recreating accounts and adjusting permissions. You can do that pretty easily in the Finder by getting info on a folder and changing permissions for all the contents of that folder and its sub-folders in one click.
Things to consider, HOW-TO (Score:5, Informative)
0) first rename the
1) do a full install of the system using the archive and install mode. This gives you a blank system with the default apps, but with all your old system stored in a folder.
2) re-create all your users if any are missing and copy back their files. and move back the
3) drag and drop the contents of the old-applications folder on the new applications folder. When it asks you if you want to overwrite, check NO. This will give you clean copies of the apple apps and give you your old other apps back.
do the same with the Utilities folder.
4) now very selectively do the same with the
5) copy back any other root level folders that you personally created previously such as
6) go back and double check that all those applications and utilities that were not apple apps and utilities are okay. This is not simple but at least check some creation dates.
that should pretty much do it. What you will miss are any boot time services, host files, tcp permissions, cron jobs or firewall settings you hand tweaked or installed, as those config files are now wiped. It's possible your keychain will get corrupted but not necessarily. And if you created any new users in this process and their explicit UID and GROUPID numbers are important, you can edit these using the netinfo utility. Normal installations of packages and applications on apples do not tinker with
Re:Things to consider, HOW-TO (Score:5, Informative)
I would strongly recommend that anyone that thinks they have been rooted/hacked/owned (call it what you will) should boot from something safe, think Gentoo or other non OS X source.
Copy the entire drive off onto another drive and only mount it read-only from that point on.
Now wipe the original drive and reinstall everything from scratch. Including downloading anything that you don't have a CD for.
After you get back up and running and if you want to know how they got in or if you care about anything on the old install, mount that drive read only and start poking around. There are many good resources online for post mortem analysis.
At the very minimum you should want to know when it happened so that you know how far back your backups are potentially unsafe. You do have backups, right?
If you honestly believe that checking creation dates on files is enough, you will get burned. Take the following example. When you look at the dates on SafeApp the app appears to be safe, is it?
Disclaimer: I'm not on an OS X box at the moment so I can't verify that its version of touch supports -r, but even if it doesn't, once they're on your machine they can bring in one that does.
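A defender's check for the timestamp trick the post describes, added here as an example and not part of the original comment: `touch -r` and utime(2) can copy atime and mtime from another file, but the kernel sets ctime itself whenever the inode is written and offers no call to set it back, so a file whose ctime is well after its mtime has had its inode touched after the content supposedly last changed. The function name `suspicious_timestamps`, the `slack` window and the sample tree are assumptions.

```python
"""Flag files whose timestamps look back-dated.

touch -r / utime(2) can set atime and mtime to any value, but the kernel
updates ctime (inode change time) itself whenever the inode is written and
offers no call to set it back. A file whose ctime is well after its mtime
has therefore had its inode touched after the content supposedly last
changed: a chmod, a rename, an installer copy... or a back-dated timestamp.
Added example for this thread; not code from the original post.
"""
import os
import stat
import time


def suspicious_timestamps(root, slack=3600):
    """Walk `root` and return (path, mtime, ctime) for regular files whose
    ctime is more than `slack` seconds later than their mtime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks on a suspect tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > slack:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def format_report(hits):
    """One line per hit, timestamps in UTC so reports from different
    machines line up."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return "\n".join(
        "%s  mtime=%s  ctime=%s"
        % (path, time.strftime(fmt, time.gmtime(m)), time.strftime(fmt, time.gmtime(c)))
        for path, m, c in sorted(hits)
    )


if __name__ == "__main__":
    import sys

    # Run against a read-only mount of the suspect volume, never the live system.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(format_report(suspicious_timestamps(root)))
```

chmod, chown, rename and installer copies also leave ctime later than mtime, so hits are leads to check against receipts and backups, not verdicts. As the thread says, a root-level intruder can defeat timestamp evidence entirely, so this only raises the bar.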
Re:Things to consider, HOW-TO (Score:5, Informative)
Re:Things to consider, HOW-TO (Score:2)
Granted, there is still the possibility a non-Apple application or Library was trojaned.
Re:Things to consider, HOW-TO (Score:2)
Re:Put in the installer CD (Score:4, Insightful)
call apple customer support (Score:1, Troll)
Dust off your SLA and call Apple.
Don't have a SLA? Dang, you're FUBARed.
Let's hear more details about your break-in (Score:5, Informative)
Until today I still have to figure out how to create accounts without using the GUI.
Re:Let's hear more details about your break-in (Score:5, Informative)
Why don't you use niutil? That's the tool for the job. I've changed groups and users, and created the same with it before, without any problems.
Re:Let's hear more details about your break-in (Score:1)
Re:Let's hear more details about your break-in (Score:5, Informative)
http://www.macosxhints.com/article.php?story=2003
http://cocoa.mamasam.com/MACOSXDEV/2002/12/1/5161
But I always use the GUI. I'm less likely to break things that way.
Re:Let's hear more details about your break-in (Score:2)
-Sean
Re:Let's hear more details about your break-in (Score:2)
for adding smb users
Re:Let's hear more details about your break-in (Score:1)
It's UNIX, do what you usually do in Linux (Score:3, Insightful)
Re:It's UNIX, do what you usually do in Linux (Score:1, Troll)
There's an rpm -Va command for OSX?
Changing your root password back isn't going to help if a backdoor has been installed. You need a way to verify that none of your files have been modified. Under redhat, rpm -Va will verify the md5sum, permissions, timestamp of all your installed packages.
For the extra paranoid, put your
Hmm.. (Score:5, Informative)
(1) Isolate it from the network. Unplug ethernet, turn off any wireless access points (if Airport was set up on it).
(2) Boot off a known good media. This means the OSX recovery CD (or DVD with newer models). I've never done it, but presumably you should be able to mount your Mac's hard drive, get to a terminal window and be able to poke around and repair the damage as with any other system.
(3) If you don't want to repair (which can be risky if you don't know what's infected), copy off all files & data that you want to keep (avoid copying anything that's executable because that could be infected / trojaned) - then manually erase as much of everything that you can, ideally wiping the hard drive and low-level formatting it. Then boot off the recovery media / OS X install disks - and do a full re-image of the machine.. disable remote access, turn on the firewall in system settings -> sharing -> firewall, patch the OS.. reinstall all applications then restore the data that you backed up. And this time use strong passwords.
Step 3 really is the only way to be sure that the system is no longer infected.
Re:Hmm.. (Score:2)
Re:Hmm.. (Score:2, Informative)
Another available option is to use Firewire Target Disk mode (Command-T at startup) to mount the drive on another Mac.
System intrusion options (Score:5, Informative)
Also, if you'd like to look around, you can boot into single user mode using command-s when booting. once you see the command prompt, just go nuts.
Another option is to boot off of another drive with the OS on it. Target disk mode is very handy for this. you can do it with 2 desktops, or one laptop and one desktop. An external drive is possible. Also, you can find ways to make a bootable OS X CD [bombich.com] to work from w/o working from the original drive if you can get to another Mac to build the CD on.
What was installed (Score:4, Informative)
Re:What was installed (Score:2)
Can this password reset be performed only with the disk you installed the machine with, or with any disk for the same os version?
Re:What was installed (Score:1)
Re:What was installed (Score:3, Informative)
Re:What was installed (Score:2, Interesting)
Re:What was installed (Score:2, Insightful)
Yes, you can. Just the same as you can compromise a Linux or Windows machine by booting off an OS disk. If you disable booting off media, someone's only going to take the machine apart and re-enable it. If someone physically has the machine they can do anything they want to it - including disassembling it - so such an intrusion is impossible to stop.
However, on OSX you can encrypt your user d
Re:What was installed (Score:5, Informative)
assuming you know what you're doing, then yes, physical access and a little time is all you need. that goes for pretty much any machine. one reason for server rooms and cages in hosting facilities.
Re:What was installed (Score:3, Interesting)
Re:What was installed (Score:2)
If that's not secure enough, it's sharks-n-lasers time.
Re:What was installed (Score:5, Informative)
A compromised machine must be rebuilt. Period.
Re:What was installed (Score:2)
Re:What was installed (Score:5, Informative)
Nice try, but it probably wouldn't help in this instance.
D
Re:What was installed (Score:5, Funny)
I always thought that an OSX rootkit would use a nice pretty GUI installer and register itself with Software Update so you can download the latest 0wnz3r patches.
Re:What was installed (Score:2)
Assuming you roughly know when it happened, what will be much more helpful is doing a find by date modified/created. In the Finder, do a good old Find with command-f, but change the search criteria to just Date Created, then d
Re:What was installed (Score:2)
Re:What was installed (Score:2)
The problem with this is that OS X has many hidden folders, into which the Finder does not look. These folders include UNIX standards such as bin, sbin, usr and private. Better to use 'find' via the Terminal. 'man find' in a Terminal window for further info.
(tig)
Re:What was installed (Score:2)
Re:What was installed (Score:2, Funny)
Never heard that theory before. I find no receipts in /Library/Receipts for MS Office X, MS Office 2004 Demo, Adobe Photoshop, InDesign, Illustrator, Acrobat, Lotus Notes or AppleWorks, just to name a few recent installations.
I do find SallingClick
Gentoo for PPC (Score:3, Informative)
Re:Gentoo for PPC (Score:4, Informative)
You mean this. [tu-bs.de]
Re:Gentoo for PPC (Score:2)
Re:Gentoo for PPC (Score:2)
reinstall everything from scratch. (Score:5, Insightful)
you can't trust timestamps (as some have suggested), you certainly can't trust any receipt/installation logs of macosx itself either, you can't trust binaries, you can't trust ANYTHING (except dummy data files with no data that ever gets executed, through other exploits or whatever).
and REALLY, how do you _really_ figure out what binaries were compromised on a linux system you could rescue with knoppix? all you can do is to hope that they didn't install anything except bitchx with some scripts to zombie you..
Re:reinstall everything from scratch. (Score:2)
You really though don't want to be messing around on a compromised system. Like many others have suggested, you'll want to boot off a CD and go from there. Single user mode is unacceptable, since
Re:reinstall everything from scratch. (Score:5, Informative)
You could compare md5sums of all the executables with the ones on the installation media. RPM has an option to do that.
Re:reinstall everything from scratch. (Score:3, Informative)
Every time the prebindings of a dynamically linked executable are updated, that file is changed. So, probably not a single one of the executables on the system will match those on the install media.
Re:reinstall everything from scratch. (Score:5, Informative)
and REALLY, how do you _really_ figure out what binaries were compromised on a linux system you could rescue with knoppix?
As I said above:
rpm -Va
put
Re:reinstall everything from scratch. (Score:2)
rpm itself can be compromised too, so there is no guarantee whatsoever what it can show and what in reality exists.
No, because you'll be using the rpm binary from the knoppix CD.
Re:reinstall everything from scratch. (Score:2)
My take on it is this, some people hack for fun, some people reinstall. This guy is the latter.
Ya' know, come to think of it, he might save some time by just running windows ME.
Re:reinstall everything from scratch. (Score:2)
but for achieving that there should be no problems at all, no need for a slashdot article. Just change the password back to something and copy the stuff out from it in an isolated network unless they can't just drop the hd somewhere else(where no code gets executed from it automatically, of course).
A web site (Score:2, Informative)
Other than that, starting off the install CD and resetting the password, as others mentioned before.
Re:A web site (Score:2)
Re:A web site (Score:1)
Same procedure (Score:5, Informative)
To boot to a shell using the install cd you have to go into open firmware and set OF to pass the -s option to the mach kernel. The darwin CD will give you the option to jump to a shell right off the bat.
Insert the Install CD (Score:3, Informative)
Check the logs too (Score:2)
Victim of Its Own Success. (Score:1, Insightful)
But, this has already been predicted.
Re:Victim of Its Own Success. (Score:2)
Re:Victim of Its Own Success. (Score:2)
I think, I think I am, therefore I am, I think. [lyricsfreak.com]
make new admin account (Score:5, Interesting)
you will be dropped into a command prompt.
Mount disks
mount
then remove this file
rm
note the '.' as it's a hidden file..
then just reboot
(reboot)
and you will be walked through the first time Setup and Config dialogs just like it was a new machine.
This will allow you to create a new admin account and change the other users' passwords. (make sure not to create a user with the same shortname as another user)
note this is a good way to 0wn any Mac you can get physical access to..
Mod UP!! Re:make new admin account (Score:2)
Re:make new admin account (Score:1)
normally use it to reset a machine to out of box state after installing software for customer..
in addition to above info all you need to do is
rm -rf
nicl -raw
Re:make new admin account (Score:5, Funny)
<key>AppleSpam</key>
<string>NO</string>
At least they're honest.
Try SystemRescueCD (Score:1)
They have a PPC edition.
Some things to audit (Score:4, Informative)
You'd want to check these directories for anything you don't recognize or that doesn't seem like it belongs,
- same goes for
Now keep in mind that existing items can be modified, not just added. It's good to familiarize yourself with a base install. For anything that you don't recognize, check your Receipts directories to see if they were installed with some credibility.
You'd also want to check
You'd also like to examine dot-files and stuff. To make it short, there are a lot of places that shit can go in, but script kiddies aren't that smart and actions may be obvious.
Keep in mind that
To check your system without using it, you can always boot off of a OS 9 volume if your system supports that (it can fit on a CompactFlash card... with my old PowerBook I can at least boot from the PCMCIA slot). I also have 10.1 on another volume that's good for prodding my Panther system with.
NetInfo is a bit of a pickle to familiarize yourself with. Or at least, I haven't familiarized myself with most of the stuff in there yet.
Anyway, none of this is a guaranteed way to find or fix problems, but it can reveal what's happened. If your system's been compromised, your only recourse is to wipe it out. Don't even use your old User accounts, as dotfiles and ~/Library may have compromised stuff. Keep it around with unknown:unknown ownership (and not in
No help now.. but maybe in the future... (Score:3, Interesting)
This doesn't help you much at the moment, but maybe sometime down the track, this may help you diagnose what was changed on your system.. (Subject, of course, to your logs being pushed off the compromised system as soon as they're generated, and maybe the attacker not noticing the auditing capability).
Red.
Re:No help now.. but maybe in the future... (Score:2)
Solaris BSM auditing
Can you elaborate on what this would mean to OS X users?
Firewire target mode... (Score:3, Informative)
If you think you were hacked, then assume you were hacked. Boot up the machine in Firewire target mode, mount the drive on another mac, and copy over your Users folder.
Re-boot your machine and install from scratch and then re-install your applications. You can then copy the Users folder back over and create your users. OS X should set the permissions correctly on the folders in Users if you use the same usernames (IIRC). It's the only way to be sure...
Target disk mode + disk image (Score:5, Informative)
At this point, you should recover all of your user data to an outside volume, either on the known good Mac or on a CD-R or network volume. If you want to do forensics on the compromised Mac, create a disk image from the compromised Mac's hard drive (warning - this may take up a lot of space). This will preserve everything from that machine in a way that can easily be mounted and studied. Put the compromised Mac away as evidence and do your examination from the disk image.
Log files are your friends. However, a good rootkit will include ways of deleting telltale info from log files. Another problem is that the prebinding process will alter binaries in different ways depending on the machine and the amount of RAM. The right way to do a comparison between the compromised machine and a known good machine is to use an identical machine (same model, same amount of RAM) and bring the system up to the same set of updates. Then you can use to create CRC32 checksums of the
To get the compromised Mac up and running again, you can't count on fixing everything in place. It's too easy to miss something that's been trojaned. You need to do an erase and install on the compromised Mac, re-install all of your applications, re-create the user accounts, then copy back the data that you backed up earlier. Be careful if some users have installed apps inside their home dirs that you re-install those fresh, as they may have been attacked as well. Also be sure to run a virus scanner on user files before restoring them to catch things like Word macro viruses.
Be careful of the users' login keychains, as the data in those may not be recoverable if the passwords were changed by someone who logged in as the users themselves. If the passwords were changed via an outside reset mechanism, such as an admin user or an install CD, then the old keychain passwords should still work.
Joel Rennich has a good account [afp548.com] of studying a compromised Mac OS X machine a while back on his website, afp548.com [afp548.com]. It's based on a little bit older version of the OS, but still good advice.
--Paul
FireWire Disk Mode (Score:2)
Prepare before and be a bit paranoid (Score:5, Interesting)
By the way, I also like to
I also do that to learn a bit more about what can be done, as I'm not a sysadmin at all and don't pretend at all to be as pro as most of them.
Re:Prepare before and be a bit paranoid (Score:1)
Moral of the story is, there is always a way to get into a machine if you have physical access..
(although FileVault is a ver
One problem (Score:1)
Re:One problem (Score:2)
Sure I do. When my brother-in-law and my nephew come round for a session of Warcraft or Age of Mythology I have accounts set up for them to play with. That way I minimise the danger of either them or the games messing up my account.
I also have non-people user accounts set up on my machine: for example MySQL has its own account.
Firewire Target Disk Mode (Score:2, Informative)
I realize you may only have one Mac to work with, but if you have two, you may want to try out Firewire target disk mode [macosxhints.com]. It allows you to connect one Mac to another and use the first as an external disk. This is much more flexible than booting from the install CD.
Has anyone tried connecting a Mac in target disk mode to a PC with a Firewire card? Was the PC able to mount the Mac as an external disk? If you don't have another Mac, that may also work assuming the PC knows what to do with HFS filesystem.
Been there... (Score:2, Informative)
OS X is relatively easy to "r00t", by various means. Until recently, nidump passwd was a SERIOUS problem - weak passwords could be broken within <48 hours with john on a fast machine. OS X also provides quite a few ways to patch your own code into a machine once you've rooted it, too -
Tripwire-like functionality (Score:2)
Use the System Profiler to start (Score:2)
Do a search on created and modified dates including hidden files. This should show you any new stuff. Filter on known extensions..
Two possible solutions. (Score:3, Informative)
Download BootCD [charlessoft.com] which is an app to create a BootCD from a current working installation. This will give you at least a working Finder and BSD subsystem with which you can hack around with.
2)
If that isn't easy enough, the following will blow your boots off:
* The T key forces the PowerBook (FireWire) (and reportedly the Power Mac G4 (AGP Graphics), though I was unable to verify that on my machine) to start up in FireWire Target Disk Mode, which is essentially the modern equivalent of SCSI Disk Mode and enables a PowerBook (FireWire) to act as a FireWire-accessible hard disk for another Macintosh.
Too many options!
Re:Two possible solutions. (Score:2)
Go HERE: [jacsoft.co.nz]
http://www.jacsoft.co.nz/Mac_Keys.htm
For more reading on Open Firmware.
(One cool thing about Apple firmware: You can start a telnet server from within firmware! Wow!)
A summary of some steps to follow (Score:3, Informative)
The first thing is to connect another system to the same hub or switch so that you can capture packets from the compromised system. This will enable us to run a packet analyzer such as Ethereal to determine what network traffic is leaving the system. We need to do this in case of a program that is "phoning home" and, when you take it off the network and subsequently it can't phone home, it deletes itself or performs some other nefarious task.
When you are confident that no unusual network traffic is leaving the system, we want to run a few commands that will not compromise the integrity of the system. Ideally, do not modify any file access times either. What we are looking for are active processes, open files and if possible the contents of memory and the swap file. The output of these commands should be sent to a trusted remote system, and the binaries themselves should come from a trusted source, i.e. not the system you are working from. Make a CD with all of the commands that you intend to use (mount, lsof, top, ps, ssh for example). Before you run any commands on the system it is important that you have a game plan in place. Due to the nature of operating systems, anything that you do at this stage can damage evidence that you may later need. But the list of open files can be critical in determining the extent of disruption to the system.
After you have all the information that you can gather from the booted system, the next step is to image the drive, either via a drive duplicator (which you probably don't have) or using Disk Utility and imaging the drive. Boot the system into target disk mode by holding the 'T' key at boot. You will know the system is in target disk mode when there is a blue screen with a yellow FireWire icon. After it is in target disk mode, connect it to another trusted Mac, launch Disk Utility and image the drive (IMPORTANT: not the logical volume; the drive will have numbers in front of it). You want to make a READ ONLY disk image of the drive. It is important that for the remainder of the investigation you only work from the image of the drive.
When the drive has been imaged open the image on a known good system and inspect the log files. Ideally you will have other logs than the one on your system to examine. For example firewall logs of network connections to the compromised system. Look for file modification times that don't appear to be accurate
I apologize for the lack of detail in this post, I had to generalize many concepts into one brief memo. If time avails itself I will follow up with a more detailed post later. Good luck. And if you have any questions just ask.
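The volatile-data step of the procedure above (trusted binaries only, output shipped off the box, nothing written to the suspect disk) as a script, added here as an example and not the poster's own tooling. The mount point `/Volumes/IRTools/bin` for the trusted media, the function names and the command list are assumptions; the remote collector is assumed to accept a tar stream on stdin over ssh.

```shell
#!/bin/sh
# Volatile-state triage in the order the post describes: run a fixed set of
# commands from trusted media only, record each command's output and exit
# status, write nothing to the suspect volume, then ship the bundle to a
# trusted remote host over ssh. Added example for this thread, not the
# poster's own script. /Volumes/IRTools/bin is a hypothetical mount point;
# the trusted media must carry date, mkdir and every tool listed below.

# "label|command line" per entry; labels become file names in the bundle.
VOLATILE_CMDS='
date|date -u
uname|uname -a
mount|mount
processes|ps aux
open_files|lsof -n -P
network|netstat -an
logged_in|w
'

# run_recorded OUT_DIR LABEL CMD...: run CMD with stdout+stderr captured and
# log the UTC time and exit code. If the binary is not on the trusted media,
# log SKIPPED rather than falling back to the suspect system's own copy.
run_recorded() {
    out_dir=$1; label=$2; shift 2
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        rc=0
        "$@" >"$out_dir/$label.txt" 2>&1 || rc=$?
        printf '%s %s rc=%s\n' "$stamp" "$label" "$rc" >>"$out_dir/collection.log"
    else
        printf '%s %s SKIPPED: %s not on trusted media\n' "$stamp" "$label" "$1" \
            >>"$out_dir/collection.log"
    fi
}

# collect_volatile OUT_DIR [TRUSTED_PATH]: OUT_DIR must be on external or
# trusted media, never the suspect disk. TRUSTED_PATH is a PATH-style list of
# directories holding known-good binaries and REPLACES $PATH for the run.
collect_volatile() {
    out_dir=$1; trusted=${2:-/Volumes/IRTools/bin}
    saved_path=$PATH
    PATH=$trusted
    mkdir -p "$out_dir"
    : >"$out_dir/collection.log"
    printf '%s\n' "$VOLATILE_CMDS" | while IFS='|' read -r label cmd; do
        [ -n "$label" ] || continue
        # word-splitting of $cmd into command and arguments is intended
        run_recorded "$out_dir" "$label" $cmd
    done
    PATH=$saved_path
}

# ship_to_remote OUT_DIR USER@HOST: stream the bundle to the trusted collector
# as a tar archive so nothing further is written locally.
ship_to_remote() {
    out_dir=$1; remote=$2
    tar -C "$out_dir" -cf - . | ssh "$remote" "cat > volatile-$(date -u +%Y%m%dT%H%M%SZ).tar"
}
```

Run `collect_volatile /Volumes/IRTools/out` and then `ship_to_remote /Volumes/IRTools/out analyst@collector` before powering the machine down for imaging.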
Re:My girlfriend got Mac OS X spyware, somehow. (Score:3, Informative)
Re:My girlfriend got Mac OS X spyware, somehow. (Score:3, Interesting)
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2, Funny)
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
In any case, you can always compare the files you have with files you should have. This involves having a backup of files, and doing the compare with a known good media (such as a recovery CD).
I have absolutely no idea about Mac OS X, but at least on other Unix platforms you can cheat if you don't want a full backup
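The comparison against known-good files that this post and the earlier md5sum/prebinding exchange both describe, added here as an example and not code from either poster: a manifest of SHA-256 hashes is built from the backup or install media, the suspect tree is compared against it, and each changed file is labelled Mach-O or data, since on Mac OS X of that era the prebinding pass rewrites Mach-O executables in place and can explain a mismatch there but not in a config file, script or plist. The manifest line format (`<sha256>  <relative path>`, like shasum output), the function names and the sample tree are assumptions.

```python
"""Compare a tree against a known-good manifest (backup or install media).

Hashes answer "did this file change?", not why. Prebinding rewrites Mach-O
executables, so a mismatch on a Mach-O file may be benign; a mismatch on a
plain data file has no such excuse. Added example for this thread; not code
from either post. Manifest format is assumed: "<sha256>  <relative path>".
"""
import hashlib
import os

# Mach-O magic numbers as stored on disk: 32- and 64-bit headers in both byte
# orders, plus the fat (universal) header.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_macho(path):
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def build_manifest(root):
    """{relative path: sha256} for every regular file under root. Symlinks are
    skipped, so a file replaced by a link shows up as removed."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def dump_manifest(manifest):
    return "".join("%s  %s\n" % (h, p) for p, h in sorted(manifest.items()))


def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def compare(baseline, current_root):
    """Files added, removed and modified relative to the baseline. Modified
    entries carry "mach-o" or "data" so the analyst can weigh prebinding as an
    explanation for the former only."""
    current = build_manifest(current_root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel] != current[rel]:
            kind = "mach-o" if is_macho(os.path.join(current_root, rel)) else "data"
            modified.append((rel, kind))
    return {"added": added, "removed": removed, "modified": modified}
```

Build the baseline from the backup or a clean install on an identical machine (as the afp548 post further up suggests) and run `compare` against a read-only mount of the suspect disk image.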
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
Re:My girlfriend got Mac OS X spyware, somehow. (Score:5, Interesting)
http://daringfireball.net/2004/05/energy_saver
The easiest way to detect bad prefs is to create a new user and test the software in a new userspace. The new user will have fresh prefs and
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
Yes, probably. The notable thing wasn't just that I couldn't change her homepage, but that it was set to some overture style search-shop-portal and I couldn't change it.
The popups, though, were what made me think she actually had some rogue process. But I've been wrong before. Whatever.
If it works in a new user and not in your old user, you have a prefs or
Wel
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
The problem you encountered is fairly common on MacOS X, plists and prefs get
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
Spyware on the mac doesn't exist in the same way that it does on PCs (and really what's being described is more adware than spyware, but whatever). There are unscrupulous programs out there, and they do transmit information about you that you might not want sent. For the quick and dirty method, try running Little Snitch sometime and keep an eye on connections. Most of the time it's just the software develop
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
So in response to your pedantic definition of spyware, let's use the more appropriate term "malware," meaning the sort of gadgets that are so well known on Windoze web browsers, stuff that infests your machine through insecure Windoze mechanisms like ActiveX, and once installed, does stupid stunts in your browser, like push po
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
Re:My girlfriend got Mac OS X spyware, somehow. (Score:2)
He's making arguments with gaping holes because he wants further response. Trolly troll troll.
Re:From prior experience with OS X (Score:2, Informative)