I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection. I have reason to think my system has been tampered with. Security features in Mac OS X have been left unlocked (Preference Pane - Users) even though a master lock has always been set in the Security Preference Pane. This locks all other important preference panes which could be tampered with. Also permissions have been reset at every boot in my working directory. I've worked on this machine for about 17 months, and I know its rhythms and what should be what. The permissions problem is persistent and new. I do not think I am being paranoid or alarmist. I have always had a NAT router, commercial firewall, and virus protection.

The only thing I can think of is a hidden *nix program from a downloaded program (shareware/freeware) (I have scanned all packages for viruses). I am almost positive it did not come via e-mail. I say almost because I have been receiving odd e-mails that are totally blank and have no information I can find. Conceivably, it could have been a hacker. If so, that person was very skillful in getting in and only left small traces of poking around.

I assume your advice will be to do a clean re-install of both system and programs. My question is how do I re-import the data from full backup (probably also containing whatever it is) without further jeopardizing my system? Any other advice, tips, or pointers to FreeBSD programs I could run on Mac would be greatly appreciated.

John Scherb
I guess I fail to see where your actual evidence for concern is? Can you specifically tell us what you have seen with reason to believe it was caused by some form of an intruder? Permission problems can occur on their own with OS X. And never forget about programs doing their own bidding after you authenticate. If there was a violation of your wanted effects, I would believe it was a program you installed personally and not an outside intruder. From your scenario, I really doubt you have been compromised, and unless you have a very important computer, I don't think you would be getting attacked to begin with on an OS like this. I haven't heard of any Mac OS X worms or anything like that.

-Mark

On Jan 6, 2005, at 11:29 PM, JohnG wrote:

> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband
> connection. I have reason to think my system has been tampered with.
> Security features in Mac OS X have been left unlocked (Preference Pane
> - Users) even though a master lock has always been set in the Security
> Preference Pane. This locks all other important preference panes which
> could be tampered with. Also permissions have been reset at every boot
> in my working directory. I've worked on this machine for about 17
> months, and I know its rhythms and what should be what. The
> permissions problem is persistent and new. I do not think I am being
> paranoid or alarmist. I have always had a NAT router, commercial
> firewall, and virus protection.
>
> The only thing I can think of is a hidden *nix program from a
> downloaded program (shareware/freeware) (I have scanned all packages
> for viruses). I am almost positive it did not come via e-mail. I say
> almost because I have been receiving odd e-mails that are totally
> blank and have no information I can find. Conceivably, it could have
> been a hacker. If so, that person was very skillful in getting in and
> only left small traces of poking around.
>
> I assume your advice will be to do a clean re-install of both system
> and programs. My question is how do I re-import the data from full
> backup (probably also containing whatever it is) without further
> jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
> programs I could run on Mac would be greatly appreciated.
>
> John Scherb
On Thu, Jan 06, 2005 at 08:29:20PM -0800, JohnG wrote:

> I've worked on this machine for about 17
> months, and I know its rhythms and what should be what.

It doesn't sound like you have a lot of evidence for a deliberate intrusion versus a system anomaly, but let's entertain the notion for a bit.

- The most likely attack vectors are not remote active attacks--you are, after all, firewalled and not running any listening services, right?--but rather a variety of passive attacks: trojans, Web-based attacks, etc. As in the case of the telnet://, disk://, help://, etc. URI handler vulnerabilities, it is possible for a malicious Website to execute arbitrary code when you visit it.

- If an attacker wanted to preserve access, he'd almost certainly install a backdoor. There are certainly ways to install a network backdoor on a machine that doesn't have remote access facilities without adding an obvious listening service, but since you're behind a firewall, it's hard to imagine this happening, especially for a relatively low-value target as your desktop PC (unless you're not telling us something about your day job--are you a narc or something? ;)

In other words, the likely scenario here is a passive attack as the initial intrusion, with a very sneaky backdoor as the follow up. It's hard to imagine this combination; why go to such trouble for a target likely to be 5% of your hits (unless you're a Mac site or something), a large chunk of which won't be vulnerable anyway? It just strikes me as improbable.

Anyway, to regain confidence, your best bet would indeed be a reinstall, but your primary concern (barring buffer overflows via specially crafted documents, etc.) should be executables. If you do an archive reinstall and replace all your third party apps, you'll replace all those without losing your documents, and you're most likely pretty safe.

Another proactive approach is to use something like Samhain, AIDE, or Tripwire--a Host-based Intrusion Detection System. They should work as well on OSX as they do on FreeBSD.

Sorry for the off topic thread, folks. But I was hoping I could be of a little bit of service.

-- 
Dan
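The host-based integrity checking Dan points to (Samhain, AIDE, Tripwire) boils down to one idea: record a trusted baseline of each file's content hash and metadata, keep it somewhere the intruder cannot rewrite, and diff the live system against it later. The script below is an added example illustrating that idea; it is not code from this thread or from any of the named tools. The attribute set (SHA-256, permission bits, uid, gid, size), the JSON baseline format and the `demo_scenario` function that stages a content edit, a permission change, an added file and a removed file in a throwaway directory are all this example's own constructions.

```python
"""Minimal file-integrity checker in the spirit of Tripwire, AIDE or Samhain.

Added example, not part of the original thread and not code from any of
those tools. It records a baseline (SHA-256 digest, permission bits, owner,
group, size) for every regular file under a directory, and later reports
which files were added, removed or changed, naming the attribute that
differs so a permissions-only change can be told apart from a content
change. The JSON on-disk format is this example's own choice.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# (sha256 hex, permission bits, uid, gid, size)
Record = Tuple[str, int, int, int, int]
FIELDS = ("sha256", "mode", "uid", "gid", "size")


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root and record, per regular file, the content hash plus the
    metadata an intruder would also have to preserve to hide a change."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root)
            baseline[rel] = (_digest(full), stat.S_IMODE(st.st_mode),
                             st.st_uid, st.st_gid, st.st_size)
    return baseline


def save_baseline(baseline: Dict[str, Record], path: str) -> None:
    # Store the baseline outside the watched tree (ideally on read-only
    # media): a baseline the intruder can rewrite proves nothing.
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List]:
    """Report added, removed and changed paths; each changed entry lists
    the attributes that differ."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": []}
    for rel in sorted(set(old) & set(new)):
        diffs = [f for f, a, b in zip(FIELDS, old[rel], new[rel]) if a != b]
        if diffs:
            report["changed"].append([rel, diffs])
    return report


def demo_scenario() -> Dict[str, List]:
    """Build a throwaway tree (constructed sample data), take a baseline,
    then tamper with it the way the thread describes (content edit,
    permission change, file added and removed) and return the report."""
    root = tempfile.mkdtemp()
    store = os.path.join(tempfile.mkdtemp(), "baseline.json")
    os.makedirs(os.path.join(root, "sub"))
    for rel, text in (("a.txt", "hello"), ("sub/b.txt", "world"), ("c.txt", "gone")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    save_baseline(build_baseline(root), store)

    with open(os.path.join(root, "a.txt"), "w") as fh:
        fh.write("HELLO")                                # same size, new content
    os.chmod(os.path.join(root, "sub/b.txt"), 0o700)     # permission change only
    os.remove(os.path.join(root, "c.txt"))
    with open(os.path.join(root, "d.txt"), "w") as fh:
        fh.write("new")

    return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo_scenario(), indent=2))
```

Run against a real system, the baseline has to be taken from a state you trust (fresh after the reinstall, before restoring anything from the old backup), and the size field alone is not a detector: the staged edit of `a.txt` keeps the size identical and is caught only by the digest.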
On Thu, 6 Jan 2005 20:29:20 -0800, JohnG <mcsjgs@cox.net> wrote:

> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
> I have reason to think my system has been tampered with. Security
> features in Mac OS X have been left unlocked (Preference Pane - Users)
> even though a master lock has always been set in the Security
> Preference Pane. This locks all other important preference panes which
> could be tampered with. Also permissions have been reset at every boot
> in my working directory. I've worked on this machine for about 17
> months, and I know its rhythms and what should be what. The permissions
> problem is persistent and new. I do not think I am being paranoid or
> alarmist. I have always had a NAT router, commercial firewall, and
> virus protection.
>
> The only thing I can think of is a hidden *nix program from a
> downloaded program (shareware/freeware) (I have scanned all packages
> for viruses). I am almost positive it did not come via e-mail. I say
> almost because I have been receiving odd e-mails that are totally blank
> and have no information I can find. Conceivably, it could have been a
> hacker. If so, that person was very skillful in getting in and only
> left small traces of poking around.
>
> I assume your advice will be to do a clean re-install of both system
> and programs. My question is how do I re-import the data from full
> backup (probably also containing whatever it is) without further
> jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
> programs I could run on Mac would be greatly appreciated.
>
> John Scherb

Try the tools lsof and netstat to examine all open files and sockets for anything suspicious. However, I too have had subtle permission problems with Mac OSX, and I too do not think there is any real reason for concern.

-- 
:wq!
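The lsof/netstat suggestion above is most useful when the two outputs are cross-checked rather than eyeballed separately: every listening socket should be on a short list of services you expect, and every listener `netstat -an` reports should be accounted for by a process in `lsof -i -nP`. The script below is an added example of that check, not code from this thread or from either tool. The two sample outputs are constructed text in the BSD/Mac OS X column layout (ports 8888 and 40123, the process names and PIDs, and the `EXPECTED` allowlist are all made up for the example); on a real machine you would feed it the live command output, run as root so lsof can see every process's descriptors.

```python
"""Cross-check listening sockets from `netstat -an` against `lsof -i -nP`.

Added example, not part of the original thread. Both outputs below are
constructed sample text in the BSD/Mac OS X column layout, not captured
from a real machine. Every listener must be on an allowlist of expected
services, and every listener netstat reports should also be visible to
lsof with an owning process; a socket lsof cannot account for deserves a
closer look (or simply means lsof was run without root).
"""
from typing import Dict, List, Set, Tuple

NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      64.233.161.99.80       ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.40123                *.*                    LISTEN
tcp4       0      0  *.8888                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""

LSOF_SAMPLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd        123 root    3u  IPv4 0x0001      0t0  TCP *:22 (LISTEN)
cupsd       456 root    5u  IPv4 0x0002      0t0  TCP 127.0.0.1:631 (LISTEN)
mDNSRespo   789 root    7u  IPv4 0x0003      0t0  UDP *:5353
helperd     999 john    4u  IPv4 0x0004      0t0  TCP *:40123 (LISTEN)
"""

# Constructed allowlist: the services this example assumes are expected.
EXPECTED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 631), ("udp", 5353)}

Listener = Tuple[str, int, str]  # (proto, port, local address)


def parse_netstat_listeners(text: str) -> List[Listener]:
    """Return TCP sockets in LISTEN state plus every bound UDP socket.
    BSD/Mac OS X netstat writes the port after the last dot of the local
    address ("*.22", "127.0.0.1.631"), so split on the last dot."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                      # banner and column-header lines
        proto = fields[0].rstrip("46")    # tcp4 / tcp6 -> tcp
        addr, port = fields[3].rsplit(".", 1)
        if not port.isdigit():
            continue
        state = fields[5] if len(fields) > 5 else ""   # UDP has no state column
        if proto == "tcp" and state != "LISTEN":
            continue                      # established/closing TCP connections
        listeners.append((proto, int(port), addr))
    return listeners


def parse_lsof_owners(text: str) -> Dict[Tuple[str, int], str]:
    """Map (proto, port) -> 'command[pid] user' from `lsof -i -nP` output."""
    owners: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        if fields[-1].startswith("("):    # trailing "(LISTEN)" token
            proto, name = fields[-3], fields[-2]
        else:
            proto, name = fields[-2], fields[-1]
        port = name.rsplit(":", 1)[-1]
        if proto not in ("TCP", "UDP") or not port.isdigit():
            continue
        owners[(proto.lower(), int(port))] = f"{fields[0]}[{fields[1]}] {fields[2]}"
    return owners


def audit_listeners(netstat_text: str, lsof_text: str,
                    allow: Set[Tuple[str, int]]) -> List[Dict]:
    """Listeners not on the allowlist, each tagged with its owning process,
    or 'NO OWNER IN LSOF' when netstat sees a socket lsof does not."""
    owners = parse_lsof_owners(lsof_text)
    findings = []
    for proto, port, addr in parse_netstat_listeners(netstat_text):
        if (proto, port) in allow:
            continue
        owner = owners.get((proto, port), "NO OWNER IN LSOF")
        findings.append({"proto": proto, "port": port, "local": addr, "owner": owner})
    return sorted(findings, key=lambda f: (f["proto"], f["port"]))


if __name__ == "__main__":
    for f in audit_listeners(NETSTAT_SAMPLE, LSOF_SAMPLE, EXPECTED):
        print(f"{f['proto']}/{f['port']} on {f['local']}: {f['owner']}")
```

In the constructed data the check yields two findings: port 40123, which lsof attributes to a process you can then inspect, and port 8888, which netstat sees but lsof does not. The second kind is the one worth chasing, since on a fully visible system every socket belongs to some process.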