From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 15:30:35 2005
Date: Fri, 14 Jan 2005 10:30:34 -0500
From: Jeff Quast
To: JohnG
Cc: FreeBSD-security@freebsd.org
Subject: Re: Intrusion Suspected, Advice Sought
List-Id: Security issues [members-only posting]

On Thu, 6 Jan 2005 20:29:20 -0800, JohnG wrote:
> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
> I have reason to think my system has been tampered with. Security
> features in Mac OS X have been left unlocked (Preference Pane - Users)
> even though a master lock has always been set in the Security
> Preference Pane. This locks all other important preference panes which
> could be tampered with. Also permissions have been reset at every boot
> in my working directory. I've worked on this machine for about 17
> months, and I know its rhythms and what should be what. The permissions
> problem is persistent and new. I do not think I am being paranoid or
> alarmist. I have always had a NAT router, commercial firewall, and
> virus protection.
>
> The only thing I can think of is a hidden *nix program from a
> downloaded program (shareware/freeware) (I have scanned all packages
> for viruses). I am almost positive it did not come via e-mail. I say
> almost because I have been receiving odd e-mails that are totally blank
> and have no information I can find. Conceivably, it could have been a
> hacker. If so, that person was very skillful in getting in and only
> left small traces of poking around.
>
> I assume your advice will be to do a clean re-install of both system
> and programs. My question is how do I re-import the data from full
> backup (probably also containing whatever it is) without further
> jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
> programs I could run on Mac would be greatly appreciated.
>
> John Scherb

Try the tools lsof and netstat to examine all open files and sockets for
anything suspicious. However, I too have had subtle permission problems
with Mac OS X, and I too do not think there is any real reason for concern.

--
:wq!
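Editor's worked example of the lsof/netstat check Jeff suggests. This script is added here and is not part of the list thread or of either tool; it parses `netstat -an` and `lsof -i -n -P` output in the form the BSD-derived tools on Mac OS X print it, lists TCP listeners bound to anything other than the loopback address, and names the process behind each listener that is not on an allowlist. Both sample outputs embedded below are constructed for the example (the ".hidden" process, its PID and port 31337 are invented, not taken from the poster's machine), and the allowlist of port 22 is an assumption about what the owner expects to be open.

```sh
#!/bin/sh
# Added triage helper, not part of the list thread. Parses `netstat -an` and
# `lsof -i -n -P` output in the form BSD/Mac OS X tools print it, lists
# TCP listeners bound to non-loopback addresses, and names the process
# behind any listener that is not on an allowlist.

# Constructed sample of `netstat -an` output (not captured from any real
# host). BSD netstat joins address and port with a dot: "*.22" means
# port 22 on all interfaces.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      64.233.170.197.80      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.31337                *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*'

# Constructed sample of `lsof -i -n -P` output; the ".hidden" process, its
# PID and the device numbers are invented for the example.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      215 root    3u  IPv4 0x02b2f6c0      0t0  TCP *:22 (LISTEN)
Safari   1042 john   17u  IPv4 0x02c1a3e0      0t0  TCP 192.168.1.5:49152->64.233.170.197:80 (ESTABLISHED)
.hidden  1337 john    4u  IPv4 0x02d4b120      0t0  TCP *:31337 (LISTEN)
cupsd     190 root    1u  IPv4 0x02b2e8c0      0t0  TCP 127.0.0.1:631 (LISTEN)'

# Ports the owner knows should be open. Assumed for the example: ssh only.
EXPECTED_PORTS="22"

# listening_ports NETSTAT_TEXT
# Prints one port per line for every TCP socket in LISTEN state that is
# bound to something other than 127.0.0.1. The port is the last
# dot-separated field of the local address.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 !~ /^127\.0\.0\.1\./ {
            n = split($4, a, ".")
            print a[n]
        }'
}

# unexpected_ports NETSTAT_TEXT "PORT PORT ..."
# Prints the listening ports that are not in the space-separated allowlist.
unexpected_ports() {
    for p in $(listening_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;            # expected, say nothing
            *) echo "$p" ;;
        esac
    done
}

# listener_for_port LSOF_TEXT PORT
# Prints "COMMAND PID USER" of the process holding a LISTEN socket on PORT,
# or nothing if lsof shows no such listener.
listener_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $NF == "(LISTEN)" && $(NF - 1) ~ (":" port "$") { print $1, $2, $3 }'
}

# Run against the live host only when asked, so the functions above can be
# exercised on the constructed samples without touching the machine.
if [ "$1" = "--live" ]; then
    netstat_out=$(netstat -an)
    lsof_out=$(lsof -i -n -P 2>/dev/null)   # lsof needs root to see every process
    for p in $(unexpected_ports "$netstat_out" "$EXPECTED_PORTS"); do
        owner=$(listener_for_port "$lsof_out" "$p")
        echo "unexpected listener on port $p: ${owner:-no process visible to lsof}"
    done
fi
```

Run it as root with `sh triage.sh --live`; on the constructed sample it reports port 31337 held by `.hidden` (PID 1337, user john) and stays quiet about sshd and the loopback-only cupsd. Two caveats a practitioner should keep in mind: lsof and netstat run on the suspect host and trust its kernel, so a rootkit that hides sockets or replaces those binaries will also hide from this script, which is why a port scan from a second machine (or a check from a clean boot) is the cross-check; and an unfamiliar port is only a lead, not a verdict, so the next step is to look at the owning process (its binary, its parent, its open files via `lsof -p PID`) rather than to act on the port number alone.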