From: JohnG
To: FreeBSD-security@FreeBSD.org
Date: Thu, 6 Jan 2005 20:29:20 -0800
Subject: Intrusion Suspected, Advice Sought

I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection. I have reason to think my system has been tampered with. Security features in Mac OS X have been left unlocked (Preference Pane - Users) even though a master lock has always been set in the Security Preference Pane. This locks all other important preference panes which could be tampered with. Also, permissions have been reset at every boot in my working directory. I've worked on this machine for about 17 months, and I know its rhythms and what should be what. The permissions problem is persistent and new. I do not think I am being paranoid or alarmist.
I have always had a NAT router, commercial firewall, and virus protection. The only thing I can think of is a hidden *nix program from a downloaded program (shareware/freeware) (I have scanned all packages for viruses). I am almost positive it did not come via e-mail. I say almost because I have been receiving odd e-mails that are totally blank and have no information I can find. Conceivably, it could have been a hacker. If so, that person was very skillful in getting in and only left small traces of poking around.

I assume your advice will be to do a clean re-install of both system and programs. My question is how do I re-import the data from full backup (probably also containing whatever it is) without further jeopardizing my system?

Any other advice, tips, or pointers to FreeBSD programs I could run on Mac would be greatly appreciated.

John Scherb
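The symptom the poster describes (permissions in a working directory silently changing between boots) is exactly what a file-permission baseline catches. The script below is an added example written for this archive page; it is not code from the poster or from any FreeBSD or Apple tool. It records the mode string of every entry under a directory into a JSON baseline, then reports any entry whose mode changed, appeared or disappeared on a later run. The `demo()` function builds a constructed sample tree in a temporary directory, alters two modes the way an unexpected reset would, and returns the resulting differences; the directory names and file contents in it are made up for the demonstration.

```python
import json
import os
import stat
import tempfile


def snapshot_modes(root):
    """Return {relative_path: mode_string} for root and everything below it.

    lstat is used so symlinks are recorded as links rather than followed,
    which keeps a planted link from hiding a change elsewhere.
    """
    modes = {".": stat.filemode(os.lstat(root).st_mode)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            modes[rel] = stat.filemode(os.lstat(full).st_mode)
    return modes


def save_baseline(modes, path):
    """Persist a snapshot; keep this file somewhere the monitored tree cannot touch."""
    with open(path, "w") as fh:
        json.dump(modes, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_modes(baseline, current):
    """Return sorted (path, old_mode, new_mode) tuples for every difference.

    old_mode is None for entries that appeared; new_mode is None for entries
    that vanished. An empty list means nothing changed.
    """
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old != new:
            changes.append((path, old, new))
    return changes


def demo():
    """Constructed sample: baseline a tiny tree, then change modes as a reset would."""
    root = tempfile.mkdtemp(prefix="permbase-")          # constructed working dir
    docs = os.path.join(root, "docs")
    os.mkdir(docs)
    os.chmod(docs, 0o700)
    notes = os.path.join(docs, "notes.txt")
    with open(notes, "w") as fh:
        fh.write("constructed sample content\n")
    os.chmod(notes, 0o600)

    # Baseline lives outside the monitored tree (separate temp dir here).
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="permbase-state-"), "baseline.json")
    save_baseline(snapshot_modes(root), baseline_file)

    # Simulate the unexplained permission reset the poster observed.
    os.chmod(notes, 0o666)
    os.chmod(docs, 0o755)

    return diff_modes(load_baseline(baseline_file), snapshot_modes(root))


if __name__ == "__main__":
    for path, old, new in demo():
        print(f"{path}: {old} -> {new}")
```

In real use, take the baseline once from a state you trust (ideally right after a clean install, before restoring data), store it on read-only media or another host, and re-run the comparison after each boot; a diff that shows modes widening on files you did not touch is the kind of evidence worth preserving before reinstalling. Recording only the mode string keeps the output deterministic; owner, size and hash columns can be added to the snapshot in the same way.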