Need Help with Terminal, NVRAM, and Mac Address




macsrules
Feb 26, 2008, 04:33 PM
Hello, I need help! Someone hacked my Apple about three weeks ago when I opened up a port to download a file through IRC Chat, and since then I have learned a ton about securing the Mac. The first thing I did was reset the NVRAM, reset the firmware, repartitioned the hard drive, zeroed it out seven times, set a firmware password, reinstalled the operating system, set a master root password, set up the normal Admin Account and then created my own user account. One of the things that happened was that my Mac Address was released. The reason I know this is the firewall log showed it. Now, I used the terminal command sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff to create a fake Mac Address for my ethernet card and it worked, because my router showed the fake address, but here is the problem I have. Since the Mac Address is built into the ethernet card, on the reboot it clears out. How do I install this terminal command down in the NVRAM so that it will boot every time the computer starts up showing the new Mac Address? Do I install it in the NVRAM or is there an easier way, maybe create a shell script? If so, how do I write it? How do I install it so on the reboot it is one of the first things to load? Thanks for your help in advance. Please email me your solution if you have one or post it and send me a link.

Thanks,
macsrules



Cromulent
Feb 26, 2008, 04:38 PM
How do you know your Mac was hacked? What were the symptoms?

Someone knowing your Mac address should not be much of a problem. There is little (if anything) you can do with it. Why did you repartition your drive? Your drive's partition map also has little, if anything, to do with the security of your system.

macsrules
Feb 26, 2008, 05:02 PM
Because their icon kept popping up in the shared side of the window. I ran root kit and it told me root permissions had been changed. Then they came in a week later after getting a new modem and router and doing the reformat. They came in through an old laptop PC with no security. They popped up on my dad's Mac mini in the shared side of the window and Time Machine kicked on thinking it was an external hard drive hooked up to the Mac, it asked if I would like to use this as an external and I saw his PC icon. Why did I repartition? Just in case he put a hidden partition on the computer and/or installed something. The Mac Address identifies your computer on the network and I want it changed since this guy has it.

yellow
Feb 26, 2008, 05:03 PM
The MAC address is hardcoded to your NIC. You cannot change it on your Mac and have it stick.

If you are talking about the MAC address of your wireless card and your wireless router and you're using MAC address filtering, then you need to stop using that and start using WPA(2) to secure the network. MAC address filtering and SSID hiding are worthless forms of wifi "security".

macsrules
Feb 26, 2008, 05:07 PM
I know that it is hard coded. That is what I said in the original post. However, you can use this command to change it: sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff. The problem is, like you say, the original one is hard coded. I want to install this terminal command either down in the NVRAM or have a shell script boot this command at startup. I don't know how to write it or do it or I would do it myself.

Cromulent
Feb 26, 2008, 05:09 PM
> The Mac Address Identifies your computer on the network and I want it changed since this guy has it.

Well, you can't. As already mentioned, the MAC address is hard coded into the hardware.

Edit : Taking into account your above post, that little software trick of hiding the MAC address is not really going to help. MAC addresses are not needed to hack a machine. All you need to know is the IP address. Most applications use sockets which only use MAC addresses at the operating system level and as such are hidden from the program itself.

macsrules
Feb 26, 2008, 05:17 PM
If you run this command, sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff, It will change the computer reference to the NIC Card Internal Mac Address however it won't stay there when you restart your computer because the Nic Card is Hard Coded.

And Yes, I understand the Mac Address is Hard Coded into the Card.

Now, I want either a Shell Script or Have this Terminal Command installed in NVRAM so that when I do reboot, this Terminal Command is one of the first things to launch: sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff. I don't know how to write it, that's what I was hoping to find, someone that knows Unix and the Terminal.

yellow
Feb 26, 2008, 05:21 PM
From what I remember, it doesn't actually work. When someone externally looks at the MAC address of the machine (e.g., on the router), it still replies with the correct (hardcoded) MAC address.


> Now, I want either a Shell Script or Have this Terminal Command install in NVRAM so that when I do reboot, this Terminal Command is one of the first things to launch. sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff

The NVRAM doesn't work like that. It will have to be a startup script in /Library/StartupItems/.

Terminal Basics:
http://osxfaq.com/Tutorials/LearningCenter/index.ws

Shell scripting basics:
http://developer.apple.com/documentation/OpenSource/Conceptual/ShellScripting/Introduction/chapter_1_section_1.html

And as noted, having the MAC address of your Mac doesn't really help someone to hack your computer.

macsrules
Feb 26, 2008, 05:28 PM
> From what I remember, it doesn't actually work. When someone externally looks at the MAC address of the machine (e.g., on the router), it still replies with the correct (hardcoded) MAC address.


1. On my router it shows the Mac Addresses of the computer on my network. When I went in to the router to look after using that terminal command, the router identified the Mac that I changed the Mac Address on with the new one that I created and not the Hard Coded One, So I am assuming that it is working.


2. You say it needs to be placed into the /library/startupItem/

How do I write a Terminal Script that will run this Terminal Command on Launch?

jeremy.king
Feb 26, 2008, 05:31 PM
Sounds to me like someone is just using your wireless network. The sharing section of the Finder sidebar shows any available network "server," not what is connected to you.

Overreaction?

macsrules
Feb 26, 2008, 05:36 PM
No knock on you but people are amazing to me. Unless people experience something for themselves they tend to discount what they have not gone through. Anyway, here is the link to the article on doing the Hard Coded Nic Change: http://www.macosxhints.com/article.php?story=20031102075234315

jeremy.king
Feb 26, 2008, 07:54 PM
> No knock on you but people are amazing to me.

Right...we have no idea what we are talking about. :rolleyes:

Hope your hacker won't find your new MAC address - http://www.macosxhints.com/article.php?story=20080119114003330

Looks like I am being hacked by 3 machines!

alaceo
Feb 26, 2008, 09:25 PM
macsrules,

Before you ignore what people are telling you and think we don't understand, you may first want to look at what they're saying. Like kingjr3 said, it just sounds like someone is just on the same wireless network as you. If this is so, lock them out with WPA or WPA2. If you did get hacked, then securing your system is not too hard. You seem to have severely overreacted (based on all the acts you took) to this and from what it sounds like, you may not quite know what you are doing (no offense).

For one, your permissions can be changed by many things. Secondly, as many others have said, changing your MAC address is not going to help your security at a level as you'd like...if at all.

Also, just leave the entire topic of NVRAM alone, it's not going to help you with anything you're aiming for.

And this is not meant as offensive, but if you can't even write a BASH script to automatically execute your command to spoof your MAC, you probably shouldn't be performing said action.


If you're still going to ignore everyone's advice, read up on BASH programming to change your MAC automatically.

macsrules
Feb 26, 2008, 10:45 PM
alaceo,

(*) You're right, I can't write Unix yet. Most of my time has been focused on learning PHP, till the last two weeks.

As far as that guy kingjr3, I am convinced he knows how to turn on the computer but that's the extent of his help. The original post that I made works, all he did was repost what I had up there. And your screen shot was funny, yours comes from a closed network I am guessing, anyway no more advice please.

(*) Alaceo, getting back to your reply. You are right I am forced now to learn security and you sound like you know what you are talking about.

Please fill in the gaps of security that I have I am listening.

Also, you are right, I don't know the Unix core. I don't claim to, that is why I posted here, to find people that are further down the road than me. I do want to do this though: "read up on BASH programming to change your MAC automatically." Can you point me to a web page that will teach me how to write the bash script?

Cromulent
Feb 27, 2008, 07:24 AM
> As far as that guy kingjr3, I am convinced he knows how to turn on the computer but that's the extent of his help. The original post that I made works, all he did was repost what I had up there. And your screen shot was funny, yours comes from a closed network I am guessing, anyway no more advice please.

If you are not willing to accept the help being given to you then what is the point in asking? He made a very good point in saying it was probably just someone using your wireless network to get on the web. It really is very common.

alaceo
Feb 27, 2008, 09:23 AM
Honestly, I believe it's just someone accessing your wireless network. They probably aren't going after your Mac at all. The chances they even got into your computer are pretty slim if you have a decent password and had your firewall enabled. However, I'll give you some basic security tips and something for BASH anyway as you asked.

For a Mac, there really isn't a whole lot you need to do. You may think this list is amateur, but trust me, it's all you should really need.

1. (and most important at this point for you) Secure your wireless network! Go into your router settings (while you're in there, make sure you've set your own password and it's not factory default), then change your wireless security to either WPA or WPA2. Make sure to give yourself a good password with letters, numbers, and preferably some capital letters as well. This will make the password harder to crack.

2. Enable your firewall. Keep it on and close whatever open ports when you're not using them if you're really concerned.

3. Have a good user password on your Mac account.

4. Make sure to keep your file sharing turned off or limited to Read/Write to only your accounts.

5. Don't click on or download things that could be malware.


If you're still inclined to spoof your MAC, which I advise against:
For BASH scripting, here is a link to a Google search I did with the term "BASH programming" which provides many options.
http://www.google.com/search?hl=en&q=BASH+programming&btnG=Google+Search

macsrules
Feb 27, 2008, 09:30 AM
Cromulent,


I am not closed off and do accept advice but most everyone did not answer the question, Alaceo started to at the end of his last post. Maybe it was not clear on my part, the question, so I will try for the last time.

I want to load that Terminal command every time my Mac boots up. Alaceo says that it is a "Bash Command". Okay, then how do I write the command to tell the Mac to boot that script on startup? Where do I put that script? Is it in a hidden file on the Mac? Does the file need a certain extension? Is the file entered through the Terminal or do I write it in a text file and save it with a certain extension? Or can I use Automator to write it, and if so what do I save the file as and where do I put it?

I know that I can go get a utility from Version Tracker that will do this for me but I don't want to install something that I don't know where it is going.

There is already a command that works in the terminal, I just need to set it up to boot every time the computer starts up.

This is as clear as I can write the question.

Macsrules

yellow
Feb 27, 2008, 10:16 AM
Kingjr3's post was NOT a repost of what you linked. What you linked was from 2003 and was pertinent only to Panther (and subsequently Tiger). What Kingjr3 posted was how to make this work in Leopard.

Beyond that, there's no need for all the snide comments. Despite what people have been trying to tell you in this thread, you don't seem to want to read and understand. You have been impossibly hacked and that's the story you're sticking with. Fine.

In order to do what you want (write a shell script that gets invoked at startup), you will have to understand the basics of how the Terminal works and then the basics of how to turn that understanding into a shell script. ONCE you have a working shell script, THEN worry about where to put it.

I already gave you all the information that you need last night, but I guess I have to quote myself:


> Terminal Basics:
> http://osxfaq.com/Tutorials/LearningCenter/index.ws
>
> Shell scripting basics:
> http://developer.apple.com/documentation/OpenSource/Conceptual/ShellScripting/Introduction/chapter_1_section_1.html



Caveats:

Please be aware that if you purchase music from iTunes, doing what you want to do might interfere with your ability to play said music.
What you are doing works ONLY with en0, your WIRED network interface.
I still think what you are describing is an issue with your wireless security. If you are behind a router, then it's highly unlikely that someone 'broke in' and did these things to your computers as the router has NAT built-in. It's far more likely that the attack is local. Deaf ears, I know.

alaceo
Feb 27, 2008, 02:52 PM
Yellow actually answered your questions in the post he just quoted - check it out.

Read the tutorials on how to change your command into a shell script and you'll be fine. We've given you all the tools you need, but you have to figure out how to use them. It's unlikely any of us are going to write it for you, just read what we've all said and read the tutorials myself and Yellow have linked you to.

macsrules
Feb 28, 2008, 12:45 PM
Thanks Yellow and alaceo,


Originally I was hoping that someone would have posted the answer for me so I would not have had to do the work, the easy way of course, but I am now glad they did not. I have been working through the tutorials that Yellow pointed to for the second time and Alaceo restated. It finally sunk in. :) Anyway, I have learned a ton so far from the tutorials on the terminal and it is not as difficult as I thought it would be, it is kind of like the Finder but everything is done through the keyboard. Meaning navigation, creating files, viewing files. It is also neat how you can run the history command and see all the commands that have been input. I have not got to the point of knowing where to create the file and put it but when I do I will post my solution for whoever might want it too. Anyway thanks again.

MacsRules

MrStevieP
Feb 28, 2008, 01:44 PM
Just to echo a previous comment, changing MAC addresses can affect programs adversely, especially commercial/professional programs that use the MAC as the basis of a copy protect. It's generally a very bad idea, so unless absolutely necessary avoid it.

Also, be aware that you can "potentially", although it's not likely, run into routing issues if you have 2 computers with the same MAC on the same network. This is the reason manufacturers hard code a MAC in to guarantee uniqueness. Again, before I get flamed, I know it's unlikely, but you have been warned!!!! :)

Finally, just to add my two cents, in addition to using WPA or whatever as your security protocol, why not turn on MAC address filtering and disable your SSID broadcast. That way no one will see your network, without some serious hacking tools, and no one will be able to connect unless they are spoofing one of your known MAC addresses (v. unlikely unless your machine has been physically compromised, in which case may I suggest new locks for your home ;-). This would be much more effective, less prone to adverse effects and easier to set up than changing your MAC. Of course, you could have also bought yourself a new USB network card to achieve the same result....

Anyway, my point is with WPA(2), MAC filtering and SSID broadcast off, you are not going to be hacked unless you have some pro hacker who really needs to get something off your machines. So unless you have the complete documented account of the Roswell incident or access codes for Area 51 on there you should be fine...
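
Added example (not part of any post in this thread): the difference between a burned-in and a software-assigned MAC address, and the duplicate-MAC risk mentioned above, can be checked from a router's client list. The sketch below flags addresses with the locally administered bit set (as in aa:bb:cc:dd:ee:ff) and addresses that appear more than once. The client table, its "name MAC" format and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify MAC addresses from a router client list.
# Bit 0x02 of the first octet is the "locally administered" flag and bit
# 0x01 marks multicast. A burned-in NIC address normally has both clear.
# A set flag is only a hint: an address with it clear is not proof of a
# burned-in address.

# Constructed sample client table (name, MAC). Only aa:bb:cc:dd:ee:ff comes
# from the thread; every other value is made up.
SAMPLE_CLIENTS='macbook aa:bb:cc:dd:ee:ff
mini 00:11:22:33:44:55
laptop 00:11:22:33:44:66
guest AA-BB-CC-DD-EE-FF'

# Normalize to lowercase, colon-separated form.
mac_norm() {
  printf '%s' "$1" | tr 'A-F-' 'a-f:'
}

# Print universal, local, multicast or invalid for one address.
mac_class() {
  _mac=$(mac_norm "$1")
  if ! printf '%s\n' "$_mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
    echo invalid
    return 1
  fi
  _first=$(printf '%d' "0x${_mac%%:*}")
  if [ $((_first & 1)) -ne 0 ]; then
    echo multicast
  elif [ $((_first & 2)) -ne 0 ]; then
    echo local
  else
    echo universal
  fi
}

# Read "name mac" lines on stdin; report locally administered, invalid and
# duplicated addresses, one finding per line.
audit_clients() {
  _seen=""
  while read -r _name _addr; do
    [ -n "$_name" ] || continue
    _norm=$(mac_norm "$_addr")
    case "$(mac_class "$_addr" || true)" in
      local)   echo "LOCAL $_name $_norm" ;;
      invalid) echo "INVALID $_name $_addr" ;;
    esac
    case " $_seen " in
      *" $_norm "*) echo "DUPLICATE $_name $_norm" ;;
    esac
    _seen="$_seen $_norm"
  done
}

printf '%s\n' "$SAMPLE_CLIENTS" | audit_clients
```
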

macsrules
Feb 28, 2008, 08:49 PM
MrStevieP your response was pretty funny made me laugh. I needed that, thanks.

Actually I left out a big part of the story that I should have probably included at the start. I went on a torrent site. There was a torrent that someone had posted saying, you ever get tired of downloading from limewire because it is so slow, IRC is the way to go. The torrent was instructions on downloading through IRC. This person said when in the room, go to the blue bots at the top and download from them. This room had probably 50 people in it and I am sure that most all of them knew what those bots were. I downloaded a file from one of them and that was how he got in. It was funny, when the IRC client was requesting the file, there was a wait and he had a sound that whistled at you telling you when it was ready to go. Basically I was stupid! Anyway, that's how he got into my computers. I know it looks like I overreacted. After pushing his icon off three times I ran OS X Rootkit on my computer and it showed where the root permissions had been compromised. What a mess.

yellow
Feb 29, 2008, 10:00 AM
> I ran OS X Rootkit on my computer

You ran what?

This thing?

"OS X Rootkit Hunter"?

I wouldn't put too much stock in what it tells you.

macsrules
Feb 29, 2008, 10:40 AM
> You ran what?
>
> This thing?
>
> "OS X Rootkit Hunter"?
>
> I wouldn't put too much stock in what it tells you.


Yellow,

Maybe you're right. I started thinking after I used this software, since it is open source it could be bad and I don't have enough programming skills to look into the software packages to know what I am looking at and what it is installing. I do know this though.

1. I have never had a problem with any of my computers till I opened IRC port per the instructions that I downloaded and then downloading from the bots that guy recommended. (Again my fault) If there was a computer tied to me in the background before this it never showed up in the past. (also file sharing on my computer was turned off)

2. After this person logged onto my computer twice and me pushing his icon off, I thought he was gone. I left my computer for an hour and when I came back he was logged on again. (That is when I started to educate myself about the basics of computer security.)

3. This was when I found this piece of software http://www.christian-hornung.de/ and ran Rootkit OS X.

All I know is that this software confirmed what I was seeing on my computer. After running it, it gave a lot of warnings and one major one that my root permissions had been compromised and changed.

I have done everything I can except replacing the ethernet cards with new ones or getting a new computer.

I know there is no perfect solution if someone really wants to get in and they have the hacking tools and skills but that does not mean I have to open the door like I did in the past.

yellow
Feb 29, 2008, 10:45 AM
For future reference, simply reinstalling the OS would have sufficed. A complete reinstall would have wiped all traces of possibly compromised files. Or, if you have a good backup system, simply moving back to the last known good backup.