"hacker" has deleted files in my PowerBook under Mac OSX 10.4.5

Discussion in 'macOS' started by achtung!, Mar 7, 2006.

  1. achtung! macrumors regular

    Joined:
    Aug 21, 2005
    Location:
    Portugal
    #1
    hi all! today, my powerbook g4 was hacked and i've lost 30gbs of data from my hard drive while i was connected through the wireless connection of my college.

    the technicians tried to track down who has fuc**d up my PB files, but without success. we searched through the few mac logs, and we've found that it could be an operating system flaw from February 28, a "program" called "samba" or similar that was working in the background and was sharing my whole hard drive by itself without my noticing! i didn't have an administration password! i had done all the security updates before this happened!!

    question 1: could someone confirm me that what i described is true? someone with something similar?

    question 2: how can i get rid of that "samba" stuff? i haven't noticed that application in my PB

    question 3: is there any way that i could recover the files that were deleted?

    thks guys for the time, i'm waiting for quick answers
     
  2. CanadaRAM macrumors G5

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #2
    Samba (SMB file sharing) is a normal part of your OS, and is operational only when you have "Windows Sharing" turned on in your Sharing System Preference. It doesn't do it 'by itself', somebody would have had to turn it on, on your machine.

    Your chances of recovering deleted files are poor. You can try the program DataRescue II.
     
  3. achtung! thread starter macrumors regular

    Joined:
    Aug 21, 2005
    Location:
    Portugal
    #3
    the technician remotely connected to my machine to see some logs and he told me that i had samba on!! i was sharing the disk! but all my sharing attributes were off! web, personal sharing and that stuff in system preferences were off! i can guarantee you that!!
     
  4. portent macrumors 6502a

    Joined:
    Feb 17, 2004
    #4
    How, exactly, did the technician remotely connect to your machine?

    However the tech did it, that's probably the "hole." If a technician can get through (say, using SSH, also called Remote Login) then so can a hacker.

    Why not? If it's your computer, then you should have set the admin password when you first got it.
     
  5. achtung! thread starter macrumors regular

    Joined:
    Aug 21, 2005
    Location:
    Portugal
    #5
    he remotely connected to my machine after i gave him permission, by giving him my address, and by activating apple remote desktop and remote login so he could see my logs, 'cause he wasn't by my side, i was talking with him by phone! i know i have done wrong by not adding a password, but i wasn't sharing my disk, i never share my disks, i thought it wasn't necessary!! in theory it would not be necessary! but i know it's all theory! i'm just looking for some answers from you guys. i know that it will be hard or impossible to recover my files. i just want to be more sure of what has happened! i know that whatever happened was done manually, it wasn't something with a timer so that he could delete files on a specific date, 'cause the 30gbs that were deleted were mainly my work. the mp3 and all the sh*t stuff that we usually have on the disk and all the applications remain intact. thks you guys for the replies
     
  6. CanadaRAM macrumors G5

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #6
    the process smbd is running when I have Windows Sharing on, it quits when I unclick the System Preference for Windows Sharing.

    The fact that Samba software is present on your hard drive is normal, and that fact itself does not indicate that your machine is open or compromised.

    There was an update to Samba in the 2005-003 Security Update which closed some vulnerabilities with Samba -- but you say you have kept up to date with Software Update.

    Do you have the machine in a locked area, or can anyone access your room and your machine? If you have not made a login password, then anyone with access to your machine (physically) could have done anything.

    Not assigning an Administrator password is a poor decision.

    You realize, that we will not be able to tell you anything about what really happened? If you are running a machine with no security... no firewall... no password... it could possibly have been anything or anyone.
     
  7. puckhead193 macrumors G3

    Joined:
    May 25, 2004
    Location:
    NY
    #7
    what is Samba and how do i know if it's running or not :confused: :eek:
     
  8. achtung! thread starter macrumors regular

    Joined:
    Aug 21, 2005
    Location:
    Portugal
    #8
    nobody got near my powerbook, i was in the room all the time, the only way to access it was by wireless. by the way CanadaRAM i will be able to restore up to 9 GB of data from the deleted files, with datarescue! thks a lot for the tip! you're the man!

    i appreciate you guys' support, and YES i have already set an administration password. :D i'm just concerned if this could happen again!!
     
  9. treblah macrumors 65816

    Joined:
    Oct 28, 2003
    Location:
    29680
    #9
    Open System Preferences and type Samba into the search box. That will take you right to Windows File Sharing and you can see if it is ticked or not.
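
A command-line way to check what posts #6 and #9 describe (added example, not part of the original thread): it reads `ps` and `netstat -an` output and reports whether smbd/nmbd are running and whether anything is listening on the SMB ports 139 and 445 on a non-loopback address. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge SMB exposure from `ps` and `netstat -an` output.
# Function names and the sample output below are constructed for illustration.

# PIDs of smbd/nmbd, read from `ps -axo pid,comm` style text on stdin.
smb_pids() {
    awk 'NR > 1 {
        n = split($2, parts, "/")   # comm may be printed as a full path
        if (parts[n] == "smbd" || parts[n] == "nmbd") print $1
    }'
}

# Non-loopback TCP listeners on the SMB ports (139, 445), from `netstat -an` text.
# Handles both "*.445" (macOS/BSD) and "0.0.0.0:445" (Linux) address styles.
smb_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" &&
         $4 ~ /[.:](139|445)$/ && $4 !~ /^(127\.|::1[.:])/ { print $4 }'
}

# $1 = ps output, $2 = netstat output.
# exposed: reachable listener; running: daemon only; off: neither.
smb_status() {
    if [ -n "$(printf '%s\n' "$2" | smb_listeners)" ]; then
        echo exposed
    elif [ -n "$(printf '%s\n' "$1" | smb_pids)" ]; then
        echo running
    else
        echo off
    fi
}

SAMPLE_PS='  PID COMM
    1 /sbin/launchd
  214 /usr/sbin/smbd
  215 /usr/sbin/nmbd
  301 /usr/sbin/sshd'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.445                  *.*                    LISTEN
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'

smb_status "$SAMPLE_PS" "$SAMPLE_NETSTAT"
# Live check: smb_status "$(ps -axo pid,comm)" "$(netstat -an)"
```

The listener check is the one that matters for remote reach: a socket bound to `*` or a network address on 139/445 accepts connections from the wireless network regardless of what the preference pane shows.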
     
