
HotCocoa42

macrumors newbie
Original poster
Feb 14, 2007
1
0
First off, because most mac users rarely see the term 'security concern' in the same sentence as OS X, let me preface this post by saying when it comes to macs, I'm not a 'noob'. :) I like to think I know my stuff. I have programmed exclusively on the mac platform for 13 years, I'm pretty familiar with the system.

However, in all the years of using macs (long time), I have never been as freaked out as I currently am because of what happened tonight. I do realize that there are very few security concerns on OS X in terms of remote hacking. Saying you think your OS X system has been remotely hacked is kind of like saying you saw a yeti, you're sort of just laughed at.

Anyhow, long story short, I've had a few strange things happen recently, and in response I've done a bit of surface research on UNIX-based rootkits, checking system permissions, the existence of any mac trojans. I've gone to securemac.com and read all the info I could find. But then tonight when I was logging out, it appeared to be going slower than normal, and instead of seeing the usual user login screen pop up afterwards, all of a sudden the screen went black, and a single white line of text appeared. It listed the Darwin kernel version, asked for my login and password, and gave a prompt sign.

At first I thought my system had crashed or something (kernel panic, maybe?) and this was the command line for Darwin - that's what it seemed to be. So I entered my information, the screen flickered, I caught a glimpse of my login panel behind that black window, and then the black window once again took control and told me 'incorrect password'. Never in all my years of mac using have I had that happen. I've booted into single user mode before - this was not it. I'm fairly comfy in the terminal - this was not a bash shell.

So when the screen appeared a second time, saying my password was incorrect, I unplugged my ethernet cable from the mac. Instantly a line of text printed out, saying something along the lines of UIEth0Disconnect or some such thing. And then the screen appeared again, locking me out of my own system. I tried my login and password for the third time, and of course it just said 'incorrect'.

Subsequently, I did a hard reboot of the mac, and upon restarting, I was presented with my normal login screen. I entered the same ol' password I've always had, and my mac launched as usual. I changed my password to a new one, but I can't help but be a little freaked out by this, simply because with all my experience on macs, something just does not seem right here.

Maybe I'm just flipping out and being paranoid. And please don't give me the usual 'macs are secure, don't worry' response ;) but if anyone has any feedback in terms of recent security notices about some kind of trojan daemon or startup app, or if they have had this happen to them as well, please let me know, it would make me a little less paranoid. :)

Thanks~
 

sunfast

macrumors 68020
Oct 14, 2005
2,135
53
That sounds extremely curious. I'm afraid I'm not knowledgeable enough to give you any useful advice but I'd be very interested to hear what others have to say.
 

ElectricSheep

macrumors 6502
Feb 18, 2004
498
4
Wilmington, DE
Sounds like you somehow dropped to a Runlevel 1 type of situation. I know runlevels aren't really applicable to *BSD-style Unixes like Mac OS X, but it's not inconceivable that something happened when you logged out that caused a number of high level OS services to crash. You can actually (sort of) run Mac OS X as little more than just the kernel and a shell with most of the operating system unloaded. You get a simple prompt on an all black screen.

I'd go digging through log files.

IIRC, you can get into a similar state as this by issuing a halt command in a terminal window. It's not a very useful state, because once everything has been unloaded it's not easy to get things running again without rebooting. I guess launchd doesn't have a facility for 'warm rebooting'.
 