How do I identify hackers?

Discussion in 'Mac Basics and Help' started by lazypoet, Oct 28, 2016.

  1. lazypoet macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #1


  2. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #3
    That only tells you what account has an open tty.

    The OP would simply need to audit all of the user entries. On a traditional *nix box, it would be as easy as checking /etc/passwd and /etc/shadow, but given OS X decided to use Open Directory to store system accounts, it is a bit more complicated.

    I would first do a: dscl . list /users shell | grep -v ''/bin/false'

    This should yield a list of users who do not have /bin/false for a shell.

    Any user account without /bin/false deserves further checking.

    Given a standard OS X desktop or laptop, I would only anticipate there would be very few accounts not /bin/false'd.
     
  3. lazypoet thread starter macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #4
    Thanks for the tip :)

    I only got an empty line after typing that. Good news?
     
  4. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #5
    Not really. I don't know how your own user account is /bin/false.

    If you copy/pasted my original command, it did have one extra single quote which would result in a hanging shell command.

    Code:
    dscl . list /users shell | grep -v '/bin/false'

    On my own Mac Mini, I have:


    Code:
    $ dscl . list /users shell | grep -v '/bin/false'
    _mbsetupuser            /bin/bash
    _uucp                   /usr/sbin/uucico
    Guest                   /bin/bash
    ocabj                   /bin/bash
    root                    /bin/sh
     
  5. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #6
    _mbsetupuser /bin/bash
    _uucp /usr/sbin/uucico
    root /bin/sh

    We all have those, and unless we turned off guest account, we have guest too.

    Additionally, ocabj is your login, presumably; on my system it's called floris, for example.
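
One way to script the audit described in the posts above, as an added example that is not part of the thread: it reduces `dscl . list /users shell` output to accounts with a usable shell and subtracts the accounts the thread names as present on every Mac. The function names, the sample listing and the `alice` accounts are constructed for illustration.

```shell
#!/bin/sh
# Accounts the thread says every Mac has, plus Guest (present unless the
# guest account was turned off).
BASELINE="_mbsetupuser _uucp root Guest"

# flag_unexpected_shells [EXPECTED_USER...]
# Reads `dscl . list /users shell` output (name, whitespace, shell) on stdin.
# Prints "name<TAB>shell" for every account that has a usable shell and is
# neither in BASELINE nor in the EXPECTED_USER arguments.
flag_unexpected_shells() {
    awk -v known="$BASELINE $*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF < 2           { next }   # blank or malformed line
        $2 ~ /\/false$/  { next }   # /bin/false and /usr/bin/false
        !($1 in ok)      { printf "%s\t%s\n", $1, $2 }
    '
}

# Constructed sample in the same layout as the dscl output in the thread.
sample_dscl_output() {
    cat <<'EOF'
_mbsetupuser            /bin/bash
_uucp                   /usr/sbin/uucico
_www                    /usr/bin/false
daemon                  /usr/bin/false
Guest                   /bin/bash
alice                   /bin/bash
alice123                /bin/bash
root                    /bin/sh
EOF
}

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: treat only the account running the audit as expected.
    dscl . list /users shell | flag_unexpected_shells "$(id -un)"
else
    # Elsewhere: run against the constructed sample, expecting only alice.
    sample_dscl_output | flag_unexpected_shells alice
fi
```

Any name this prints is an account to compare against the users shown in System Preferences, as the thread goes on to do.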
     
  6. lazypoet thread starter macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #7
    Right :) I did it again and now I got this:

    "
    _mbsetupuser /bin/bash

    _uucp /usr/sbin/uucico

    christoffervagnes /bin/bash

    christoffervagnes123 /bin/bash

    Guest /bin/bash

    root /bin/sh
    "
     
  7. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #8
    But they don't show underneath the users section of System Preferences?
     
  8. lazypoet thread starter macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #9
    Not the first two or the last two.
     
  9. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
  10. lazypoet thread starter macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #11
    But you just said we all have: "_mbsetupuser /bin/bash
    _uucp /usr/sbin/uucico
    root /bin/sh"

    So that leaves guest and my two user accounts right? Why is it worrying?
     
  11. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #12
    If you say

    christoffervagnes /bin/bash

    christoffervagnes123 /bin/bash


    These two users don't show as added users under system preferences > login >
    then that's worrying.
     
  12. lazypoet thread starter macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #13
    I meant the opposite. Thanks :)
     
  13. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #14
    There is a shareware that might fit into your paranoia called Little Snitch. Just think about it: it is like a reverse firewall on outboard data!
     
  14. lazypoet thread starter macrumors regular

    lazypoet

    Joined:
    Jun 9, 2015
    #15
    Thanks for the tip :) I appreciate it!

    The reason for my paranoia is that I find that I have been getting more and more "fake people friend requests" on Facebook, Twitter and Instagram. I just wondered why there are so many of them now (mostly babes) and not before.
     
