My ARDAgent may have been hacked. Have I fixed it correctly?

Discussion in 'Mac Basics and Help' started by GanChan, May 19, 2010.

  1. GanChan macrumors 6502a

    Joined:
    Jun 21, 2005
    #1
    ARDAgent modification came up when I was repairing permissions:

    Warning: SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired.

    I followed Macworld's advice and created a zip file of ARDAgent, then trashed the original. I will hang onto the compressed file until Apple comes up with a patch for this problem, but as I understand it, with no ARDAgent running I've solved my remote access vulnerability. So am I okay now, or should I do other stuff like wipe my hard drive, etc., just to be sure?...It sounds like it comes from malware attached to a downloaded application, not from a virus, so theoretically I could reinstall OS X and reinstall just my CD-installable apps....

    One glimmer of hope: When I typed "whoami" in Terminal, it gave me my admin name and not "root." So maybe I'm not totally screwed just yet....
     
  2. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #2
    Going against some others who I am sure will post here, the SUID message is expected and according to Apple it can be ignored.

    http://support.apple.com/kb/ts1448

    The article is talking about a vulnerability that exists in ARD. The Disk Utility message has nothing to do with the malicious software and thus there is no need to wipe your drive, nor in fact do anything.

    I am not able to replicate the circumstances under which the bug was found in 10.6.

    I think you should carefully read about this bug, I don't think you are understanding how it works or how it can do damage.

    "whoami" is supposed to return the user logged into the shell. It was the fact that you can tell ARDAgent to do things without admin privileges. Again, read the article carefully and the original Slashdot article.
     
  3. GanChan thread starter macrumors 6502a

    Joined:
    Jun 21, 2005
    #3
    Interesting. Well, I can always unzip and reinstall ARDAgent...but the truth is, I never use remote access anyway. If leaving ARDAgent off my Mac closes a potentially troublesome security hole, I'd have no problem with that.

    Thanks.
     
  4. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #4
    What OS are you running?

    This issue does not exist in 10.6. The issue existed in 10.4 and 10.5.4; it was fixed in a security update, as confirmed by this article from August 2008 (http://db.tidbits.com/article/9720): the ARD hole was fixed in Security Update 2008-005.

    As noted here in the Apple KB:

    There is nothing to worry about at this point and the SUID message is expected and safe according to Apple.

    If however, Disk Utility reports a permissions problem with ARD outside of the SUID message you should be concerned.

    To reiterate: The SUID message given by Disk Utility does not mean your ARDAgent has been hacked nor does it mean you are vulnerable.
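    The distinction calderone draws in posts #2 and #4 (an expected SUID notice about a setuid binary whose contents changed, versus an ordinary permissions problem that a repair pass fixes) is easier to see in code. What follows is an added example and not part of this thread, nor Apple's Disk Utility logic: a small Python audit that compares a file tree against a manifest of expected modes and content hashes, resets harmless mode drift, and reports, but refuses to repair, a setuid/setgid file whose contents no longer match. The directory layout, file contents, modes and the "agent" stand-in for ARDAgent are all constructed for the demo; real installers keep the equivalent record in a receipt/BOM.

```python
#!/usr/bin/env python3
"""Manifest-based permissions audit (added example, not Apple's code).

A "repair permissions" pass compares installed files with the modes the
installer recorded. Ordinary mode drift is safe to reset. A setuid or
setgid binary whose *contents* differ from the record is different:
re-applying its recorded mode would hand the setuid bit to unknown code,
so it is reported and left alone for a human to look at."""
import hashlib
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(root, manifest, repair=False):
    """Compare files under root with manifest {relpath: (mode, sha256)}.

    Returns a sorted list of (relpath, status). Statuses:
      "ok"                  mode and contents match the manifest
      "mode repaired"       mode drift reset (only when repair=True)
      "mode mismatch"       mode drift reported, not touched
      "contents modified"   hash differs on a normal file
      "modified suid/sgid"  hash differs on a setuid/setgid file; never repaired
    Ownership is not checked here: fixing it needs root, and the demo
    runs unprivileged."""
    results = []
    for rel, (exp_mode, exp_digest) in sorted(manifest.items()):
        path = os.path.join(root, rel)
        actual_mode = stat.S_IMODE(os.lstat(path).st_mode)
        if sha256_of(path) != exp_digest:
            if (exp_mode | actual_mode) & SPECIAL_BITS:
                results.append((rel, "modified suid/sgid"))
            else:
                results.append((rel, "contents modified"))
            continue
        if actual_mode != exp_mode:
            if repair:
                os.chmod(path, exp_mode)
                results.append((rel, "mode repaired"))
            else:
                results.append((rel, "mode mismatch"))
            continue
        results.append((rel, "ok"))
    return results


def build_demo_tree(root):
    """Write a constructed tree and return its manifest. 'bin/agent'
    stands in for a setuid-root helper such as ARDAgent (invented data)."""
    files = {
        "bin/agent": (0o4755, b"#!/bin/sh\necho original agent\n"),
        "bin/tool": (0o755, b"#!/bin/sh\necho tool\n"),
        "etc/config": (0o644, b"key=value\n"),
    }
    manifest = {}
    for rel, (mode, data) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        # chmod after writing: on Linux an unprivileged write clears the
        # setuid bit, so the bit has to be set last.
        os.chmod(path, mode)
        manifest[rel] = (mode, hashlib.sha256(data).hexdigest())
    return manifest


def tamper(root):
    """Simulate the thread's worry (replaced setuid binary) plus harmless drift."""
    agent = os.path.join(root, "bin/agent")
    with open(agent, "wb") as f:
        f.write(b"#!/bin/sh\necho not the agent you installed\n")
    os.chmod(agent, 0o4755)                              # still setuid
    os.chmod(os.path.join(root, "etc/config"), 0o666)    # world-writable config


def demo():
    """Repair pass, then a re-check; returns both findings lists."""
    with tempfile.TemporaryDirectory() as root:
        manifest = build_demo_tree(root)
        tamper(root)
        first = audit(root, manifest, repair=True)
        second = audit(root, manifest)
        return first, second


if __name__ == "__main__":
    for label, findings in zip(("repair pass", "re-check"), demo()):
        print(label)
        for rel, status in findings:
            print(f"  {rel:12s} {status}")
```

    On the re-check the config file comes back "ok" while the agent is still reported as "modified suid/sgid": the audit deliberately never resets a setuid file it cannot vouch for, which is the same shape as the Disk Utility notice in the first post. Whether a given SUID notice is benign (a vendor update changed the binary after the receipt was written) or a real concern is a separate question that needs the vendor's own statement, such as the Apple KB article linked above.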
     
  5. ploth macrumors newbie

    Joined:
    Jul 21, 2009
    #5
    I'm on 10.6.3 and get this message. I am trying to troubleshoot why Time Machine keeps slowing my machine down to a stop while it is backing up.
     
  6. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #6
    That message has nothing to do with your Time Machine problem.
     