My MacBook has been hacked!

Discussion in 'macOS' started by spooky1980, Aug 16, 2007.

  1. spooky1980 macrumors newbie

    Joined:
    Aug 16, 2007
    #1
    Does anyone have an idea where the security hole is? My machine was exposed to the internet with personal file sharing and ssh open. My OS X is up to date and all updates are installed. I don't know right now what the guy did with my machine but have a look at the screenshot...
     

  2. Killyp macrumors 68040

    Killyp

    Joined:
    Jun 14, 2006
    #2
    If you've noticed any slowness about the machine:

    • Re-install OS X
    • Change all your passwords on everything you've ever logged into with that machine
    • Never leave SSH on again

    I'm completely over-reacting, but better safe than sorry IMO...
     
  3. kolax macrumors G3

    kolax

    Joined:
    Mar 20, 2007
    #3
    Umm, with File Sharing you need to know the username and password for the computer you want to access. I don't know much about File Sharing though.

    Security hole? There is no security hole. Looks like you've been clumsy and left the door unlocked.

    That's like leaving your car door open and saying there is a security hole in the car.
     
  4. spooky1980 thread starter macrumors newbie

    Joined:
    Aug 16, 2007
  5. Killyp macrumors 68040

    Killyp

    Joined:
    Jun 14, 2006
    #5
    Kilamite is right, leaving SSH on is like leaving your car door wide open, anybody can get in and do pretty much anything to the machine.

    It's not a security loophole, it's more like sending a hacker a remote desktop invitation in Windows, except it works...
     
  6. spooky1980 thread starter macrumors newbie

    Joined:
    Aug 16, 2007
  7. Killyp macrumors 68040

    Killyp

    Joined:
    Jun 14, 2006
    #7
    Not if they got in via Root (which they probably did).
     
  8. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #8

    They can brute force it. Check your SSH logs for rejected names and passwords.

    Start going through your logs for sudo commands, turn off SSH, and start checking your system files.

    How do you back up your system? Depending on how you back up, your backups could be compromised too.

    Pay attention to this, people. This is not a drill.

    The days of claiming OS X is secure are over.
     
  9. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #9
    Passwords can be "guessed".

    SSH scans are very, very common on the 'net, and password dictionaries are used to try to attempt a break-in, in combination with "usual" names (root, admin, www, <English names>), and is called a brute-force attack.
    Letting your Mac be connected to the internet directly (so not behind NAT), with SSH open, "asks for it".
    If it is necessary to be directly connected to the web with SSH open, you must use an outrageous password. Something like: LI*^&(GB(&!nDfr5 usually works.
    Seriously, you must use a password which is not an English word, nor a combination of words etc. Simply substituting an "E" for a "3" or "o" for an "0", or "a" for "@" will not cut it!
     
  10. Doctor X macrumors newbie

    Joined:
    Aug 1, 2007
    #10
    Um . . . er . . . "SSH?":eek:

    --J.D.

    P.S. I do not allow any sharing, remote access, have the firewall up, et cetera. . . .
     
  11. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #11
    Proper use of SSH requires using a key. Not a password. Trusted hosts only.
     
  12. russell.h macrumors regular

    Joined:
    Jul 2, 2007
    #12
    I have had an ssh server running for nearly 2 years and have never had it hacked yet.

    1. Reinstall OS X
    2. Change passwords
    3. If you want to run ssh (which seems pointless on a laptop to me, but you know your situation better than I do) get DenyHosts. I'm sure it's possible to make it work with OS X, try google. I use it on my Linux server, and have it configured to block any IP that tries 5 wrong user names or 5 wrong passwords (even if it gets the user name right). Before I installed it I was getting hit with random username/password combos every few seconds, but now aside from the occasional 5 login attempts followed by the IP getting blocked the only logins in auth.log are mine.

    To be honest, if a vulnerability wasn't exploited (if ssh is like other tools then Apple probably uses openssh, in which case you should try to see how far out of date the one in OS X is and see if any big vulnerabilities have been patched in the interim) then I have to believe that you were somehow socially engineered. The probability of someone guessing your username and your password is so incredibly low as to make the possibility hardly worth considering unless you have an incredibly easy password or someone just got incredibly lucky.
     
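An added example (not from any poster in this thread) of the log review suggested in #8 and the DenyHosts-style rule described in #12: it replays constructed sshd lines in the auth.log/secure.log format, counts wrong user names and wrong passwords per source address, marks an address as blocked once either count reaches 5, and flags any successful login from an address that had already reached that threshold. Host name, user names and the RFC 5737 documentation addresses in the sample are all made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to auth.log/secure.log
# (hypothetical host, users and RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
Aug 16 02:11:01 macbook sshd[501]: Invalid user admin from 203.0.113.5
Aug 16 02:11:01 macbook sshd[501]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Aug 16 02:11:04 macbook sshd[502]: Failed password for invalid user www from 203.0.113.5 port 4423 ssh2
Aug 16 02:11:07 macbook sshd[503]: Failed password for invalid user test from 203.0.113.5 port 4424 ssh2
Aug 16 02:11:10 macbook sshd[504]: Failed password for invalid user oracle from 203.0.113.5 port 4425 ssh2
Aug 16 02:11:13 macbook sshd[505]: Failed password for invalid user guest from 203.0.113.5 port 4426 ssh2
Aug 16 02:12:20 macbook sshd[510]: Failed password for root from 198.51.100.9 port 5100 ssh2
Aug 16 02:12:24 macbook sshd[511]: Failed password for root from 198.51.100.9 port 5101 ssh2
Aug 16 02:12:28 macbook sshd[512]: Failed password for spooky from 198.51.100.9 port 5102 ssh2
Aug 16 02:12:31 macbook sshd[513]: Failed password for spooky from 198.51.100.9 port 5103 ssh2
Aug 16 02:12:35 macbook sshd[514]: Failed password for spooky from 198.51.100.9 port 5104 ssh2
Aug 16 02:12:40 macbook sshd[515]: Accepted password for spooky from 198.51.100.9 port 5105 ssh2
Aug 16 03:00:00 macbook sshd[520]: Failed password for spooky from 192.0.2.7 port 6000 ssh2
Aug 16 03:00:30 macbook sshd[521]: Accepted publickey for spooky from 192.0.2.7 port 6001 ssh2
"""

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")

def analyse(log_text, threshold=5):
    """Replay the DenyHosts-style rule: an IP is blocked once it has made
    `threshold` attempts with wrong user names OR `threshold` wrong passwords
    for existing users. Returns (blocked, suspicious_logins, bad_user, bad_pass)."""
    bad_user = defaultdict(int)   # attempts against accounts that do not exist
    bad_pass = defaultdict(int)   # wrong passwords for real accounts
    blocked = set()
    suspicious = []               # successful logins from an IP that hit the threshold
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, _user, ip = m.groups()
            (bad_user if invalid else bad_pass)[ip] += 1
            if bad_user[ip] >= threshold or bad_pass[ip] >= threshold:
                blocked.add(ip)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # A success after the threshold was reached is the line to investigate first.
            if ip in blocked:
                suspicious.append((ip, user, method, bad_user.get(ip, 0) + bad_pass.get(ip, 0)))
    return blocked, suspicious, dict(bad_user), dict(bad_pass)
```

Without a blocker in place the password login from 198.51.100.9 succeeds after five failures, which is exactly the pattern a grep of secure.log for "Failed password" followed by "Accepted" from the same address would show.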
  13. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #13
    Beat me by.... 1 second?!?
    :p
     
  14. Luis macrumors 65816

    Luis

    Joined:
    Jul 19, 2006
    Location:
    Costa Rica
    #14
    Apart from the things seen in the screenshot (the files etc) did something bad (as in lost info) actually happen?
     
  15. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #15
    Depends. If they got root access, none of it will be logged, if I recall correctly.
     
  16. Luis macrumors 65816

    Luis

    Joined:
    Jul 19, 2006
    Location:
    Costa Rica
    #16
    So he wouldn't know what the hacker did?
     
  17. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #17
    If the hacker got root, the game's over. You'll have to image the hard drive to a spare, then comb through it for clues.
     
  18. ironjaw macrumors 6502

    Joined:
    May 23, 2006
    Location:
    Cold Copenhagen
    #18
    Can anyone explain what root access is? How do you turn it off or disable it etc?
     
  19. spooky1980 thread starter macrumors newbie

    Joined:
    Aug 16, 2007
    #19
    I checked my log files. But I could not find anything suspicious.
    My password is secure. (Random in the style of: leTTerswith*ä'#...)
     
  20. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #20
    Well, in /var/log/secure.log an attempt by "root" and a successful login by "root" will be logged, but.... "root" can delete/edit these logfiles...
     
  21. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #21
    Who is the owner of those "weird" files on your HD?
    (Both in Finder, and in the CLI)
     
  22. yg17 macrumors G5

    yg17

    Joined:
    Aug 1, 2004
    Location:
    St. Louis, MO
    #22

    Wait....so your password is 10 digits, as in 10 numbers? And not characters. That would explain it. That's gotta be one of the easiest passwords to brute force.
     
  23. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #23
    I missed where someone claimed that OS X wasn't susceptible to brute-force "let me guess your password" hacks.
     
  24. kolax macrumors G3

    kolax

    Joined:
    Mar 20, 2007
    #24
    Hoax or not, this thread has been really useful and interesting. Never knew the severe vulnerabilities of File Sharing and co.

    Not quite got my head around SSH - I've looked it up on Wikipedia, but don't understand how it gets tied in to say using Starbuck's WiFi..?
     
  25. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #25
    In short: the user "root" is the actual owner of the system (of all UNIX-es I think). User root can remove, delete... do absolutely anything to everything on your system.
    You as the "first-installed" user are an "admin" user, which gives you many rights (can install apps etc.) but not ALL rights.
    Check your Macintosh HD/System/; you will see in the Finder window that you do not have write access.
    User "root" is disabled in Mac OS X Client, and can be enabled by any "admin"-user, or by having physical access to the machine.

    Simple words of advice:
    Never enable "root"
    Don't allow SSH access
    Keep all FileSharing stuff off....
    .. until you're very sure of what you are doing.

    So, 10^10 possibilities EDIT >> not true.... it's less.... we know all 10 positions are used...

    For a computer that's tried in about 10 seconds.

    Having 10 characters... a-z, A-Z, 0-9, !-) etc.... that's a different matter... ;)
     