My MacBook has been hacked!

spooky1980

macrumors newbie
Original poster
Aug 16, 2007
4
0
Does anyone have an idea where the security hole is? My machine was exposed to the internet with personal file sharing and ssh open. My OS X is up to date and all updates are installed. I don't know right now what the guy did with my machine but have a look at the screenshot...
 

Attachments


Killyp

macrumors 68040
Jun 14, 2006
3,864
3
If you've noticed any slowness about the machine:

• Re-install OS X
• Change all your passwords on everything you've ever logged into with that machine
• Never leave SSH on again

I'm completely over-reacting, but better safe than sorry IMO...
 

kolax

macrumors G3
Mar 20, 2007
9,194
115
Umm, with File Sharing you need to know the username and password for the computer you want to access. I don't know much about File Sharing though.

Security hole? There is no security hole. Looks like you've been clumsy and left the door unlocked.

That's like leaving your car door open and saying there is a security hole in the car.
 

Killyp

macrumors 68040
Jun 14, 2006
3,864
3
Kilamite is right, leaving SSH on is like leaving your car door wide open, anybody can get in and do pretty much anything to the machine.

It's not a security loophole, it's more like sending a hacker a remote desktop invitation in Windows, except it works...
 

SC68Cal

macrumors 68000
Feb 23, 2006
1,642
0
You still need a password to do that...

They can brute force it. Check your SSH logs for rejected names and passwords.

Start going through your logs for sudo commands, turn off SSH, and start checking your system files.

How do you back up your system? Depending on how you back up, your backups could be compromised too.

Pay attention to this, people. This is not a drill.

The days of claiming OS X is secure are over.
 

MacsRgr8

macrumors 604
Sep 8, 2002
7,859
1,126
The Netherlands
You still need a password to do that...
Passwords can be "guessed".

SSH scans are very, very common on the 'net, and password dictionaries are used to attempt a break-in, in combination with "usual" names (root, admin, www, <English names>); this is called a brute-force attack.
Letting your Mac be connected to the internet directly (so not behind NAT), with SSH open, "asks for it".
If it is necessary to be directly connected to the web with SSH open, you must use an outrageous password. Something like: LI*^&(GB(&!nDfr5 usually works.
Seriously, you must use a password which is not an English word, nor a combination of words etc. Simply substituting an "E" for a "3" or "o" for an "0", or "a" for "@" will not cut it!
 

Doctor X

macrumors newbie
Aug 1, 2007
27
0
Um . . . er . . . "SSH?":eek:

--J.D.

P.S. I do not allow any sharing, remote access, have the firewall up, et cetera. . . .
 

russell.h

macrumors regular
Jul 2, 2007
112
0
I have had an ssh server running for nearly 2 years and have never had it hacked yet.

1. Reinstall OS X
2. Change passwords
3. If you want to run ssh (which seems pointless on a laptop to me, but you know your situation better than I do) get DenyHosts. I'm sure it's possible to make it work with OS X, try Google. I use it on my Linux server, and have it configured to block any IP that tries 5 wrong user names or 5 wrong passwords (even if it gets the user name right). Before I installed it I was getting hit with random username/password combos every few seconds, but now aside from the occasional 5 login attempts followed by the IP getting blocked the only logins in auth.log are mine.

To be honest, if a vulnerability wasn't exploited (if ssh is like other tools then Apple probably uses openssh, in which case you should try to see how far out of date the one in OS X is and see if any big vulnerabilities have been patched in the interim) then I have to believe that you were somehow socially engineered. The probability of someone guessing your username and your password is so incredibly low as to make the possibility hardly worth considering unless you have an incredibly easy password or someone just got incredibly lucky.
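As an added example (not code from the thread, from DenyHosts, or from OpenSSH), the block below applies the rule russell.h describes, five failures against usernames that do not exist or five against a real one and the source address is blocked, to constructed auth.log lines in OpenSSH's usual format. It also flags any later successful login from an address that had been failing, which is what SC68Cal's advice to go through the logs is looking for. The host name, user names, addresses and log lines are all constructed for the example; the threshold names are modelled on DenyHosts' settings but the code is not DenyHosts.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH's format (not from the thread).
# Addresses are from documentation ranges; names and timestamps are made up.
SAMPLE_AUTH_LOG = """\
Aug 16 01:12:03 macbook sshd[512]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Aug 16 01:12:05 macbook sshd[512]: Failed password for invalid user www from 203.0.113.5 port 40212 ssh2
Aug 16 01:12:07 macbook sshd[512]: Failed password for invalid user oracle from 203.0.113.5 port 40213 ssh2
Aug 16 01:12:09 macbook sshd[512]: Failed password for invalid user test from 203.0.113.5 port 40214 ssh2
Aug 16 01:12:11 macbook sshd[512]: Failed password for invalid user guest from 203.0.113.5 port 40215 ssh2
Aug 16 01:12:13 macbook sshd[512]: Failed password for invalid user ftp from 203.0.113.5 port 40216 ssh2
Aug 16 02:40:44 macbook sshd[601]: Failed password for spooky from 198.51.100.20 port 51022 ssh2
Aug 16 02:40:46 macbook sshd[601]: Failed password for spooky from 198.51.100.20 port 51022 ssh2
Aug 16 02:40:48 macbook sshd[601]: Failed password for spooky from 198.51.100.20 port 51022 ssh2
Aug 16 02:40:50 macbook sshd[601]: Failed password for spooky from 198.51.100.20 port 51022 ssh2
Aug 16 02:40:52 macbook sshd[601]: Failed password for spooky from 198.51.100.20 port 51022 ssh2
Aug 16 02:41:00 macbook sshd[601]: Accepted publickey for spooky from 198.51.100.20 port 51022 ssh2
Aug 16 03:10:10 macbook sshd[700]: Failed password for spooky from 192.0.2.9 port 33001 ssh2
Aug 16 03:10:30 macbook sshd[700]: Accepted password for spooky from 192.0.2.9 port 33001 ssh2
"""

# "invalid user" is present only when the username does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Thresholds as russell.h describes them (names are assumptions, not DenyHosts').
DENY_THRESHOLD_INVALID = 5  # failures against usernames that do not exist
DENY_THRESHOLD_VALID = 5    # failures against usernames that do exist


def analyse(log_text, threshold_invalid=DENY_THRESHOLD_INVALID,
            threshold_valid=DENY_THRESHOLD_VALID):
    """Return (blocked, suspicious_logins).

    blocked: {ip: reason} for every address that crossed a threshold.
    suspicious_logins: (ip, user, method, prior_failures) for each accepted
    login from an address that had failed before; these are the lines to
    examine when deciding whether a brute force actually succeeded.
    """
    invalid_fails = defaultdict(int)
    valid_fails = defaultdict(int)
    blocked = {}
    suspicious_logins = []

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m["ip"]
            if m["invalid"]:
                invalid_fails[ip] += 1
            else:
                valid_fails[ip] += 1
            if ip not in blocked:
                if invalid_fails[ip] >= threshold_invalid:
                    blocked[ip] = "invalid usernames"
                elif valid_fails[ip] >= threshold_valid:
                    blocked[ip] = "wrong passwords for a real user"
            continue

        m = ACCEPTED_RE.search(line)
        if m:
            ip = m["ip"]
            prior = invalid_fails[ip] + valid_fails[ip]
            if prior:
                suspicious_logins.append((ip, m["user"], m["method"], prior))

    return blocked, suspicious_logins


if __name__ == "__main__":
    blocked, suspicious = analyse(SAMPLE_AUTH_LOG)
    for ip, reason in blocked.items():
        print(f"block {ip}: {reason}")
    for ip, user, method, prior in suspicious:
        print(f"REVIEW: {user} logged in via {method} from {ip} "
              f"after {prior} failed attempt(s)")
```

Run against real logs by piping the file's text into analyse(); on OS X of that era the sshd lines live in /var/log/secure.log rather than auth.log, but the message format is the same. The accepted-login check is the part worth keeping even without any blocking: a successful login from an address that had just been failing is exactly the entry that decides whether the machine was actually compromised.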
 

Luis

macrumors 65816
Jul 19, 2006
1,229
0
Costa Rica
Apart from the things seen in the screenshot (the files etc) did something bad (as in lost info) actually happen?
 

SC68Cal

macrumors 68000
Feb 23, 2006
1,642
0
Apart from the things seen in the screenshot (the files etc) did something bad (as in lost info) actually happen?
Depends. If they got root access, none of it will be logged, if I recall correctly.
 

spooky1980

macrumors newbie
Original poster
Aug 16, 2007
4
0
I checked my log files. But I could not find anything suspicious.
My password is secure. (Random in the style of: leTTerswith*ä'#...)
 

kolax

macrumors G3
Mar 20, 2007
9,194
115
Hoax or not, this thread has been really useful and interesting. Never knew the severe vulnerabilities of File Sharing and co.

Not quite got my head around SSH - I've looked it up on Wikipedia, but don't understand how it gets tied in to, say, using Starbucks' WiFi..?
 

MacsRgr8

macrumors 604
Sep 8, 2002
7,859
1,126
The Netherlands
Can anyone explain what root access is? How do you turn it off or disable it etc?
In short: the user "root" is the actual owner of the system (of all UNIX-es I think). User root can remove, delete... do absolutely anything to everything on your system.
You as the "first-installed" user are an "admin" user, which gives you many rights (can install apps etc.) but not ALL rights.
Check your Macintosh HD/System/ you will see in the Finder window that you do not have write access.
User "root" is disabled in Mac OS X Client, and can be enabled by any "admin"-user, or by having physical access to the machine.

Simple words of advice:
Never enable "root"
Don't allow SSH access
Keep all FileSharing stuff off....
.. until you're very sure of what you are doing.

Wait....so your password is 10 digits, as in 10 numbers? And not characters. That would explain it. That's gotta be one of the easiest passwords to brute force
So, 10^10 possibilities EDIT >> not true.... it's less.... we know all 10 positions are used...

For a computer that's tried in about 10 seconds.

Having 10 characters... a-z, A-Z, 0-9, !-) etc.... that's a different matter... ;)