Does anyone have an idea where the security hole is? My machine was exposed to the internet with personal file sharing and ssh open. My OS X is up to date and all updates are installed. I don't know right now what the guy did with my machine but have a look at the screenshot...
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
My MacBook has been hacked!
- Thread starter spooky1980
- Start date
- Sort by reaction score
Umm, with File Sharing you need to know the username and password for the computer you want to access. I don't know much about File Sharing though.
Security hole? There is no security hole. Looks like you've been clumsy and left the door unlocked.
That's like leaving your car door open and saying there is a security hole in the car.
Security hole? There is no security hole. Looks like you've been clumsy and left the door unlocked.
That's like leaving your car door open and saying there is a security hole in the car.
Kilamite is right, leaving SSH on is like leaving your car door wide open, anybody can get in and do pretty much anything to the machine.
It's not a security loophole, it's more like sending a hacker a remote desktop invitation in Windows, except it works...
It's not a security loophole, it's more like sending a hacker a remote desktop invitation in Windows, except it works...
They can brute force it. Check your SSH logs for rejected names and passwords.
Start going through your logs for sudo commands, turn off SSH, and start checking your system files.
How do you back up your system? Depending on how you backup your backups could be compromised too.
Pay attention to this people. This is not a drill.
The days of claiming OS X is secure is over.
Passwords can be "guessed".
SSH scans are very, very common on the 'net, and password dictionaries are used to try to attempt a break-in, in combination with "usual" names (root, admin, www, <English names>), and is called a brute-force attack.
Letting your Mac be connected to the internet directly (so not behind NAT), with SSH open, "asks for it".
If it is necessary to be directly connected to tah web with SSH open, you must use an outrageous password. Something like: LI*^&(GB(&!nDfr5 usually works.
Serously, you must use a password which is not an English word, nor a combination of words etc. Simply substituting en "E" for a "3" or "o" for an "0", or "a" for "@" will not cut it!
I have had an ssh server running for nearly 2 years and have never had it hacked yet.
1. Reinstall OS X
2. Change passwords
3. If you want to run ssh (which seems pointless on a laptop to me, but you know your situation better than I do) get DenyHosts. I'm sure its possible to make it work with OS X, try google. I use it on my Linux server, and have it configured to block any IP that tries 5 wrong user names or 5 wrong passwords (even it it gets the user name right). Before I installed it I was getting hit with random username/password combos every few seconds, but now aside from the occasional 5 login attempts followed by the IP getting blocked the only logins in auth.log are mine.
To be honest, if a vulnerability wasn't exploited (if ssh is like other tools then Apple probably uses openssh, in which case you should try to see how far out of date the one in OS X is and see if any big vulnerabilities have been patched in the interim) then I have to believe that you were somehow socially engineered. The probability of someone guessing your username and your password is so incredibly low as to make the possibility hardly worth considering unless you have an incredibly easy password or someone just got incredibly lucky.
1. Reinstall OS X
2. Change passwords
3. If you want to run ssh (which seems pointless on a laptop to me, but you know your situation better than I do) get DenyHosts. I'm sure its possible to make it work with OS X, try google. I use it on my Linux server, and have it configured to block any IP that tries 5 wrong user names or 5 wrong passwords (even it it gets the user name right). Before I installed it I was getting hit with random username/password combos every few seconds, but now aside from the occasional 5 login attempts followed by the IP getting blocked the only logins in auth.log are mine.
To be honest, if a vulnerability wasn't exploited (if ssh is like other tools then Apple probably uses openssh, in which case you should try to see how far out of date the one in OS X is and see if any big vulnerabilities have been patched in the interim) then I have to believe that you were somehow socially engineered. The probability of someone guessing your username and your password is so incredibly low as to make the possibility hardly worth considering unless you have an incredibly easy password or someone just got incredibly lucky.
Apart from the things seen in the screenshot (the files etc) did something bad (as in lost info) actually happen?
If the hacker got root, the game's over. You'll have to image the hard drive to a spare, then comb through it for clues.
I checked my log files. But I could not find anything suspicious.
My password is secure. (Random in the style of: leTTerswith*ä'#...)
My password is secure. (Random in the style of: leTTerswith*ä'#...)
Well, in /var/log/secure.log an attempt by "root" and a successful login by "root" will be logged, but.... "root" can delete/edit these logfiles...
Wait....so your password is 10 digits, as in 10 numbers? And not characters. That would explain it. That's gotta be one of the easiest passwords to brute force
I missed where someone claimed that OS X wasn't susceptible to brute-force "let me guess your password" hacks.
Hoax or not, this thread has been really useful and interesting. Never knew the serve vulnerabilities of File Sharing and co.
Not quite got my head around SSH - I've looked up on it on Wikipedia, but don't understand how it gets tied in to say using Starbuck's WiFi..?
Not quite got my head around SSH - I've looked up on it on Wikipedia, but don't understand how it gets tied in to say using Starbuck's WiFi..?
In short: the user "root" is the actual owner of the system (of all UNIX-es I think). User root can remove, delete... do absolutely anything to everything on your system.
You as the "first-installed" user are an "admin" user, which gives you many rights (can install apps ect.) but not ALL rights.
Check your Macintosh HD/System/ you will see in the Finder window that you do not have write access.
User "root" is disabled in Mac OS X Client, and can be enabled by any "admin"-user, or by having physical access to the machine.
Simple words of advice:
Never enable "root"
Don't allow SSH access
Keep all FileSharing stuff off....
.. until you're very sure of what you are doing.
So, 10^10 possibilities EDIT >> not true.... it's less.... we know all 10 positions are used...
For a computer that's tried in about 10 seconds.
Having 10 character... a-z, A-Z, 0-9, !-) etc.... that's a different matter...
