Think my network was hacked

Discussion in 'Mac OS X Server, Xserve, and Networking' started by finsfanscott, Aug 22, 2015.

  1. finsfanscott macrumors newbie

    Joined:
    May 20, 2013
    Location:
    Miami
    #1
    Hello,
    I wanted to set up my own VPN. I have a late 2012 Mac Mini that I was using as an iTunes server and for EyeTV so I could watch US TV when I travel outside the states.

    Purchased a copy of OSX Server, installed and configured the VPN so it would actually connect with a fairly long VPN shared secret. Set up a 'noip' account with a static ip address. Changed the Airport Time Capsule set up to allow connections on ports 500, 1701, 4500 on UDP, but removed the TCP access for port 1723 as I was only planning on using the L2TP VPN.

    Got everything up and running, left the VPN on for a couple days, went to check the logs today and found a large amount of activity, words and comments I didn't understand, and it appears some of the log info was removed as the top statement was something along the lines of "log history removed". I realize now I should have kept a copy of the log, but didn't before I reformatted the drive.

    But what really concerned me is in the "Users" list there are at least 50 "new" users, each with a name of a process Mail, Calendar, etc., and a few others I didn't recognize like "NoName" and "NoUser".

    I then unplugged the machine from ethernet, formatted the drive and reinstalled Yosemite and am in the process of reinstalling Server.

    The only thing I can think of is within the AirPort Utility, I did not have the "Block incoming IPv6 connections" box checked (it is now!)

    As I go through and rebuild my set up, what other security issues should I be on the lookout for?

    I will have multiple user accounts on the machine, and only allow one non admin to run the VPN, and one to run iTunes, and make the Admin account a very long password and not leave it logged in (I think I may have left the mini logged in with the Admin account).

    I have since changed my AppleID password, and everything else that machine would have had in the Keychain (email, bank info, etc.). When I re-do the Mac Mini, I will not use it for any of that kind of communication.

    Thanks for your thoughts!
     
  2. campyguy, Aug 22, 2015
    Last edited: Aug 22, 2015

    campyguy macrumors 68030

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #2
    First: um, yikes!

    I had considered, briefly, using no-ip last year, and then MS swooped in a bit melodramatically to seize a few million web sites being dynamically linked to via no-ip.

    After a bit more research, I discovered that my ISP (Comcast) provides DDNS services for residential and business class customers - all it took was a call to tech support, providing the SN and MAC numbers of my compatible router (not all of their "certified" routers are compatible with their DDNS service), and a 20-minute wait - and I was up and running with a public IP address after entering my credentials into and updating my Airport Extreme. Many ISPs provide this service at no extra charge - all one has to do is ask. I had business class internet but just switched over to residential service a week ago.

    If your ISP doesn't have that service available or won't provide it, and/or you don't use an Airport Extreme or Time Capsule, many router manufacturers (like ASUS) provide DDNS service at no extra charge. I'd also consider finding a DDNS service that has a yearly fee, like DynDNS - it's about $25 per year, and they're really good at it! Good luck!

    A related tip? I keep my activities in separate user accounts: my surfing, banking/purchasing, my iTunes stuff, and my work in separate Standard accounts, and a separate Admin account for MAS and other app-related activities. I also have a Mini Server with DAS for my media storage and a rMBP for my main activity. I use iTunes Match for my listening pleasure and either use an ATV or one of my iOS devices while at the house or one of my offices. On my Mini, I have my media available/accessible in one account - my banking etc. is not done on my Mini but on an iOS app or my rMBP, so there's further segregation of my data and information. Yes, I'm overly cautious...
     
  3. burne macrumors 6502

    burne

    Joined:
    Jul 4, 2007
    Location:
    Haarlem, the Netherlands
    #3
    users like
    Code:
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
    _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
    _installassistant:*:25:25:Install Assistant:/var/empty:/usr/bin/false
    _lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
    _postfix:*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false
    _scsd:*:31:31:Service Configuration Service:/var/empty:/usr/bin/false
    _ces:*:32:32:Certificate Enrollment Service:/var/empty:/usr/bin/false
    _mcxalr:*:54:54:MCX AppLaunch:/var/empty:/usr/bin/false
    _appleevents:*:55:55:AppleEvents Daemon:/var/empty:/usr/bin/false
    _geod:*:56:56:Geo Services Daemon:/var/db/geod:/usr/bin/false
    _serialnumberd:*:58:58:Serial Number Daemon:/var/empty:/usr/bin/false
    _devdocs:*:59:59:Developer Documentation:/var/empty:/usr/bin/false
    _sandbox:*:60:60:Seatbelt:/var/empty:/usr/bin/false
    _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
    _ard:*:67:67:Apple Remote Desktop:/var/empty:/usr/bin/false
    _www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
    _eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
    _cvs:*:72:72:CVS Server:/var/empty:/usr/bin/false
    _svn:*:73:73:SVN Server:/var/empty:/usr/bin/false
    _mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
    _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
    _qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
    _cyrus:*:77:6:Cyrus Administrator:/var/imap:/usr/bin/false
    _mailman:*:78:78:Mailman List Server:/var/empty:/usr/bin/false
    _appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
    _clamav:*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false
    _amavisd:*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false
    _jabber:*:84:84:Jabber XMPP Server:/var/empty:/usr/bin/false
    _appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false
    _windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false
    _spotlight:*:89:89:Spotlight:/var/empty:/usr/bin/false
    _tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false
    _securityagent:*:92:92:SecurityAgent:/var/db/securityagent:/usr/bin/false
    _calendar:*:93:93:Calendar:/var/empty:/usr/bin/false
    _teamsserver:*:94:94:TeamsServer:/var/teamsserver:/usr/bin/false
    _update_sharing:*:95:-2:Update Sharing:/var/empty:/usr/bin/false
    _installer:*:96:-2:Installer:/var/empty:/usr/bin/false
    _atsserver:*:97:97:ATS Server:/var/empty:/usr/bin/false
    _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
    _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
    _softwareupdate:*:200:200:Software Update Service:/var/empty:/usr/bin/false
    _coreaudiod:*:202:202:Core Audio Daemon:/var/empty:/usr/bin/false
    _screensaver:*:203:203:Screensaver:/var/empty:/usr/bin/false
    _locationd:*:205:205:Location Daemon:/var/db/locationd:/usr/bin/false
    _trustevaluationagent:*:208:208:Trust Evaluation Agent:/var/empty:/usr/bin/false
    _timezone:*:210:210:AutoTimeZoneDaemon:/var/empty:/usr/bin/false
    _lda:*:211:211:Local Delivery Agent:/var/empty:/usr/bin/false
    _cvmsroot:*:212:212:CVMS Root:/var/empty:/usr/bin/false
    _usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false
    _dovecot:*:214:6:Dovecot Administrator:/var/empty:/usr/bin/false
    _dpaudio:*:215:215:DP Audio:/var/empty:/usr/bin/false
    _postgres:*:216:216:PostgreSQL Server:/var/empty:/usr/bin/false
    _krbtgt:*:217:-2:Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false
    _kadmin_admin:*:218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false
    _kadmin_changepw:*:219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false
    _devicemgr:*:220:220:Device Management Server:/var/empty:/usr/bin/false
    _webauthserver:*:221:221:Web Auth Server:/var/empty:/usr/bin/false
    _netbios:*:222:222:NetBIOS:/var/empty:/usr/bin/false
    _warmd:*:224:224:Warm Daemon:/var/empty:/usr/bin/false
    _dovenull:*:227:227:Dovecot Authentication:/var/empty:/usr/bin/false
    _netstatistics:*:228:228:Network Statistics Daemon:/var/empty:/usr/bin/false
    _avbdeviced:*:229:-2:Ethernet AVB Device Daemon:/var/empty:/usr/bin/false
    _krb_krbtgt:*:230:-2:Open Directory Kerberos Ticket Granting Ticket:/var/empty:/usr/bin/false
    _krb_kadmin:*:231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false
    _krb_changepw:*:232:-2:Open Directory Kerberos Change Password Service:/var/empty:/usr/bin/false
    _krb_kerberos:*:233:-2:Open Directory Kerberos:/var/empty:/usr/bin/false
    _krb_anonymous:*:234:-2:Open Directory Kerberos Anonymous:/var/empty:/usr/bin/false
    _assetcache:*:235:235:Asset Cache Service:/var/empty:/usr/bin/false
    _coremediaiod:*:236:236:Core Media IO Daemon:/var/empty:/usr/bin/false
    _launchservicesd:*:239:239:_launchservicesd:/var/empty:/usr/bin/false
    _iconservices:*:240:240:IconServices:/var/empty:/usr/bin/false
    _distnote:*:241:241:DistNote:/var/empty:/usr/bin/false
    _nsurlsessiond:*:242:242:NSURLSession Daemon:/var/db/nsurlsessiond:/usr/bin/false
    _nsurlstoraged:*:243:243:NSURLStorage Daemon:/var/empty:/usr/bin/false
    _displaypolicyd:*:244:244:Display Policy Daemon:/var/empty:/usr/bin/false
    _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
    _krbfast:*:246:-2:Kerberos FAST Account:/var/empty:/usr/bin/false
    
    ?

    That is actually normal. These are the pseudo-users used by OS X server to run various tasks without the various tasks being able to snoop on what the others are doing.
     
  4. finsfanscott thread starter macrumors newbie

    Joined:
    May 20, 2013
    Location:
    Miami
    #4

    YES!

    Thank you for sharing that. Obviously, I had no idea who all these users were, or why they would appear. The "nobody", "sandbox", "kadmin_admin", "devicemgr" names (which I obviously didn't create and wouldn't want someone to have access to) alongside my user account with some activity listed by each made me really uncomfortable.

    I feel much better now, thank you for sharing that.

    Since I have already "rebuilt" the Mini, I will just keep all personal information off it and try again to set up the VPN.

    Thanks!
     
  5. hobowankenobi macrumors regular

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
