The macosxhints Forums


Pedro Estarque 02-15-2005 02:32 PM

Help I've been hacked!!!
 
Today I noticed the internet was very slow. After a while I went to my server (G4, 10.3) and in Activity Monitor I noticed AppleFileServer was using 40-70% of CPU. In the network tab there was more than 50kb/sec in data out and about 400 Mb in data out. Nobody in my intranet was connected to the server or copying any file. It must have been someone from outside (internet). Coincidentally or not, just after I started looking for the log file the activity stopped.
I couldn't find any AppleFileServer log like the Apache or system ones; how do I know who downloaded (IP) and what files?
Thanks a lot

hayne 02-15-2005 03:02 PM

Quote:

Originally Posted by Pedro Estarque
Nobody in my intranet was connected to the server or coping any file.

How do you know that - you went around and asked everyone?
Quote:

It must have been someone from outside (internet).
It might also have been some program running on some machine on your LAN that was not known to the user of that machine. (Normal program or malware)
Or maybe someone just logged on as "guest" (which requires no password at all) and downloaded files that were world-readable.
Quote:

I couldn't find any AppleFileServer log
Did you look under /Library/Logs ?

Pedro Estarque 02-15-2005 03:27 PM

Quote:

Originally Posted by hayne
How do you know that - you went around and asked everyone?

Actually yes, it's only 4 people :)

Quote:

Originally Posted by hayne
Did you look under /Library/Logs ?

Yes I did, but I only have the file AppleFileServiceError.log.
I was googling ( http://www.elementkjournals.com/prem....asp?aid=13626 ) and it seems the AppleFileServer log is not activated in the default settings in system 10.2. Is it still true in 10.3? For some reason on my server the AppleFileServer option in the config fork of NetInfo Manager doesn't show, only dhcp and mcx_cache. On all other Macs there is this option.
I'm getting scared now...

Pedro Estarque 02-15-2005 03:29 PM

Is there a way to disable guest login?

hayne 02-15-2005 03:36 PM

Quote:

Originally Posted by Pedro Estarque
It seems the AppleFileServer log is not activated in the default settings in system 10.2. Is it still true in 10.3? For some reason on my server the AppleFileServer option in the config fork of NetInfo Manager doesn't show, only dhcp and mcx_cache. On all other Macs there is this option.

1) You speak of your "Server" - is this machine running OS X Server? If so, I will move this thread to the OS X Server section.

2) I think the existence of the log and the config option may depend not only on what version of OS X you have but also on whether you have File Sharing turned on.

Quote:

Is there a way to disable guest login?
I don't know if there is. But I think I recall seeing other people ask this question on these forums (or elsewhere), so try some googling.
[edit]
I found this old thread that discusses that question:
http://forums.macosxhints.com/showthread.php?t=11000
[/edit]

Pedro Estarque 02-15-2005 03:43 PM

No, it's just a regular OS X install. It shares the internet and printer to the other Macs and does some light Apache serving.

File Sharing is on. This is a condition for the AppleFileServer process to run.

vancenase 02-15-2005 03:49 PM

You might be able to see who (if anyone) was connected, if the log still exists, by typing the following in the Terminal:

Code:

last

# or, to see the most recent:
last | head

There might also be gunzip'd older files in /var/log you can search through too.

Pedro Estarque 02-15-2005 03:57 PM

Quote:

Originally Posted by hayne
I found this old thread that discusses that question:
http://forums.macosxhints.com/showthread.php?t=11000
[/edit]

Thanks! Updating the system to 10.3.8 now to see if AppleFileServer appears in config.

hayne 02-15-2005 04:05 PM

Quote:

Originally Posted by Pedro Estarque
updating the system to 10.3.8 now to see if AppleFileServer appears in config

I don't see it (in NetInfo Manager) on my iBook running 10.3.8 - but I don't have File Sharing turned on.

Pedro Estarque 02-15-2005 04:11 PM

Quote:

Originally Posted by vancenase
You might be able to see who (if anyone) was connected, if the log still exists, by typing the following in the Terminal:

Code:

last

# or, to see the most recent:
last | head

There might also be gunzip'd older files in /var/log you can search through too.

Thanks, I didn't know this command. There doesn't seem to be any unusual login in the output. Does this command track only the normal logins or all of them (AFP, SSH, FTP etc.)?

biovizier 02-15-2005 04:18 PM

Check out the file:
/Library/Preferences/com.apple.AppleFileServer.plist
You can configure a few aspects of AFP there, including turning logging on or off, choosing what to log from a few options, and turning guest access on or off.

(You will have to restart AFP for changes to take effect.)
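Added example (not code from the thread or from Apple): a small Python script that audits the AFP settings biovizier points to and writes back a hardened copy, so the two risky settings can be changed without hand-editing the XML. It assumes the plist carries the boolean keys guestAccess and activityLog (key names assumed, not confirmed by the thread); the sample plist below is constructed.

```python
import plistlib
import sys

# Path named in the thread; the script only touches it when run with --apply.
AFP_PLIST = "/Library/Preferences/com.apple.AppleFileServer.plist"

# Constructed sample of the plist with the risky defaults: guest access on,
# activity logging off. Key names guestAccess / activityLog are assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>guestAccess</key>
    <true/>
    <key>activityLog</key>
    <false/>
    <key>maxConnections</key>
    <integer>-1</integer>
</dict>
</plist>
"""

# What a hardened file server should have; anything else is reported.
WANTED = {
    "guestAccess": (False, "guest access is on: anyone can connect without a password"),
    "activityLog": (True, "activity log is off: connections and file access are not recorded"),
}


def load_afp_settings(data: bytes) -> dict:
    """Parse the plist bytes (XML or binary) into a plain dict."""
    return plistlib.loads(data)


def audit_afp_settings(data: bytes) -> dict:
    """Return {key: finding} for every setting that differs from WANTED."""
    settings = load_afp_settings(data)
    findings = {}
    for key, (wanted, message) in WANTED.items():
        # A missing key is treated as the insecure default and reported too.
        if settings.get(key, not wanted) != wanted:
            findings[key] = message
    return findings


def harden_afp_settings(data: bytes) -> bytes:
    """Return the plist with guest access off and logging on, other keys kept."""
    settings = load_afp_settings(data)
    for key, (wanted, _) in WANTED.items():
        settings[key] = wanted
    return plistlib.dumps(settings)


if __name__ == "__main__":
    # Usage: python afp_audit.py [--apply]   (run as root to write the file)
    with open(AFP_PLIST, "rb") as fh:
        current = fh.read()
    for key, message in audit_afp_settings(current).items():
        print(f"{key}: {message}")
    if "--apply" in sys.argv:
        with open(AFP_PLIST, "wb") as fh:
            fh.write(harden_afp_settings(current))
        print("written; restart AFP (File Sharing) for the change to take effect")
```

The audit treats a missing key as the insecure default, since an absent guestAccess key does not prove guests are locked out; after writing, AFP still has to be restarted, as the post says.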

vancenase 02-15-2005 04:19 PM

From the 'last' man page:
Code:

NAME
    last - indicate last logins of users and ttys

DESCRIPTION
    Last will list the sessions of specified users, ttys, and hosts, in
    reverse time order.  Each line of output contains the user name, the tty
    from which the session was conducted, any hostname, the start and stop
    times for the session, and the duration of the session.  If the session
    is still continuing or was cut short by a crash or shutdown, last will so
    indicate.

From personal experience, I know it will show login activity from SSH and 'normal user login' sessions (from the login window).

Pedro Estarque 02-15-2005 04:32 PM

Quote:

Originally Posted by vancenase
From the 'last' man page:
Code:

NAME
    last - indicate last logins of users and ttys

DESCRIPTION
    Last will list the sessions of specified users, ttys, and hosts, in
    reverse time order.  Each line of output contains the user name, the tty
    from which the session was conducted, any hostname, the start and stop
    times for the session, and the duration of the session.  If the session
    is still continuing or was cut short by a crash or shutdown, last will so
    indicate.

From personal experience, I know it will show login activity from SSH and 'normal user login' sessions (from the login window).

Just checked, it doesn't track AFP logs.

Pedro Estarque 02-15-2005 05:16 PM

Can a user from UNIX (any flavor other than OS X) or Windows connect through AppleFileServer, or is it Mac only?

hayne 02-15-2005 05:21 PM

In principle, a user on any type of OS can connect via AFP - it only requires the appropriate software.

Pedro Estarque 02-15-2005 05:33 PM

So if I've really been hacked (or a guest connected), it most probably was from a Mac machine.

hayne 02-15-2005 05:36 PM

Quote:

Originally Posted by Pedro Estarque
So if I've really been hacked (or a guest connected), it most probably was from a Mac machine.

I'm not sure where you derive that conclusion from. It certainly is easier to acquire the necessary software on a Mac (it comes with the system) but it is also available on other machines running various OSes.

Pedro Estarque 02-15-2005 06:07 PM

Unfortunately the log was off. I guess I'll never know then. Well, I just turned the log on and disabled the guest user with the help of SharePoints. At least now if someone logs in, I'll know it's a valid user and I'll know its IP, time and every file it touched. It's the most detailed log I've ever seen. I just hope it doesn't add too much overhead to the system.

By the way, does anyone know of a tool that can monitor the network through SSH in the Terminal? (So that I don't have to go upstairs and check the Activity Monitor.)

hayne 02-15-2005 06:43 PM

Quote:

Originally Posted by Pedro Estarque
does anyone know of a tool that can monitor the network through SSH in the Terminal? (So that I don't have to go upstairs and check the Activity Monitor.)

There are lots of command-line tools. E.g. 'netstat' comes with OS X. But you need to learn to use them.

Maybe easier is to install a VNC server on your server machine and then use a VNC client to look at (and control) the server from any machine.
Google for "VNC" or look at the articles about it in the main macosxhints site.
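Added example (not from the thread or from any of the tools it names): the kind of netstat reading hayne suggests, as a script that can be run over SSH. It feeds the output of `netstat -an` through a small parser, keeps only established sessions on the AFP port (TCP 548), and flags any peer outside the LAN. The netstat sample below is constructed in the BSD layout OS X prints (the port follows the last dot); the hosts and ports in it are made up, and the LAN prefix is a parameter.

```python
import ipaddress
import subprocess

AFP_PORT = 548  # AppleFileServer listens on TCP 548

# Constructed sample of `netstat -an` output (BSD layout); addresses made up.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.548       192.168.1.25.49312     ESTABLISHED
tcp4       0   8760  192.168.1.10.548       203.0.113.7.3456       ESTABLISHED
tcp4       0      0  192.168.1.10.548       192.168.1.30.49100     TIME_WAIT
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.25.49313     ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'host.port' at the last dot; port is None when it is not numeric ('*')."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def afp_sessions(netstat_output, lan_cidr):
    """Return the established AFP sessions found in netstat text.

    Each entry records the remote host and port and whether the host lies
    outside the given LAN prefix (an unparsable host counts as outside).
    """
    lan = ipaddress.ip_network(lan_cidr)
    sessions = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Only TCP rows have the six columns we need; headers and UDP rows are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        _, lport = split_endpoint(local)
        rhost, rport = split_endpoint(foreign)
        if lport != AFP_PORT or state != "ESTABLISHED":
            continue
        try:
            outside = ipaddress.ip_address(rhost) not in lan
        except ValueError:
            outside = True
        sessions.append({"remote": rhost, "port": rport, "outside_lan": outside})
    return sessions


def report(sessions):
    """Render one line per session; outside-LAN peers are marked."""
    return [
        f"{'!!' if s['outside_lan'] else '  '} AFP session from {s['remote']}:{s['port']}"
        for s in sessions
    ]


if __name__ == "__main__":
    # Usage: python afp_watch.py   (LAN prefix below is a placeholder)
    output = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for line in report(afp_sessions(output, "192.168.1.0/24")):
        print(line)
```

Because `last` does not record AFP logins (as the thread finds out), a periodic run of this over SSH is one way to see live AFP peers without walking to the machine; it shows only current sessions, so it complements rather than replaces the AFP activity log.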

stetner 02-16-2005 02:18 AM

Quote:

Originally Posted by Pedro Estarque
Thanks! updating the system to 10.3.8 now to see if AppleFileServer appears in config

You didn't have 'Download important updates in the background' ticked in your software update panel did you?

Craig R. Arko 02-16-2005 08:37 AM

In addition to tweaking the configuration with SharePoints, you can also try xAFP to monitor connections.

Pedro Estarque 02-16-2005 09:31 AM

Quote:

you can also try xAFP to monitor connections.
Thanks, nice and simple

Quote:

You didn't have 'Download important updates in the background' ticked in your software update panel did you?
No, because they often mess things up, as this one did (swap was back to the startup disk), and as it's a server I want to keep it up as much as I can.

Quote:

There are lots of command-line tools. E.g. 'netstat' comes with OS X. But you need to learn to use them.

Maybe easier is to install a VNC server on your server machine and then use a VNC client to look at (and control) the server from any machine.
Google for "VNC" or look at the articles about it in the main macosxhints site.
I think I will have to learn a little bit of netstat then. I don't want to control the OS with VNC while another person is using the G4 (it has a scanner attached to it). I dream of the day that OS X will allow us to have multiple users concurrently logged in as you can in X11 (not only fast switching between them).

Pedro Estarque 02-16-2005 09:38 AM

BTW 10.3.8 is running and AppleFileServer is still not present in the config fork in NetInfo Manager. Maybe that's because this was a straight 10.3 fresh format 'n install while the other machines came from a 10.2 upgrade. I'm not very literate in XML to edit the plist file easily, so if this is true, it's a major drawback for me. Can anyone confirm it?

