Help I've been hacked!!!
Today I noticed the internet was very slow. After a while I went to my server (G4 10.3) and in Activity Monitor I noticed AppleFileServer was using 40-70% of CPU. In the network tab there was more than 50kb in data out/sec and about 400 Mb in data out. Nobody on my intranet was connected to the server or copying any file. It must have been someone from outside (internet). Coincidentally or not, just after I started looking for the log file the activity stopped.
I couldn't find any AppleFileServer log like apache or system; how do I know who downloaded (IP) and what files? Thanks a lot |
Or maybe someone just logged on as "guest" (which requires no password at all) and downloaded files that were world-readable.
|
I googled ( http://www.elementkjournals.com/prem....asp?aid=13626 ) and it seems the AppleFileServer log is not activated in the default settings in system 10.2. Is that still true in 10.3? For some reason, on my server the AppleFileServer option in the config fork of NetInfo Manager doesn't show, only dhcp and mcx_cache. On all the other Macs this option is there. I'm getting scared now... |
Is there a way to disable guest login?
|
2) I think the existence of the log and the config option may depend not only on what version of OS X you have but also on whether you have File Sharing turned on.
[edit] I found this old thread that discusses that question: http://forums.macosxhints.com/showthread.php?t=11000 [/edit] |
No, it's just a regular OS X install. It shares the internet and printer with the other Macs and does some light Apache serving.
File Sharing is on. This is a condition for the AppleFileServer process to run. |
You might be able to see who (if anyone) was connected, if the log still exists, by typing the following in the Terminal:
Code:
last
|
Check out the file:
/Library/Preferences/com.apple.AppleFileServer.plist
You can configure a few aspects of AFP there, including turning logging on or off, choosing from a few options of what to log, and turning guest access on or off. (You will have to restart AFP for changes to take effect.) |
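An added example, not part of the thread: a Python check of the AFP preference file for the two settings the post above mentions (logging and guest access). The key names `guestAccess`, `activityLog` and `loggingAttributes` (with its `log*` entries) and the sample plist are assumptions constructed for illustration; compare them with the keys in your own file.

```python
import plistlib

# Constructed sample of /Library/Preferences/com.apple.AppleFileServer.plist.
# Key names (guestAccess, activityLog, loggingAttributes, log*) are assumptions;
# compare them with the keys present in your own file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>guestAccess</key><true/>
    <key>activityLog</key><false/>
    <key>loggingAttributes</key>
    <dict>
        <key>logLogin</key><true/>
        <key>logLogout</key><true/>
        <key>logOpenFork</key><false/>
        <key>logDelete</key><false/>
    </dict>
</dict>
</plist>
"""

# Events needed to answer "who connected, and which files were touched".
WANTED_EVENTS = ("logLogin", "logLogout", "logOpenFork", "logDelete")


def audit_afp_prefs(plist_bytes):
    """Return a list of findings for an AFP server preference file."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    # A missing key is flagged too: the effective default is then unknown.
    if prefs.get("guestAccess", True):
        findings.append("guest access is enabled or not explicitly disabled")
    if not prefs.get("activityLog", False):
        findings.append("access logging is off")
    events = prefs.get("loggingAttributes", {})
    for name in WANTED_EVENTS:
        if not events.get(name, False):
            findings.append("event not logged: " + name)
    return findings


if __name__ == "__main__":
    for finding in audit_afp_prefs(SAMPLE_PLIST):
        print("WARNING:", finding)
```

To check a real machine, pass the bytes of the preference file to `audit_afp_prefs` instead of the sample.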
From the 'last' man page:
Code:
NAME
|
Can a user from UNIX (any flavor other than OS X) or Windows connect through AppleFileServer, or is it Mac only?
|
In principle, a user on any type of OS can connect via AFP - it only requires the appropriate software.
|
So if I've really been hacked (or a guest connected), it most probably was from a Mac machine.
|
Unfortunately the log was off. I guess I'll never know then. Well, I just turned the log on and disabled the guest user with the help of SharePoints. At least now if someone logs in, I'll know it's a valid user and I'll know its IP, time and every file it touched. It's the most detailed log I've ever seen. I just hope it doesn't add too much overhead to the system.
By the way, does anyone know of a tool that can monitor the network through ssh in the terminal? (So that I don't have to go upstairs and check the Activity Monitor.) |
Maybe easier is to install a VNC server on your server machine and then use a VNC client to look at (and control) the server from any machine. Google for "VNC" or look at the articles about it in the main macosxhints site. |
In addition to tweaking the configuration with SharePoints, you can also try xAFP to monitor connections.
|
BTW 10.3.8 is running and AppleFileServer is still not present in the config fork in NetInfo Manager. Maybe that's because this was a straight 10.3 fresh format 'n install while the other machines came from a 10.2 upgrade. I'm not literate enough in XML to edit the plist file easily, so if this is true, it's a major drawback for me. Can anyone confirm it?
|