The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Someone got into my system (http://hintsforums.macworld.com/showthread.php?t=55288)

chris_on_hints 05-06-2006 04:25 AM

Hi phil4u2

Shame you deleted the files. If the html file was edited, that does suggest more than a 'click-on-a-link-download-a-file' thing in safari.

By default, the windows sharing on the mac shares home directories and ~/Desktop folders (if I remember right).

How about this scenario:
- you have windows sharing on all the time (this and the Mac filesharing are a security hole)
- your mac is connected directly to a WiFi network (no router to act as hardware firewall)
- your firewall is not always on or on and has the filesharing ports open (as normal)
- a PC on the same network (either at work or at home, in a coffee shop etc) has access to your username/password (eg a friend who you once shared files with)
- that PC has a virus/trojan/spyware whatever, and found the html file on your fileshare and altered it.

This theory would require a PC with access to your username/password, or infected with a malicious program which used brute force to guess your password.

Another option would be - did you upload this html file / site up to a web server hosted somewhere? It could have been infected there, and you downloaded it back to update it and then noticed the html file had been changed... possible?

My suggestions for you are:
- turn off all filesharing, then there is no way intruders can get to your files. It's easy to turn on/off, so just enable it when you are actually sharing files.
- look through the logs, just in case you can see anything unusual - use the Console.app
- next time, don't delete the files. 'exe' files are harmless to you, and it might help sort out what happened.
- change your password NOW just in case. Make it a complicated one, no real words and a mixture of upper/lower case and maybe a couple of symbols for good measure.

If you are feeling paranoid, try looking up Snort - it detects unusual / malicious network activity and will warn you about it.

Good luck, and relax - you are on a mac!

chris

phil4u2 05-06-2006 06:49 AM

Thank you for that answer Chris.
I already did almost all that you said.
The first thing I did was to change my password. (Now I'll have to remember it...:o )
Filesharing is now OFF
I looked through the logs and found something strange:
Code:

*** Zero check failed in /Users/thecat/Desktop/DVDBACKUP
/MacTheRipper2.6/dvdread/ifo_read.c:457

My username is not "thecat" and I am the only user on my machine. Now, could this be a bug in MacTheRipper (as in, the writer of the actual program is user "thecat")?

I will check out SNORT

Before I deleted the infected files (Actually, I deleted the whole folder), I went to the ftp server and checked the uploaded files. They were/are intact.

hayne 05-06-2006 07:11 AM

Quote:

Originally Posted by phil4u2
I looked through the logs and found something strange:
Code:

*** Zero check failed in /Users/thecat/Desktop/DVDBACKUP
/MacTheRipper2.6/dvdread/ifo_read.c:457

My username is not "thecat" and I am the only user on my machine. Now, could this be a bug in MacTheRipper (as in, the writer of the actual program is user "thecat")?

Yes indeed.
Code:

% strings MacTheRipper.app/Contents/MacOS/MacTheRipper | grep -i "thecat"
/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/MTR.m
/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/dvdread/ifo_print.c
/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/dvdread/ifo_read.c
/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/dvdread/nav_print.c
/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/dvdread/nav_read.c
/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/myTocgen.m
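The same check hayne ran with `strings | grep`, as an added Python example that is not part of the thread: a minimal strings(1) reimplementation is run over a constructed stand-in for the app binary, and the source path pulled out of the Console log line is matched against what the compiler baked into the executable. The binary bytes and the helper names are constructed for this example; the real MacTheRipper binary is not used.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a compiled app (NOT the real MacTheRipper binary).
# C check macros that print __FILE__ and __LINE__ embed the *build machine's*
# source path in the executable, which is how "/Users/thecat/..." ends up in a
# log on a machine that has no user "thecat".
FAKE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x80\x02\x00\x00\x00"  # header noise
    b"\x00\x00Zero check failed in %s:%d\n\x00"
    b"/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/dvdread/ifo_read.c\x00"
    b"\x00\x01\x02ab\x03"  # too short to be reported as a string
    b"/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/MTR.m\x00"
)

# The log line from the thread, as the user saw it in Console.app.
LOG_LINE = ("*** Zero check failed in "
            "/Users/thecat/Desktop/DVDBACKUP/MacTheRipper2.6/dvdread/ifo_read.c:457")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def source_path_from_log(line: str) -> Optional[Tuple[str, int]]:
    """Pull the trailing 'path:lineno' reference out of a '... failed in <path>:<n>' line."""
    m = re.search(r"in (\S+?):(\d+)$", line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def explain_log_path(line: str, binary: bytes) -> dict:
    """Is the path in the log a build-time artifact of this binary, or something foreign?"""
    ref = source_path_from_log(line)
    if ref is None:
        return {"parsed": False}
    path, lineno = ref
    embedded = [s for s in extract_strings(binary) if path in s]
    return {
        "parsed": True,
        "path": path,
        "line": lineno,
        "embedded_in_binary": bool(embedded),
        "matches": embedded,
        "verdict": ("build path compiled into the app, not a local account"
                    if embedded else "path not in binary; investigate further"),
    }
```

On a real machine, point `extract_strings` at the bytes of `MacTheRipper.app/Contents/MacOS/MacTheRipper` instead of `FAKE_BINARY`.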
Mikey-San 05-06-2006 12:26 PM

Quote:

out of nowhere, some times later, this same file gets infected with a PC virus, and NAV warns you about it. The file is subsequently quarantined.

See, that's what I mean. "Out of nowhere, some time later" means you don't know what happened, and can't remember everything that's gone on. There's a mountain of information you don't have. You can't even remember what virus it said you had, assuming NAV wasn't giving you a false positive in the first place (and now you have no way to know).

The only logical explanation is that something happened, you just don't know what.

