
Reinstall SLS saving calendar, mail & other user data

647 Views 4 Replies Latest reply: Nov 16, 2012 3:14 PM by davisfromhouston
davisfromhouston Level 1 (0 points)
Nov 5, 2012 7:53 PM

I have apparently sustained some kind of attack on the web portion of my server, whereby whenever I access it externally I get directed to a site that has an expired/unvalidated SSL certificate.  I can access everything inside my network just fine, but from outside it's getting redirected to this external site.  This is now affecting my calendar and mail server.


I am considering reinstalling the entire server, assuming that there is some malicious code inserted somewhere.  How can I save all of the user names, permissions etc. but more importantly save the mail and calendar data that has collected in the various user accounts, and upon reinstall of the server (after erasing the disk) reassociate the directories containing that data with the user accounts?  I can see the directories but they have a UUID-type identifier associated with them, and I don't see anything within Server Admin or Workgroup Manager that would allow me to point to those directories.


Is this as simple as backing up my OD settings from Workgroup Manager, then after reinstall importing those settings, then putting the directories back in place?


Thanks -

Mac OS X (10.6.7), Server
  • MrHoffman Level 6 (11,700 points)

    You have two choices: you can figure out what happened and address it and work to clean up the mess that has been made (potentially including a reinstall and rolling in backups), or you can reinstall OS X and OS X Server (all of it) and (if you don't figure out what happened) get breached again.


    Best case: isolated web server hackery, with no further changes and no backdoors left behind.


    Worst case: Anything on that disk is not trustworthy.  Not until it's been verified.  And if that system has access into your local network, the breach can be (was) extended to other systems in your network.  (qv: DMZ)


    Backdoors can be left in OS X files.  Or in OS X Server files.  In configuration data.  Certainly in LDAP directory; that's an obvious spot.  In web server files.  OS X and OS X Server and a typical environment installs somewhere between a half-million and a million files, and a whole lot of those can be tweaked by a savvy attacker to do, um, unexpected things...


    That UUID you're seeing is just the user's internal identification within OS X and OS X Server.  It's merely a value that uniquely identifies that particular user.  (With that UUID value generated for each user that's been created and with a new UUID for a deleted and recreated user, identifier collisions are extremely unlikely.)  The UUID doesn't encode or hash or hide or mask or decrypt into anything; it's just a likely-very-unique serial number for the user.


    You'll also want to get your backups sorted out.  That's the easiest recovery path for these things; multiple copies of good backups, and preferably kept entirely separate from the server — a savvy attacker can insert the breach into the backups, after all.  (For disaster recovery, preferably with some backups kept somewhere other than your local site, but that's another discussion.)


    There's just no easy way to do this decontamination, either.  Not unless you have a good and complete pre-breach backup, and can roll that in – well, after you figure out how the attacker got in, as the same attack will be repeated indefinitely.


    Here's a short write-up on getting hacked.
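An added example, not from this thread or from Apple, of the "not trustworthy until verified" step described above: build a SHA-256 manifest of a directory tree (for instance the web server configuration) from a known-good copy and diff it against the live files, so edited, dropped-in and deleted files stand out. The paths and file contents used in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks; they can point outside the tree
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest

def compare_manifests(baseline, current):
    """Classify differences between a trusted baseline and the live tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed example: a clean tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good")
        live = os.path.join(d, "live")
        for base in (good, live):
            os.makedirs(os.path.join(base, "sites"))
            with open(os.path.join(base, "httpd.conf"), "w") as f:
                f.write("DocumentRoot /Library/WebServer/Documents\n")
            with open(os.path.join(base, "sites", "index.html"), "w") as f:
                f.write("<html>ok</html>\n")
        baseline = build_manifest(good)
        # simulate tampering of the live tree: edited config, new file, deleted file
        with open(os.path.join(live, "httpd.conf"), "a") as f:
            f.write("# unexpected extra directive\n")
        with open(os.path.join(live, "sites", "dropped.html"), "w") as f:
            f.write("unexpected\n")
        os.remove(os.path.join(live, "sites", "index.html"))
        return compare_manifests(baseline, build_manifest(live))

if __name__ == "__main__":
    print(demo())
```

The baseline manifest must come from a copy taken before the breach (or from fresh install media), and be stored off the server, otherwise a tampered file simply becomes the new baseline.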

  • MrHoffman Level 6 (11,700 points)

    uverse is a very common source of networking discussions around the Internet; AT&T has a very strange set-up with that product.
