Concerned with security....

Hello Everyone,


I am not sure exactly where to post this. I have unfortunately been through the wringer the past few weeks. I believe someone or something (a program/malware) gained access to my computers and possibly my LAN. I have never had problems with my Macs before. I have a Mini that I use as a dedicated media server with Plex and a MacBook Pro for everything else. Very soon after I added a Synology NAS to my setup I was constantly being sent alerts via the Synology software that unfamiliar IP addresses were trying to access my network. After a few days I figured out the security settings on the Synology and have had no alerts since then.


However, both my computers are having major issues. It seems to go through a certain process every single time where the permissions are changed on both the user home folder and then also the system hard drive. These are changes I am not making. When I click on the permissions for the home folder, it shows a user "Fetching" and says they have custom access; my account then says it has no permissions. I delete this user and re-add myself with Read/Write. The settings on the computer then seem to change in various different areas, like allowing a guest login when this was disabled before. Eventually the computer becomes unbootable (grey screen with Apple logo) from the system drive and I have to boot from an external clone (made with SuperDuper!) and try to sort things out.

I have done a complete erase and re-install of Mavericks on both systems. The MacBook Pro seems to be running OK so far; however, the Mini is now only bootable from an external drive. I did have many of the ports open in the firewall, including SSH. Is it possible that someone is able to access my computers even after a complete erase and reinstall on both computers?

I use a lot of services where I access my computer externally, so I have to open some ports and allow things through the firewall. I added Norton Internet Security for an extra layer of firewall protection.

I am including a few screenshots of what services I am allowing and blocking through my firewall. Many of these are background OS X daemons and processes, I believe, but I am not sure if maybe any of these could be something suspicious.

I have been through this re-install process several times now and it seems to keep going back to this state. I am going to contact apple support and see if they have any suggestions. At this point I don't really know what to do- as after a complete erase and re-install I don't see how the problem could repeat.

[Three screenshots attached]

Posted on Jul 16, 2014 9:25 AM

25 replies

Jul 16, 2014 10:13 AM in response to Micah Eavenson

How secure are your Passwords?


Did you restore anything from a backup?


Little Snitch, stops/alerts outgoing stuff...


http://www.obdev.at/products/littlesnitch/index.html


See these for a list of some key loggers...


http://forums.macosxhints.com/archive/index.php/t-41204.html

http://www.keylogger-mac.com/mac-keylogger-perfect-keylogger-for-mac-os-x.html

http://uglypufferfish.com/2008/10/31/mac-keyloggers/


PS. Many Mac users hold Norton in very low regard.

Jul 16, 2014 11:16 AM in response to Micah Eavenson

If your password scheme was not designed securely (8+ characters, upper/lower/number/symbol), then yes, it could have been possible to nuke the permissions along with anything else via SSH.


Norton is not liked by many users here.


You may want to change from remote ports forwarded via your router to a VPN setup. Much easier to control access and you can still connect securely to your systems.
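The reply above makes the point that a forwarded SSH port plus password logins is enough for a remote guesser to get a shell. The following is an added example (my code, not anything posted in the thread): a small audit of an OpenSSH `sshd_config` that flags the settings which allow that, and shows the hardened value beside each weak one. The keywords are standard sshd_config options; the weak and hardened configs, and the `micah` account name in `AllowUsers`, are constructed for the example. On Mavericks the file is typically `/etc/sshd_config` (`/etc/ssh/sshd_config` on later systems).

```python
"""Added example (not from the thread): audit an OpenSSH sshd_config for
the settings that let a remote password guesser into an SSH port that the
router forwards to a Mac. Keywords are standard sshd_config options; both
sample configs below are constructed, not copied from any real system."""
import re
from typing import Dict, List, Tuple

# keyword -> (value the audit requires, reason)
RULES = {
    "PasswordAuthentication": ("no", "passwords can be guessed over an exposed port; require keys"),
    "ChallengeResponseAuthentication": ("no", "keyboard-interactive still accepts the account password"),
    "PermitRootLogin": ("no", "root must not be reachable directly"),
    "PubkeyAuthentication": ("yes", "key login must stay on once passwords are disabled"),
}

# Value sshd uses when a keyword is absent. PermitRootLogin has defaulted to
# prohibit-password since OpenSSH 7.0 and to yes before that; the audit wants
# an explicit "no" either way, so "unset" is reported as a finding.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PermitRootLogin": "unset",
    "PubkeyAuthentication": "yes",
}

WEAK_CONFIG = """\
# constructed sample: a stock config behind a router port forward
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: key-only login, no root, one allowed account
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers micah
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {lowercased keyword: value} for the global section.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too. Parsing stops at the first Match block because rules
    inside it are conditional and need a different evaluation.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*(?:=|\s)\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (keyword, value in effect, required value, reason) per unmet rule."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, (required, reason) in RULES.items():
        value = settings.get(keyword.lower(), DEFAULTS[keyword]).lower()
        if value != required:
            findings.append((keyword, value, required, reason))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for keyword, value, required, reason in findings:
            print(f"  {keyword} {value}  ->  {keyword} {required}   ({reason})")
```

Hardening sshd only helps if the key-based login is actually working before password logins are switched off, so test a key login from another machine first. It also does nothing about a hijacked router that can redirect the forwarded port elsewhere, which is the separate point raised later in the thread.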

Jul 16, 2014 11:32 AM in response to chattphotos

I will consider something other than Norton. It was the first thing I downloaded in a panic when I realized something may be going on.


I have changed all my passwords- for both computers, new network name, new network password, new subnet, new AEBS password (and yes they were and are complex passwords).


I have used OS X Server for a VPN connection before and it worked well, but I only used it to connect to my home LAN from remote locations. I did not use it while within the actual LAN.


I still am not sure how after a clean erase, re-install (I did not migrate anything- everything was downloaded fresh) and changing literally every password- how someone could have access to the system.


The only thing I can figure is that one of the random ports that gets opened for one of my 3rd party applications- like plex- is somehow vulnerable and allowing someone to gain access.

Jul 16, 2014 11:50 AM in response to Micah Eavenson

If you have a Wifi Router, have you considered the Router may be hacked?


http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/


http://www.thesafemac.com/how-to-manage-a-hacked-wireless-router/


http://www.bleepingcomputer.com/forums/t/526443/more-hacked-routers-brand/


http://disconnected.io/2014/03/18/how-i-hacked-your-router/

Jul 16, 2014 12:49 PM in response to BDAqua

BDAqua, in the interest of covering all bases – doesn't a hard reset on a router just wipe the config?

Don't you need to reflash the firmware to have some chance of purging any changes to how it operates?

I suspect you should also take care to use another connection to get the firmware if you suspect yours is not trustworthy.


Micah, when you say you have 'ports on the firewall open' are you talking about at the router or on the Mac?

Jul 16, 2014 4:25 PM in response to Drew Reece

Drew,


I just did a soft reset I believe which took the configurations back to factory default. I haven't done a firmware reinstall.


As far as the ports, I have opened the actual ports I need for services (VPN etc.) via the AirPort Utility interface on the router (see screenshot). Then I have allowed services as needed access through the individual computer firewall (see original screenshots). Finally, I have created rules to allow only needed services through the Norton firewall.


Also, I included a sample of one of the messages I am getting from Norton about suspicious attempts to connect so you can see what this is looking like. It basically behaves like Little Snitch, letting you know what is going in and out of your firewall attempting to connect.


I never had any of these problems until I hooked up the Synology NAS. As I said, though, I have had no issues with it since I closed unsecured ports on it.


[Two screenshots attached]

Jul 16, 2014 6:11 PM in response to BDAqua

Thank you both for the replies. The laptop seems to be running OK for the time being. I have changed both the router and the computers' DNS settings to OpenDNS. I am starting to think you might be onto something with that.


Unfortunately, I am stuck with the grey screen, Apple logo and spinning wheel with the Mini. I can boot from my external clones and see the hard drive etc., but it won't boot from that drive. I have tried Apple+Option+P+R, with no change. I am going to do a Command+R and try to recover the software. I want to try to get into the DNS settings for the computer and see if that makes a difference.


I'll report back.


Micah

Jul 16, 2014 6:59 PM in response to Micah Eavenson

Micah Eavenson wrote:

I want to try to get into the DNS settings for the computer and see if that makes a difference.


See if you can find /Library/Preferences/SystemConfiguration/preferences.plist on the boot disk.

It should contain any configured DNS servers - I viewed it in Xcode, you may want to find a plist viewer if you don't have one, it may be stored in binary format which turns it into 'noise' in a basic text editor.


Look for the 'ServerAddresses' key. If those don't exist under the 'DNS' key the server(s) was probably supplied via DHCP from the router.
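Drew's check above can be scripted, which also takes care of the binary-plist problem: Python's `plistlib` reads both the XML and the binary form. The following is an added example (my code, not from the thread). It walks `NetworkServices` in a `preferences.plist`, lists the `ServerAddresses` under each service's `DNS` key, treats a missing key as "DNS came from DHCP", and flags any resolver that is not one of the OpenDNS addresses the poster switched to. The small plist it constructs inline (service names and UUIDs are assumed, `198.51.100.53` is a documentation address) lets it run offline; pass the path to a real `preferences.plist` on a mounted boot disk as the first argument to inspect that instead.

```python
"""Added example (not from the thread): list the static DNS servers recorded
per network service in a macOS
/Library/Preferences/SystemConfiguration/preferences.plist, and flag any
that are not the expected resolvers. The sample plist below is constructed;
its service names and UUIDs are assumptions."""
import plistlib
import sys
from typing import Dict, List

# OpenDNS resolvers, the servers the thread switched to. Anything else in
# ServerAddresses is worth explaining.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample in the real layout: NetworkServices -> <service UUID>
# -> DNS -> ServerAddresses. One service has static DNS (including an
# address not on the trusted list); the other has no ServerAddresses at all,
# meaning its resolvers came from DHCP. Serialised as a *binary* plist on
# purpose: this is the form that looks like noise in a plain text editor.
SAMPLE_PLIST = plistlib.dumps(
    {
        "NetworkServices": {
            "7F3A2C10-WIFI-UUID": {  # assumed UUID
                "UserDefinedName": "Wi-Fi",
                "DNS": {"ServerAddresses": ["208.67.222.222", "198.51.100.53"]},
            },
            "9B1D4E22-ETH-UUID": {  # assumed UUID
                "UserDefinedName": "Ethernet",
                "DNS": {},
            },
        }
    },
    fmt=plistlib.FMT_BINARY,
)


def dns_servers(data: bytes) -> Dict[str, List[str]]:
    """Map each network service's display name to its static DNS servers.

    An empty list means the service has no ServerAddresses key, i.e. its
    resolvers are handed out by DHCP (normally the router), so the router's
    configuration is the next place to look.
    """
    plist = plistlib.loads(data)
    found: Dict[str, List[str]] = {}
    for service_id, service in plist.get("NetworkServices", {}).items():
        name = service.get("UserDefinedName", service_id)
        found[name] = list(service.get("DNS", {}).get("ServerAddresses", []))
    return found


def untrusted_servers(servers: Dict[str, List[str]], trusted=TRUSTED_DNS) -> Dict[str, List[str]]:
    """Return {service: [addresses not on the trusted list]} for services that
    point somewhere unexpected. Services with DHCP-supplied DNS are omitted:
    this file cannot tell us what they actually resolve against."""
    return {
        name: [a for a in addrs if a not in trusted]
        for name, addrs in servers.items()
        if any(a not in trusted for a in addrs)
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PLIST
    found = dns_servers(data)
    for name, addrs in found.items():
        print(f"{name}: {', '.join(addrs) if addrs else '(no ServerAddresses: DHCP-supplied)'}")
    for name, bad in untrusted_servers(found).items():
        print(f"WARNING {name} uses untrusted DNS: {', '.join(bad)}")
```

This only shows what the Mac has stored. For the resolvers in effect on a running system, `scutil --dns` is the authoritative view, and a DHCP-supplied resolver that points at a hijacked router will never appear in this file at all, which is why the router's own DNS setting has to be checked separately.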
