Concerned with security....

Hello Everyone,


I am not sure exactly where to post this. I have unfortunately been through the wringer the past few weeks. I believe someone or something (program/malware) gained access to my computers and possibly my LAN. I have never had problems with my Macs before. I have a Mini that I use as a dedicated media server with Plex and a MacBook Pro for everything else. Very soon after I added a Synology NAS to my setup I was constantly being sent alerts via the Synology software that unfamiliar IP addresses were trying to access my network. After a few days I figured out the security settings on the Synology and have had no alerts since then.


However, both my computers are having major issues. It seems to go through a certain process every single time where the permissions are changed on both the user home folder and then also the system hard drive. These are changes I am not making. When I click on the permissions for the Home folder, it shows a user "Fetching" and says they have custom access; my account then says it has no permissions. I delete this user and re-add myself with Read/Write. The settings on the computer then seem to change in various different areas, like allowing a guest login when this was disabled before. Eventually the computer becomes unbootable (grey screen with Apple logo) from the system drive and I have to boot it up from an external clone (made with SuperDuper) and try to sort things out.

I have done a complete erase and reinstall of Mavericks on both systems. The MacBook Pro seems to be running OK so far; however, the Mini is now only bootable from an external drive. I did have many of the ports open in the firewall, including SSH. Is it possible that someone is able to access my computers even after a complete erase and reinstall on both computers?

I use a lot of services where I access my computer externally, so I have to open some ports and allow things through the firewall. I added Norton Internet Security for an extra layer of firewall protection.

I am including a few screenshots of what services I am allowing and blocking through my firewall. Many of these are background OS X daemons and processes, I believe, but I am not sure if maybe any of these could be something suspicious.

I have been through this reinstall process several times now and it seems to keep going back to this state. I am going to contact Apple Support and see if they have any suggestions. At this point I don't really know what to do, as after a complete erase and reinstall I don't see how the problem could repeat.


Posted on Jul 16, 2014 9:25 AM

25 replies

Jul 17, 2014 1:10 PM in response to Micah Eavenson

See if you can find /Library/Preferences/SystemConfiguration/preferences.plist on the boot disk.

It should contain any configured DNS servers. I viewed it in Xcode; you may want to find a plist viewer if you don't have one, as it may be stored in binary format, which turns it into 'noise' in a basic text editor.

Get the free TextWrangler to open plists...


http://www.barebones.com/products/TextWrangler/
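One way to do the DNS check suggested above without a plist viewer is to parse the file programmatically. This is an added example, not code from the thread: it assumes the file's `NetworkServices` -> `DNS` -> `ServerAddresses` layout (verify against your own copy), and the sample plist it parses is constructed here, not taken from the poster's machine.

```python
import plistlib
from typing import Dict, List, Set

# Assumed layout of /Library/Preferences/SystemConfiguration/preferences.plist:
# NetworkServices -> {service UUID -> {"UserDefinedName": ..., "DNS": {"ServerAddresses": [...]}}}
# Check this assumption on your own Mac with: plutil -p <path to preferences.plist>
PREFS_PATH = "/Library/Preferences/SystemConfiguration/preferences.plist"


def dns_servers_from_plist(data: bytes) -> Dict[str, List[str]]:
    """Return {service name: [DNS server, ...]} for every network service.
    plistlib.loads() accepts both XML and binary plists, so the binary 'noise'
    seen in a plain text editor is not a problem here."""
    prefs = plistlib.loads(data)
    result: Dict[str, List[str]] = {}
    for uuid, service in prefs.get("NetworkServices", {}).items():
        name = service.get("UserDefinedName", uuid)
        servers = service.get("DNS", {}).get("ServerAddresses", [])
        result[name] = list(servers)
    return result


def unexpected_servers(servers: Dict[str, List[str]], allowlist: Set[str]) -> Dict[str, List[str]]:
    """Services that point at a resolver you did not configure yourself."""
    return {name: [s for s in addrs if s not in allowlist]
            for name, addrs in servers.items()
            if any(s not in allowlist for s in addrs)}


# Resolvers the poster said they configured: OpenDNS and Google Public DNS.
EXPECTED = {"208.67.222.222", "208.67.220.220", "8.8.8.8", "8.8.4.4"}

# Constructed sample, written in binary format like the real file. The Wi-Fi
# service carries an extra resolver (a documentation address) to trigger the check.
SAMPLE = plistlib.dumps({
    "NetworkServices": {
        "CONSTRUCTED-UUID-WIFI": {"UserDefinedName": "Wi-Fi",
                                  "DNS": {"ServerAddresses": ["8.8.8.8", "198.51.100.7"]}},
        "CONSTRUCTED-UUID-ETH": {"UserDefinedName": "Ethernet",
                                 "DNS": {"ServerAddresses": ["208.67.222.222"]}},
    }
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    import sys
    # Pass a path to check a real (or cloned-disk) copy; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = dns_servers_from_plist(data)
    for name, addrs in found.items():
        print(f"{name}: {addrs or '(DHCP-assigned, none stored)'}")
    print("unexpected:", unexpected_servers(found, EXPECTED))
```

Run it against the preferences.plist on the external clone as well as the internal disk; a resolver that is not one you set is worth explaining before the next reinstall.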

Jul 21, 2014 6:55 PM in response to Micah Eavenson

I have not had a chance to check the configuration files yet. However, I changed my DNS settings to OpenDNS and Google.


When I logged in under my user over the weekend, the allow guest to log in option had been enabled. This is not something I would have ever enabled. Is there any way that this could have been enabled some other way inadvertently? It said guest managed. I did not do this.


I have again changed my password. I have also done a Command+R boot, opened Terminal and reset permissions to default on root and my user.


I have created a new user and am in the process of migrating over to it. I used the option to create a disk image of the old user but am not sure if there would be a security risk from restoring from that.


Jul 21, 2014 8:21 PM in response to Micah Eavenson

Micah Eavenson wrote:


When I logged in under my user over the weekend - the allow guest to log in option had been enabled. This is not something I would have ever enabled. Is there anyway that this could have been enabled some other way inadvertently? It said guest managed. I did not do this.

Guest logins are enabled by default so unless you explicitly disabled this feature it could be normal.

Find My Mac also allows guest login in an attempt to entice the use of the Mac, as does Filevault…

OS X Mountain Lion: Set up guest users


If a hacker had gained access to the Mac enabling guest access seems kind of pointless – they could already read and write via whatever access they had already setup. It seems more likely that they would try to 'hide in plain sight' e.g. move data around over services that are often making network requests like http.


I think you may want to take the Mac to an Apple Store (if possible) if you think it is hacked. I suspect a Genius at the bar may reinstall if you ask. Explain that you are uncertain if your network is compromised.


Micah Eavenson wrote:


I have created a new user and am in the process of migrating over to it. I used the option to create a disk image of the old user but am not sure if there would be a security risk from restoring from that.


This will not make any difference to the OS. If you think the OS is hacked you cannot just move your user data to a new account. You must erase the entire OS otherwise you may suffer the exact same 'hacks' but in a new account.


Personally I'm not able to tell if you have actual evidence of a compromised Mac, however there is little point in taking half measures if you are going to the inconvenience of trying to stop the 'hack'.


Move your user data to another disk, erase the internal disk. Install 10.9 via a trusted internet connection. Restore the user data (ideally by hand only moving what you need).

Jul 22, 2014 7:49 AM in response to Drew Reece

I explicitly disabled the guest login and it has then been re-enabled more than one time since then.


Does Find My Mac always enable guest login? If so this could be possible as I know the OS has asked me if I would like to allow Find My Mac and I have said yes.


As far as doing a clean 10.9 install, I have done about 3 of these on each machine so far and have had similar problems each time. I have not done these installs at another location with a trusted connection (if mine is perhaps compromised).


If I continue having problems this week I will take all three machines and the router to a friend's house and perform a firmware reset on the AirPort, wipe all the disks (all my data resides on an external NAS) and do a complete reinstall on both machines. Hopefully I won't have to take these measures, but at this point I still can't explain some of the issues I am having.

Jul 22, 2014 8:35 AM in response to Micah Eavenson

Micah Eavenson wrote:


I explicitly disabled the guest login and it has then been re-enabled more than one time since then.


Does Find My Mac always enable guest login? If so this could be possible as I know the OS has asked me if I would like to allow Find My Mac and I have said yes.

You need to actually test yourself to see how the Mac works …


I just disabled & re-enabled iCloud's Find my Mac. Guest login was re-enabled.

Jul 22, 2014 7:14 PM in response to Drew Reece

Drew,


You were exactly right on the Find my Mac issue. I disabled and re-enabled and had the same results you did. Good to know.


My biggest concern is that if someone did get access it may have been to the router. I don't really know enough about this to know for sure, but that's where all my issues end up leading.


Last night my router went offline so I left it alone until I got home this evening. When I began looking at some of the settings I noticed that the IP Address had changed under the internet tab which isn't unusual at all I know since I turned off the modem and router and turned them back on.


Under the Internet tab I am connecting via DHCP.


IPv4 address is 68.XXX.XX.XXX

Subnet is normal

Router address is 68.XXX.XX.XXX ??


Shouldn't the router address follow the Local subnet of 10.0.X.X that exists on my network? I may be wrong about this as I can't remember what this tab had listed before.


Also, I have Allow IPv6 connection sharing enabled, and then under the Network tab BLOCK INCOMING and ALLOW INCOMING IPSEC AUTHENTICATION is checked. Are these the standard settings? I haven't ever touched them but wanted to make sure these were secure settings.

Jul 22, 2014 7:34 PM in response to Micah Eavenson

Micah Eavenson wrote:

IPv4 address is 68.XXX.XX.XXX

Subnet is normal

Router address is 68.XXX.XX.XXX ??


Shouldn't the router address follow the Local subnet of 10.0.X.X that exists on my network? I may be wrong about this as I can't remember what this tab had listed before.


That looks normal (as far as I can make out). The router will have an external IP (the 68.wh.at.ev.er). The router usually translates that into local addresses (10.0.range) via something called 'NAT' (at least for IPv4 traffic). It means the local network is private whilst the internet can be accessed through the router.


You may find that shutting a router down for a few hours will cause you to get a new address, but the external IP is governed by your ISP & how often they hand out new addresses.


Micah Eavenson wrote:


Also, I have Allow IPv6 connection sharing enabled, and then under the Network tab BLOCK INCOMING and ALLOW INCOMING IPSEC AUTHENTICATION is checked. Are these the standard settings? I haven't ever touched them but wanted to make sure these were secure settings.


I don't know about that, but I'd consider disabling it. It sounds like it gives your local devices a public IPv6 IP.


Hopefully someone more experienced with this setting can explain, if not ask a new question specifically about how it should be configured.

Jul 22, 2014 9:39 PM in response to Micah Eavenson

65.251.19.9 is...


OrgName: MCI Communications Services, Inc. d/b/a Verizon Business

OrgId: MCICS

Address: 22001 Loudoun County Pkwy

City: Ashburn

StateProv: VA

PostalCode: 20147


http://arstechnica.com/security/2014/07/weaponized-exploit-can-steal-user-cookies-on-ebay-tumblr-other-sites/


http://blog.trendmicro.com/trendlabs-security-intelligence/malware-uses-zws-compression-for-evasion-tactic/
