Intrusion Suspected, Advice Sought

Jeff Quast af.dingo at gmail.com
Fri Jan 14 07:30:35 PST 2005


On Thu, 6 Jan 2005 20:29:20 -0800, JohnG <mcsjgs at cox.net> wrote:
> I run OS X 10.3.7 on a PowerMac MDD G4 on a cable broadband connection.
> I have reason to think my system has been tampered with. Security
> features in Mac OS X have been left unlocked (Preference Pane - Users)
> even though a master lock has always been set in the Security
> Preference Pane. This locks all other important preference panes which
> could be tampered with. Also permissions have been reset at every boot
> in my working directory. I've worked on this machine for about 17
> months, and I know its rhythms and what should be what. The permissions
> problem is persistent and new. I do not think I am being paranoid or
> alarmist. I have always had a NAT router, commercial firewall, and
> virus protection.
> 
> The only thing I can think of is a hidden *nix program from a
> downloaded program (shareware/freeware) (I have scanned all packages
> for viruses). I am almost positive it did not come via e-mail. I say
> almost because I have been receiving odd e-mails that are totally blank
> and have no information I can find. Conceivably, it could have been a
> hacker. If so, that person was very skillful in getting in and only
> left small traces of poking around.
> 
> I assume your advice will be to do a clean re-install of both system
> and programs. My question is how do I re-import the data from full
> backup (probably also containing whatever it is) without further
> jeopardizing my system? Any other advice, tips, or pointers to FreeBSD
> programs I could run on Mac would be greatly appreciated.
> 
> John Scherb

Try the tools lsof and netstat to examine all open files and sockets
for anything suspicious. However, I too have had subtle permission
problems with Mac OSX, and I too do not think there is any real reason
for concern.

-- 
:wq!
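One way to act on the lsof suggestion in the reply above, as an added example that is not part of the original thread: a filter that reads `lsof -nP -iTCP -sTCP:LISTEN` output and reports listeners that are reachable off-host and not on a reviewed allowlist. The function names, the `ALLOW` list and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage listening TCP sockets from `lsof -nP -iTCP -sTCP:LISTEN` output.
# A listener is reported when it is bound to a non-loopback address AND
# its command name is not on the allowlist below.

# Assumption: commands you expect to accept connections on this host.
ALLOW="sshd cupsd"

# Reads lsof output on stdin; prints "COMMAND PID USER ADDR:PORT" per finding.
flag_listeners() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF != "(LISTEN)" { next }                 # skips header and non-listeners
        {
            addr = $(NF - 1)                       # NAME column, e.g. *:22
            host = addr
            sub(/:[0-9]+$/, "", host)              # strip numeric port (-P)
            loop = (host == "127.0.0.1" || host == "[::1]")
            if (!loop && !($1 in ok)) print $1, $2, $3, addr
        }'
}

# Constructed sample output, not captured from a real host.
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      312 root    3u  IPv4 0x01a2      0t0  TCP *:22 (LISTEN)
cupsd     401 root    5u  IPv4 0x01b3      0t0  TCP 127.0.0.1:631 (LISTEN)
helper    977 john    4u  IPv4 0x01c4      0t0  TCP *:50123 (LISTEN)
mDNSResp  188 root    9u  IPv6 0x01d5      0t0  TCP [::1]:5354 (LISTEN)'

# Runs the filter over the constructed sample.
triage_sample() { printf '%s\n' "$SAMPLE" | flag_listeners; }

triage_sample
# Live use (run as root to see sockets owned by every user):
#   lsof -nP -iTCP -sTCP:LISTEN | flag_listeners
# Cross-check the listener list against the kernel's view with: netstat -an
```

A listener that appears in `netstat -an` but has no matching row in the lsof output is worth a closer look, since the two tools gather their data independently.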


More information about the freebsd-security mailing list