From george at galis.org Fri Feb 16 15:58:50 2007
From: george at galis.org (George Georgalis)
Date: Fri Feb 16 16:04:53 2007
Subject: [macosx-unix] scanning a mac for compromise
Message-ID: <20070216205850.GH24438@run.galis.org>

Hi all, not much list discussion, hope the meetings have been fun.

One of the macs here was visiting Seattle this week and experienced an anomaly that is very suspicious of compromise. I'm going to start some forensics soon and was wondering if any tools could be suggested or if anyone can identify the behavior?

This MacBook Pro has 2 GB RAM and runs XP in a Parallels virtual machine. The user is pretty sharp and I don't expect any services running or missing updates.

While he was in the Mac environment (vs XP), on a wifi network, the mouse pointer moved to the upper left corner 'region' and became unmovable; the region then became animated (about a square inch), as if it were a TV with poor reception.

The user was concerned about a wifi compromise but couldn't shut off the AirPort without the mouse, so he turned off the computer.

He has since used the system and experienced nothing unusual. We have discussed the process of restoring files to a fresh install, which will probably happen if we cannot identify a cause. However, in any event we would like to identify the source of this anomaly.

Any suggestions?

// George

--
George Georgalis, systems architect, administrator <

From peter_booth at mac.com Fri Feb 16 16:41:17 2007
From: peter_booth at mac.com (Peter Booth)
Date: Fri Feb 16 16:45:36 2007
Subject: [macosx-unix] scanning a mac for compromise
In-Reply-To: <20070216205850.GH24438@run.galis.org>
References: <20070216205850.GH24438@run.galis.org>
Message-ID: <51A37947-FBB5-44C2-BCFE-9FC0F6577FF3@mac.com>

Which of the sharing options was enabled? Remote login? Was the XP VM running in the background? Presumably it's much easier to compromise.
You can use last and XP eventvwr to check for remote logons to either OSX or XP at the time in question. It would be hard to leave no trace. Check all of the logs in /var/log.

On Feb 16, 2007, at 3:58 PM, George Georgalis wrote:

> Hi all, not much list discussion, hope the meetings have been fun.
>
> One of the macs here was visiting Seattle this week and experienced an anomaly that is very suspicious of compromise. I'm going to start some forensics soon and was wondering if any tools could be suggested or if anyone can identify the behavior?
>
> This MacBook Pro has 2 GB RAM and runs XP in a Parallels virtual machine. The user is pretty sharp and I don't expect any services running or missing updates.
>
> While he was in the Mac environment (vs XP), on a wifi network, the mouse pointer moved to the upper left corner 'region' and became unmovable; the region then became animated (about a square inch), as if it were a TV with poor reception.
>
> The user was concerned about a wifi compromise but couldn't shut off the AirPort without the mouse, so he turned off the computer.
>
> He has since used the system and experienced nothing unusual. We have discussed the process of restoring files to a fresh install, which will probably happen if we cannot identify a cause. However, in any event we would like to identify the source of this anomaly.
>
> Any suggestions?
>
> // George
>
> --
> George Georgalis, systems architect, administrator <
> _______________________________________________
> macosx-unix mailing list
> macosx-unix@lesmuug.org
> http://beth.lesmuug.org/mailman/listinfo/macosx-unix

From george at galis.org Fri Feb 16 17:15:00 2007
From: george at galis.org (George Georgalis)
Date: Fri Feb 16 17:20:55 2007
Subject: [macosx-unix] Re: scanning a mac for compromise
In-Reply-To: <51A37947-FBB5-44C2-BCFE-9FC0F6577FF3@mac.com>
References: <20070216205850.GH24438@run.galis.org> <51A37947-FBB5-44C2-BCFE-9FC0F6577FF3@mac.com>
Message-ID: <20070216221500.GA29011@run.galis.org>

On Fri, Feb 16, 2007 at 04:41:17PM -0500, Peter Booth wrote:
>Which of the sharing options was enabled? Remote login? Was the XP VM running in the background? Presumably it's much easier to compromise.

I think they have a shared directory, doubt remote login on either OS. XP was running or sleeping (not sure) in the background.

>You can use last and XP eventvwr to check for remote logons to either OSX or XP at the time in question. It would be hard to leave no trace. Check all of the logs in /var/log.

Even if XP was fully compromised, you think there is a way to hit on the mac? It seems most likely this was a hardware glitch, but while I've heard of phish software to send home tiles of graphics near the cursor, I've never heard of a hard/soft/static/temp problem causing a "tile" of bus noise or whatever on the display. Maybe it was just temp changes getting the video card upset?

Any other non-intrusion hypothesis?

// George

>On Feb 16, 2007, at 3:58 PM, George Georgalis wrote:
>
>>Hi all, not much list discussion, hope the meetings have been fun.
>>
>>One of the macs here was visiting Seattle this week and experienced an anomaly that is very suspicious of compromise. I'm going to start some forensics soon and was wondering if any tools could be suggested or if anyone can identify the behavior?
>>
>>This MacBook Pro has 2 GB RAM and runs XP in a Parallels virtual machine. The user is pretty sharp and I don't expect any services running or missing updates.
>>
>>While he was in the Mac environment (vs XP), on a wifi network, the mouse pointer moved to the upper left corner 'region' and became unmovable; the region then became animated (about a square inch), as if it were a TV with poor reception.
>>
>>The user was concerned about a wifi compromise but couldn't shut off the AirPort without the mouse, so he turned off the computer.
>>
>>He has since used the system and experienced nothing unusual. We have discussed the process of restoring files to a fresh install, which will probably happen if we cannot identify a cause. However, in any event we would like to identify the source of this anomaly.
>>
>>Any suggestions?
>>
>>// George
>>

--
George Georgalis, systems architect, administrator <

From bob at redivi.com Fri Feb 16 17:37:58 2007
From: bob at redivi.com (Bob Ippolito)
Date: Fri Feb 16 17:41:59 2007
Subject: [macosx-unix] Re: scanning a mac for compromise
In-Reply-To: <20070216221500.GA29011@run.galis.org>
References: <20070216205850.GH24438@run.galis.org> <51A37947-FBB5-44C2-BCFE-9FC0F6577FF3@mac.com> <20070216221500.GA29011@run.galis.org>
Message-ID: <6a36e7290702161437l72f62f54y6e7a70a28f30830a@mail.gmail.com>

On 2/16/07, George Georgalis wrote:
> On Fri, Feb 16, 2007 at 04:41:17PM -0500, Peter Booth wrote:
> >Which of the sharing options was enabled? Remote login? Was the XP VM running in the background? Presumably it's much easier to compromise.
>
> I think they have a shared directory, doubt remote login on either OS. XP was running or sleeping (not sure) in the background.
>
> >You can use last and XP eventvwr to check for remote logons to either OSX or XP at the time in question. It would be hard to leave no trace.
> >Check all of the logs in /var/log.
>
> Even if XP was fully compromised, you think there is a way to hit on the mac? It seems most likely this was a hardware glitch, but while I've heard of phish software to send home tiles of graphics near the cursor, I've never heard of a hard/soft/static/temp problem causing a "tile" of bus noise or whatever on the display. Maybe it was just temp changes getting the video card upset?
>
> Any other non-intrusion hypothesis?

My bet is on driver bug or hardware glitch. You'd really have to go out of your way to screw with the cursor; I can't imagine an exploit would do that.

-bob

From peter_booth at mac.com Fri Feb 16 19:02:37 2007
From: peter_booth at mac.com (Peter Booth)
Date: Fri Feb 16 19:06:57 2007
Subject: [macosx-unix] Re: scanning a mac for compromise
In-Reply-To: <20070216221500.GA29011@run.galis.org>
References: <20070216205850.GH24438@run.galis.org> <51A37947-FBB5-44C2-BCFE-9FC0F6577FF3@mac.com> <20070216221500.GA29011@run.galis.org>
Message-ID:

I have seen bugs with graphic device drivers' DirectX implementation result in Swing apps not updating a tile of the screen or adding jaggy lines. Occam's razor would suggest it isn't an intruder.

On Feb 16, 2007, at 5:15 PM, George Georgalis wrote:

> On Fri, Feb 16, 2007 at 04:41:17PM -0500, Peter Booth wrote:
>> Which of the sharing options was enabled? Remote login? Was the XP VM running in the background? Presumably it's much easier to compromise.
>
> I think they have a shared directory, doubt remote login on either OS. XP was running or sleeping (not sure) in the background.
>
>> You can use last and XP eventvwr to check for remote logons to either OSX or XP at the time in question. It would be hard to leave no trace. Check all of the logs in /var/log.
>
> Even if XP was fully compromised, you think there is a way to hit on the mac?
> It seems most likely this was a hardware glitch, but while I've heard of phish software to send home tiles of graphics near the cursor, I've never heard of a hard/soft/static/temp problem causing a "tile" of bus noise or whatever on the display. Maybe it was just temp changes getting the video card upset?
>
> Any other non-intrusion hypothesis?
>
> // George
>
>> On Feb 16, 2007, at 3:58 PM, George Georgalis wrote:
>>
>>> Hi all, not much list discussion, hope the meetings have been fun.
>>>
>>> One of the macs here was visiting Seattle this week and experienced an anomaly that is very suspicious of compromise. I'm going to start some forensics soon and was wondering if any tools could be suggested or if anyone can identify the behavior?
>>>
>>> This MacBook Pro has 2 GB RAM and runs XP in a Parallels virtual machine. The user is pretty sharp and I don't expect any services running or missing updates.
>>>
>>> While he was in the Mac environment (vs XP), on a wifi network, the mouse pointer moved to the upper left corner 'region' and became unmovable; the region then became animated (about a square inch), as if it were a TV with poor reception.
>>>
>>> The user was concerned about a wifi compromise but couldn't shut off the AirPort without the mouse, so he turned off the computer.
>>>
>>> He has since used the system and experienced nothing unusual. We have discussed the process of restoring files to a fresh install, which will probably happen if we cannot identify a cause. However, in any event we would like to identify the source of this anomaly.
>>>
>>> Any suggestions?
>>>
>>> // George
>>>
>
> --
> George Georgalis, systems architect, administrator <
> _______________________________________________
> macosx-unix mailing list
> macosx-unix@lesmuug.org
> http://beth.lesmuug.org/mailman/listinfo/macosx-unix

From george at galis.org Sat Feb 17 11:13:53 2007
From: george at galis.org (George Georgalis)
Date: Sat Feb 17 11:19:52 2007
Subject: [macosx-unix] Re: Re: scanning a mac for compromise
In-Reply-To: <6a36e7290702161437l72f62f54y6e7a70a28f30830a@mail.gmail.com>
References: <20070216205850.GH24438@run.galis.org> <51A37947-FBB5-44C2-BCFE-9FC0F6577FF3@mac.com> <20070216221500.GA29011@run.galis.org> <6a36e7290702161437l72f62f54y6e7a70a28f30830a@mail.gmail.com>
Message-ID: <20070217161353.GG29011@run.galis.org>

On Fri, Feb 16, 2007 at 02:37:58PM -0800, Bob Ippolito wrote:
>On 2/16/07, George Georgalis wrote:
>>On Fri, Feb 16, 2007 at 04:41:17PM -0500, Peter Booth wrote:
>>>Which of the sharing options was enabled? Remote login? Was the XP VM running in the background? Presumably it's much easier to compromise.
>>
>>I think they have a shared directory, doubt remote login on either OS. XP was running or sleeping (not sure) in the background.
>>
>>>You can use last and XP eventvwr to check for remote logons to either OSX or XP at the time in question. It would be hard to leave no trace. Check all of the logs in /var/log.
>>
>>Even if XP was fully compromised, you think there is a way to hit on the mac? It seems most likely this was a hardware glitch, but while I've heard of phish software to send home tiles of graphics near the cursor, I've never heard of a hard/soft/static/temp problem causing a "tile" of bus noise or whatever on the display. Maybe it was just temp changes getting the video card upset?
>>
>>Any other non-intrusion hypothesis?
>
>My bet is on driver bug or hardware glitch. You'd really have to go out of your way to screw with the cursor; I can't imagine an exploit would do that.
Good point about the mouse. I've seen weird things in 'tiles' too, so I tend to favor the Occam's razor perspective. Especially considering this laptop has been sleeping through airports, x-rays, weather, hotel static etc.

Thanks for the feedback.

// George

--
George Georgalis, systems architect, administrator <

From pete at nomadlogic.org Thu Feb 22 13:22:14 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Thu Feb 22 13:23:04 2007
Subject: [macosx-unix] interesting fsck issue
Message-ID: <12460.160.33.20.11.1172168534.squirrel@webmail.nomadlogic.org>

hi all, i've got an issue when trying to run fsck on a corrupted root volume. here is the error message we are seeing:

invalid keylength during fsck in catalog check

we can boot into single user mode, but the fsck still fails with this issue. this disk is still seen, and it seems that the boot records are intact as we are still able to go to single user mode. has anyone seen anything similar to this? maestro google has not been too helpful...

thanks!

-pete

--
~~oO00Oo~~
Peter Wright
pete@nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From ber at lesmuug.org Thu Feb 22 14:01:01 2007
From: ber at lesmuug.org (Brian Redman)
Date: Thu Feb 22 14:01:18 2007
Subject: [macosx-unix] interesting fsck issue
In-Reply-To: <12460.160.33.20.11.1172168534.squirrel@webmail.nomadlogic.org>
References: <12460.160.33.20.11.1172168534.squirrel@webmail.nomadlogic.org>
Message-ID: <408B6C8B-3F07-47B3-A3DA-DB1BAFAD000D@lesmuug.org>

On Feb 22, 2007, at 1:22 PM, Peter Wright wrote:

> hi all, i've got an issue when trying to run fsck on a corrupted root volume. here is the error message we are seeing:
>
> invalid keylength during fsck in catalog check
>
> we can boot into single user mode, but the fsck still fails with this issue. this disk is still seen, and it seems that the boot records are intact as we are still able to go to single user mode. has anyone seen anything similar to this?
> maestro google has not been too helpful...
>
> thanks!
>
> -pete

Hello, Pete. I've had that error and if I remember correctly I used DiskWarrior to resolve it.

ber

From pete at nomadlogic.org Thu Feb 22 14:04:22 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Thu Feb 22 14:05:15 2007
Subject: [macosx-unix] interesting fsck issue
In-Reply-To: <408B6C8B-3F07-47B3-A3DA-DB1BAFAD000D@lesmuug.org>
References: <12460.160.33.20.11.1172168534.squirrel@webmail.nomadlogic.org> <408B6C8B-3F07-47B3-A3DA-DB1BAFAD000D@lesmuug.org>
Message-ID: <43294.160.33.20.11.1172171062.squirrel@webmail.nomadlogic.org>

>
> On Feb 22, 2007, at 1:22 PM, Peter Wright wrote:
>
>> hi all, i've got an issue when trying to run fsck on a corrupted root volume. here is the error message we are seeing:
>>
>> invalid keylength during fsck in catalog check
>>
>> we can boot into single user mode, but the fsck still fails with this issue. this disk is still seen, and it seems that the boot records are intact as we are still able to go to single user mode. has anyone seen anything similar to this? maestro google has not been too helpful...
>>
>> thanks!
>>
>> -pete
>
> Hello, Pete. I've had that error and if I remember correctly I used DiskWarrior to resolve it.
>
> ber
>

thanks ber, we'll give that a shot!

-pete

--
~~oO00Oo~~
Peter Wright
pete@nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459