[macosx-unix] scanning a mac for compromise
George Georgalis
george at galis.org
Fri Feb 16 15:58:50 EST 2007

Hi all, not much list discussion, hope the meetings have been fun.

One of the macs here was visiting Seattle this week and
experienced an anomaly that is very suspicious of compromise. I'm
going to start some forensics soon and was wondering if any tools
could be suggested or if anyone can identify the behavior?

This MacBook Pro has 2 Gb ram and runs XP in Parallels virtual
machine. The user is pretty sharp and I don't expect any services
running or missing updates.

While he was in the Mac environment (vs XP), on a wifi network,
the mouse pointer moved to the upper left corner 'region' and
became unmovable, the region then became animated (about a square
inch), as if it were a TV with poor reception.

The user was concerned about a wifi compromise but couldn't
shut off the AirPort without the mouse, so he turned off the
computer.

He has since used the system and experienced nothing unusual.

We have discussed the process of restoring files to a fresh
install, which will probably happen if we cannot identify
a cause. However, in any event we would like to identify
the source of this anomaly.

Any suggestions?

// George
--
George Georgalis, systems architect, administrator <IXOYE><