[macosx-unix] scanning a mac for compromise

Peter Booth peter_booth at mac.com
Fri Feb 16 16:41:17 EST 2007


Which of the sharing options was enabled? Remote login? Was the XP
VM running in the background? Presumably it's much easier to compromise.

You can use last and XP eventvwr to check for remote logons to either
OS X or XP at the time in question. It would be hard to leave no
trace. Check all of the logs in /var/log.


On Feb 16, 2007, at 3:58 PM, George Georgalis wrote:

> Hi all, not much list discussion, hope the meetings have been fun.
>
>
> One of the macs here was visiting Seattle this week and
> experienced an anomaly that is very suspicious of compromise. I'm
> going to start some forensics soon and was wondering if any tools
> could be suggested or if anyone can identify the behavior?
>
> This MacBook Pro has 2 GB RAM and runs XP in a Parallels virtual
> machine. The user is pretty sharp and I don't expect any services
> running or missing updates.
>
> While he was in the Mac environment (vs XP), on a wifi network,
> the mouse pointer moved to the upper left corner 'region' and
> became unmovable; the region then became animated (about a square
> inch), as if it were a TV with poor reception.
>
> The user was concerned about a wifi compromise but couldn't
> shut off the AirPort without the mouse, so he turned off the
> computer.
>
> He has since used the system and experienced nothing unusual.
> We have discussed the process of restoring files to a fresh
> install, which will probably happen if we cannot identify
> a cause. However, in any event we would like to identify
> the source of this anomaly.
>
> Any suggestions?
>
> // George
>
>
> -- 
> George Georgalis, systems architect, administrator <IXOYE><
> _______________________________________________
> macosx-unix mailing list
> macosx-unix at lesmuug.org
> http://beth.lesmuug.org/mailman/listinfo/macosx-unix
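Peter's suggestion of checking last and /var/log for remote logons at the time in question, as an added Python triage helper that is not part of this thread: it pulls sessions with a remote host out of `last` output, keeps those that began inside a time window, and extracts accepted sshd logins from secure.log lines. The sample `last` output, the log lines, the 192.0.2.0/24 hosts and the time window are all constructed assumptions.

```python
import re
from datetime import datetime

# `last` prints: user, tty, optional remote host, then a weekday-led timestamp.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<when>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} +\d{1,2} \d{2}:\d{2})"
)
# OpenSSH success line as written to /var/log/secure.log.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+)"
)

def remote_logins(last_output, year, start, end):
    """Sessions that came in from a remote host and began inside [start, end].
    `last` omits the year, so the caller supplies it."""
    hits = []
    for line in last_output.splitlines():
        m = LAST_RE.match(line)
        if not m or not m.group("host"):
            continue  # console/local session, reboot marker, or unparsable line
        when = datetime.strptime(f"{year} {m['when']}", "%Y %a %b %d %H:%M")
        if start <= when <= end:
            hits.append((m["user"], m["tty"], m["host"], when))
    return hits

def sshd_accepted(log_text):
    """(timestamp, user, host, auth method) for every accepted sshd login."""
    return [(m["ts"], m["user"], m["host"], m["method"])
            for m in map(SSHD_RE.match, log_text.splitlines()) if m]

# Constructed sample data; 192.0.2.0/24 is a documentation range, not a real host.
SAMPLE_LAST = """\
george   ttyp1    192.0.2.44       Wed Feb 14 21:03 - 21:17  (00:14)
george   console                   Wed Feb 14 09:12   still logged in
george   ttyp0    192.0.2.44       Wed Feb 14 20:58 - 20:59  (00:01)
reboot   ~                         Wed Feb 14 09:10
"""
SAMPLE_SECURE_LOG = """\
Feb 14 20:58:02 macbook sshd[512]: Accepted password for george from 192.0.2.44 port 51234 ssh2
Feb 14 21:03:40 macbook sshd[530]: Accepted password for george from 192.0.2.44 port 51301 ssh2
Feb 14 21:05:11 macbook sshd[544]: Failed password for root from 192.0.2.44 port 51310 ssh2
"""
# The "time in question": an assumed evening window around the anomaly.
WINDOW = (datetime(2007, 2, 14, 20, 0), datetime(2007, 2, 14, 22, 0))

if __name__ == "__main__":
    print(remote_logins(SAMPLE_LAST, 2007, *WINDOW))
    print(sshd_accepted(SAMPLE_SECURE_LOG))
```

Run it against the real output of `last` and the contents of /var/log/secure.log to see whether any remote session overlaps the incident; the console session and the reboot marker are deliberately ignored.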
