[macosx-unix] Re: scanning a mac for compromise

George Georgalis george at galis.org
Fri Feb 16 17:15:00 EST 2007


On Fri, Feb 16, 2007 at 04:41:17PM -0500, Peter Booth wrote:
>Which of the sharing options was enabled? Remote login? Was the XP
>VM running in the background? Presumably it's much easier to compromise.

I think they have a shared directory, doubt remote login on either
OS.  XP was running or sleeping (not sure) in the background.


>You can use last and XP eventvwr to check for remote logons to either
>OS X or XP at the time in question. It would be hard to leave no
>trace. Check all of the logs in /var/log

Even if XP was fully compromised, you think there is a way to hit
on the mac? It seems most likely this was a hardware glitch, but
while I've heard of phish software that sends home tiles of graphics
near the cursor, I've never heard of a hard/soft/static/temp problem
causing a "tile" of bus noise or whatever on the display. Maybe
it was just temp changes getting the video card upset?

Any other non-intrusion hypothesis?

// George



>On Feb 16, 2007, at 3:58 PM, George Georgalis wrote:
>
>>Hi all, not much list discussion, hope the meetings have been fun.
>>
>>
>>One of the macs here was visiting Seattle this week and
>>experienced an anomaly that is very suspicious of compromise. I'm
>>going to start some forensics soon and was wondering if any tools
>>could be suggested or if anyone can identify the behavior?
>>
>>This MacBook Pro has 2 GB of RAM and runs XP in a Parallels virtual
>>machine. The user is pretty sharp and I don't expect any services
>>running or missing updates.
>>
>>While he was in the Mac environment (vs XP), on a wifi network,
>>the mouse pointer moved to the upper left corner 'region' and
>>became unmovable; the region then became animated (about a square
>>inch), as if it were a TV with poor reception.
>>
>>The user was concerned about a wifi compromise but couldn't
>>shut off the AirPort without the mouse, so he turned off the
>>computer.
>>
>>He has since used the system and experienced nothing unusual.
>>We have discussed the process of restoring files to a fresh
>>install, which will probably happen if we cannot identify
>>a cause. However, in any event we would like to identify
>>the source of this anomaly.
>>
>>Any suggestions?
>>
>>// George
>>


-- 
George Georgalis, systems architect, administrator <IXOYE><
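Peter's suggestion to check `last` and the logs for remote logons at the time in question, worked through as an added example that is not part of this thread. It assumes BSD-style `last` columns (user, tty, optional host, date) and sshd "Accepted" lines of the kind OS X writes to secure.log; both inputs below are constructed samples, and the `remote_logins` and `ssh_sources` function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: filter `last` output and an sshd
# log for remote sessions on a given day.
# Assumed inputs: BSD-style `last` columns (user tty [host] date ...)
# and sshd "Accepted ..." lines as written to an OS X secure.log.

# Constructed sample `last` output: one ssh session from 10.0.0.77, a
# local Terminal session (empty host column), a console login, a
# session from localhost, and the reboot/shutdown pseudo-entries.
SAMPLE_LAST='alice     ttys001   10.0.0.77        Fri Feb 16 14:02 - 14:31  (00:29)
alice     ttys000                    Fri Feb 16 10:15 - 10:40  (00:25)
alice     console                    Fri Feb 16 09:10   still logged in
reboot    ~                          Fri Feb 16 09:08
alice     ttys000   localhost        Thu Feb 15 22:11 - 22:15  (00:04)
shutdown  ~                          Thu Feb 15 21:50'

# Constructed sample secure.log lines (one accepted ssh login).
SAMPLE_SECURE='Feb 16 14:02:10 mbp sshd[412]: Accepted password for alice from 10.0.0.77 port 51022 ssh2
Feb 16 10:15:03 mbp loginwindow[88]: Login Window Started Security Agent
Feb 16 14:31:44 mbp sshd[412]: Received disconnect from 10.0.0.77'

# remote_logins DAY  (reads `last` output on stdin)
# A record carries a host only when the weekday lands in column 4; the
# console line and the empty-host Terminal line put it in column 3,
# and reboot/shutdown rows have "~" instead of a tty, so they drop out.
remote_logins() {
    awk -v day="$1" '
        $2 ~ /^tty/ && $4 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ &&
        $3 != "localhost" && index($0, day) { print }'
}

# ssh_sources DAY  (reads an sshd log on stdin): the source address of
# every accepted ssh login on that day, one per line, de-duplicated.
ssh_sources() {
    awk -v day="$1" '
        index($0, day) == 1 && /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }' | sort -u
}

# Demo on the constructed data. On the laptop itself this would be
#   last | remote_logins "Feb 16"
#   ssh_sources "Feb 16" < /var/log/secure.log
printf '%s\n' "$SAMPLE_LAST"   | remote_logins "Feb 16"
printf '%s\n' "$SAMPLE_SECURE" | ssh_sources   "Feb 16"
```

Anything `remote_logins` prints that the user cannot account for is worth cross-checking against the sshd lines, since a login that appears in one but not the other is itself suspicious.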