[macosx-unix] Re: scanning a mac for compromise

Peter Booth peter_booth at mac.com
Fri Feb 16 19:02:37 EST 2007


I have seen bugs with graphic device drivers' DirectX implementation  
result in Swing apps not updating a tile of the screen or adding  
jaggy lines. Occam's razor would suggest it isn't an intruder.

On Feb 16, 2007, at 5:15 PM, George Georgalis wrote:

> On Fri, Feb 16, 2007 at 04:41:17PM -0500, Peter Booth wrote:
>> Which of the sharing options was enabled? Remote login? Was the XP
>> VM running in the background? Presumably it's much easier to  
>> compromise.
>
> I think they have a shared directory, doubt remote login on either
> OS.  XP was running or sleeping (not sure) in the background.
>
>
>> You can use last and XP eventvwr to check for remote logons to either
>> OSX or XP at the time in question. It would be hard to leave no
>> trace. Check all of the logs in /var/log
>
> Even if XP was fully compromised, you think there is a way to hit
> on the mac? It seems most likely this was a hardware glitch but
> while I've heard of phish software to send home tiles of graphic
> near the cursor, I've never heard of hard/soft/static/temp problem
> to cause a "tile" of bus noise or whatever on the display. Maybe
> it was just temp changes getting the video card upset?
>
> Any other non-intrusion hypothesis?
>
> // George
>
>
>
>> On Feb 16, 2007, at 3:58 PM, George Georgalis wrote:
>>
>>> Hi all, not much list discussion, hope the meetings have been fun.
>>>
>>>
>>> One of the macs here was visiting Seattle this week and
>>> experienced an anomaly that is very suspicious of compromise. I'm
>>> going to start some forensics soon and was wondering if any tools
>>> could be suggested or if anyone can identify the behavior?
>>>
>>> This MacBook Pro has 2 GB RAM and runs XP in a Parallels virtual
>>> machine. The user is pretty sharp and I don't expect any services
>>> running or missing updates.
>>>
>>> While he was in the Mac environment (vs XP), on a wifi network,
>>> the mouse pointer moved to the upper left corner 'region' and
>>> became unmovable, the region then became animated (about a square
>>> inch), as if it were a TV with poor reception.
>>>
>>> The user was concerned about a wifi compromise but couldn't
>>> shut off the AirPort without the mouse, so he turned off the
>>> computer.
>>>
>>> He has since used the system and experienced nothing unusual.
>>> We have discussed the process of restoring files to a fresh
>>> install. Which will probably happen if we cannot identify
>>> a cause. However, in any event we would like to identify
>>> the source of this anomaly.
>>>
>>> any suggestions?
>>>
>>> // George
>>>
>
>
> -- 
> George Georgalis, systems architect, administrator <IXOYE><
> _______________________________________________
> macosx-unix mailing list
> macosx-unix at lesmuug.org
> http://beth.lesmuug.org/mailman/listinfo/macosx-unix
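Peter's suggestion of using `last` to check for remote logons at the time in question, written out as an added example that is not part of this thread: it parses BSD/macOS-style `last` output (the sample below is constructed, not from the affected laptop) and lists sessions that came from a remote host and were active within a window around a given time. `last` prints no year, so the year passed in is an assumption the caller supplies; on a laptop with Remote Login off, any hit deserves an explanation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of BSD/macOS `last` output; not taken from the thread.
SAMPLE_LAST = """\
george   ttys001  10.0.0.7         Fri Feb 16 16:40   still logged in
george   ttys000                   Fri Feb 16 15:58 - 16:20  (00:22)
george   console                   Fri Feb 16 09:12 - 17:15  (08:03)
reboot   ~                         Fri Feb 16 09:10
shutdown ~                         Thu Feb 15 23:05
"""

DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def parse_last(text, year):
    """Parse `last` output into session dicts. `last` omits the year, so the
    caller supplies it (assumption). Sessions still open, or ended by a
    shutdown/crash, get end=None and are treated as still active."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] in ("reboot", "shutdown", "wtmp"):
            continue  # pseudo-entries and blank/summary lines
        user, tty = tok[0], tok[1]
        host = None if tok[2] in DAYS else tok[2]   # local sessions have no host column
        i = 2 if host is None else 3                # index of the weekday token
        start = datetime.strptime(" ".join(tok[i + 1:i + 4]) + f" {year}", "%b %d %H:%M %Y")
        end = None
        if len(tok) > i + 5 and tok[i + 4] == "-" and re.fullmatch(r"\d\d:\d\d", tok[i + 5]):
            h, m = map(int, tok[i + 5].split(":"))
            end = start.replace(hour=h, minute=m)
            if end < start:                         # session crossed midnight
                end += timedelta(days=1)
        sessions.append({"user": user, "tty": tty, "host": host, "start": start, "end": end})
    return sessions


def remote_logins_around(text, when, year, window_hours=1):
    """Remote-host sessions overlapping [when - window, when + window].
    `when` is in `last` style, e.g. "Feb 16 17:00", interpreted in `year`."""
    when_dt = datetime.strptime(f"{when} {year}", "%b %d %H:%M %Y")
    lo, hi = when_dt - timedelta(hours=window_hours), when_dt + timedelta(hours=window_hours)
    hits = []
    for s in parse_last(text, year):
        if s["host"] is None:
            continue                                # console / local terminal
        end = s["end"] or datetime.max
        if s["start"] <= hi and end >= lo:
            hits.append((s["user"], s["tty"], s["host"], s["start"].strftime("%b %d %H:%M")))
    return hits
```

Feed it the real output with `subprocess.run(["last"], capture_output=True, text=True).stdout`, and compare what it reports against /var/log and the XP Event Viewer for the same window, as Peter suggests.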


