New Hack Can Access Your Mac's Passwords: What to Do Now

verndewd

Distinguished
Mar 27, 2009
39
1
18,595
1
no solution? i mean there is but you didnt offer one anyway i DO have a solution first is the nsa guidelines on mac use https://www.tenable.com/blog/hardening-os-x-using-the-nsa-guidelines second, is learning some terminal commands and installing powerful security programs

dscl . list /Users | grep -v "_\|nobody\|root\|daemon"
finds any hidden accounts use this after the next command

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
disallows hidden accounts to be hidden

defaults read /Library/Preferences/com.apple.loginwindow
Login window data

tail -F /var/log/system.log
follows everything the system is doing, This is how i found the recent google zero day exploit before google did. And it was a brash assumption based on resources and google update timing.

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef
shows running kexts programs

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
shows launch demons
  • sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
  • turns remote access off at boot
sudo ifconfig en0 ether openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' server usage not osx
essentially an ipconfig type command that reveals local information
Here are your port informations
Well Known Ports: 0 through 1023.

Registered Ports: 1024 through 49151.

Dynamic/Private : 49152 through 65535.



sudo nmap -sV -Pn --script=http-malware-host 192.168.0.x (your IP address)
incorrect osx usage some reading required


sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
DNS flush

launchctl list |grep mdworker
reveals mdns data
. You need to do insane amounts of research on these. but in the end sudo tcpdump -n -p -s is most all of what you need to know youre being hacked..
I havent added a wireshark part to my regimen yet but you should.

Then you need a mac os firewall front end, any decent one isnt a fire wall you dont need a literal fire wall you need control over the power of the unix framework behind osx.
murus, icefloor and little snitch.
icefloor is said to be good but murus is said to be better, I tried little snitch and was impressed. But the general consensus is murus is better. Little snitch does geo location, but with hackers thats useless.
Nmap is too powerful you can get in serious trouble using it the wrong way as hackers use it for brute force attacks and ddos. But Nmap can reveal massive amounts on your local network.
http://macappstore.org/?s=nmap
By far the simplest and easiest thing to do is the NSA guidelines and use Murus. Murus will cost you a few weeks but the stuff ive posted was an effort made in a couple years. Especially with nmap.

after all this reset your passwords

Note: I purposefully used unix server code on some of these to force people to research
 
Last edited:

verndewd

Distinguished
Mar 27, 2009
39
1
18,595
1
My murus profile . everything filtered or and the adaptive port blocking has added over 280 blocked private dynamic ports AND you can run tcpdump from murus.
 

verndewd

Distinguished
Mar 27, 2009
39
1
18,595
1
185.87.26.121. Ideal hosting in turkey. By now i probably have several gigs of these port attacks after beginning my monitoring at 3:30 AM this and a 52 or 54.x.x.x. My machine is under attack BUT when i hear the fans start up I input this:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off

This generally works to cut out any foot hold they may have gained, I am also behind a hotspot with added security, which really isnt all that helpful but its one step added for them to get through. Next step is a VPN which i am reluctant to do but probably will.

Im not even exaggerating about this servers assault on my ports, at this point its probably tens of thousands of logs from the same IP. i thin my hot spot and fire tab are compromised as they are on the murus firewall logs as blocked incoming. But it worked for a day to mitigate attacks, using my set top box as a stage between my router in hotspot mode. :)

I also monitor every web session with tcpdump, opensnoop and tail syslogs. At this point Murus adaptive port blocking is up to 250 private dynamic ports.

11:06:51.264841 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805495142:3805496582, ack 574178429, win 130, options [nop,nop,TS val 1918025634 ecr 896006630], length 1440: HTTP


11:06:51.265301 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805496582:3805498022, ack 574178429, win 130, options [nop,nop,TS val 1918025634 ecr 896006630], length 1440: HTTP


11:06:51.265358 IP 192.168.43.208.58350 > 185.87.26.121.80: Flags [.], ack 3805498022, win 609, options [nop,nop,TS val 896006845 ecr 1918025634], length 0


11:06:51.269811 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805498022:3805499462, ack 574178429, win 130, options [nop,nop,TS val 1918025634 ecr 896006630], length 1440: HTTP


11:06:51.269819 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805499462:3805500902, ack 574178429, win 130, options [nop,nop,TS val 1918025634 ecr 896006630], length 1440: HTTP


11:06:51.269821 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805500902:3805502342, ack 574178429, win 130, options [nop,nop,TS val 1918025634 ecr 896006630], length 1440: HTTP


11:06:51.269823 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805502342:3805503782, ack 574178429, win 130, options [nop,nop,TS val 1918025634 ecr 896006630], length 1440: HTTP


11:06:51.269826 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805503782:3805505222, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.269828 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805505222:3805506662, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.269830 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805506662:3805508102, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.269928 IP 192.168.43.208.58350 > 185.87.26.121.80: Flags [.], ack 3805500902, win 519, options [nop,nop,TS val 896006849 ecr 1918025634], length 0


11:06:51.269960 IP 192.168.43.208.58350 > 185.87.26.121.80: Flags [.], ack 3805503782, win 429, options [nop,nop,TS val 896006849 ecr 1918025634], length 0


11:06:51.269992 IP 192.168.43.208.58350 > 185.87.26.121.80: Flags [.], ack 3805506662, win 339, options [nop,nop,TS val 896006849 ecr 1918025635], length 0


11:06:51.270297 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805508102:3805509542, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.270350 IP 192.168.43.208.58350 > 185.87.26.121.80: Flags [.], ack 3805509542, win 249, options [nop,nop,TS val 896006849 ecr 1918025635], length 0


11:06:51.270755 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805509542:3805510982, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.271229 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805510982:3805512422, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.271268 IP 192.168.43.208.58350 > 185.87.26.121.80: Flags [.], ack 3805512422, win 159, options [nop,nop,TS val 896006850 ecr 1918025635], length 0


11:06:51.271701 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805512422:3805513862, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP


11:06:51.272174 IP 185.87.26.121.80 > 192.168.43.208.58350: Flags [.], seq 3805513862:3805515302, ack 574178429, win 130, options [nop,nop,TS val 1918025635 ecr 896006632], length 1440: HTTP
 
Last edited:

verndewd

Distinguished
Mar 27, 2009
39
1
18,595
1
sudo diskutil resetUserPermissions / id -u
System wide permissions reset

ps -A | grep Remote
Gather remote session info




killall "Remote Desktop"
Kill remote desktop



sudo launchctl unload /System/Library/LaunchDaemons/com.apple.screensharing.plist
Kill screen sharing Out put should be service not foundon both the above commands.


ls -la /Users
System wide users info



dscacheutil -q group

Group info



dscl . list /Groups GroupMembership
Members of groups




sudo fs_usage | grep dev
File system usage in the dev folder



sudo fs_usage -f network
File system use on the network
Both are live logs
 
Thread starter Similar threads Forum Replies Date
L MacBooks 1
S MacBooks 1
farzin680 MacBooks 0
T MacBooks 0
M MacBooks 3
2 MacBooks 1
S MacBooks 11
P MacBooks 4
G MacBooks 0
PhilipMichaels MacBooks 0
L MacBooks 2
C MacBooks 0
B MacBooks 5
I MacBooks 1
B MacBooks 3
G MacBooks 0
R MacBooks 3
J MacBooks 4
S MacBooks 1
A MacBooks 0

Similar threads


ASK THE COMMUNITY

TRENDING THREADS