dscl . list /Users | grep -v "_\|nobody\|root\|daemon"
Finds any hidden accounts; use this after the next command.
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
Disallows hidden accounts from being hidden.
defaults read /Library/Preferences/com.apple.loginwindow
Login window data
tail -F /var/log/system.log
Follows everything the system is doing. This is how I found the recent Google zero-day exploit before Google did. And it was a brash assumption based on resources and Google update timing.
sudo ifconfig en0 ether openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' server usage not osx
Essentially an ipconfig-type command that reveals local information.
Here is your port information:
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private Ports: 49152 through 65535.
sudo nmap -sV -Pn --script=http-malware-host 192.168.0.x (your IP address)
Incorrect OS X usage; some reading required.
sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
launchctl list |grep mdworker
Reveals mDNS data.
You need to do insane amounts of research on these, but in the end sudo tcpdump -n -p -s is most all of what you need to know you're being hacked.
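As an added example (not part of the original post, and not tied to any particular tool mentioned in it), here is a small Python script that does the defender's half of the tcpdump monitoring described above: it parses lines in the default `tcpdump -n` text format, keeps only inbound SYN-only packets, buckets each destination port into the three IANA ranges listed earlier in the post, and flags any source that has probed at least a threshold number of distinct ports, which is the signature of the kind of port sweep the post describes. The sample capture lines are constructed for this example using RFC 5737 documentation addresses, and the threshold of five ports is an arbitrary assumption you would tune for your own network.

```python
import re
from collections import defaultdict

# Matches the "HH:MM:SS.usec IP src.port > dst.port: Flags [..]" prefix that
# `tcpdump -n` prints for TCP packets (assumption: default text output format).
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: one external host sweeping six ports, one normal
# local connection with its SYN-ACK reply, and one ARP line that is not TCP.
SAMPLE_CAPTURE = """\
03:30:01.000001 IP 203.0.113.7.40001 > 192.168.0.5.22: Flags [S], seq 1, win 1024, length 0
03:30:01.000002 IP 203.0.113.7.40002 > 192.168.0.5.80: Flags [S], seq 1, win 1024, length 0
03:30:01.000003 IP 203.0.113.7.40003 > 192.168.0.5.443: Flags [S], seq 1, win 1024, length 0
03:30:01.000004 IP 203.0.113.7.40004 > 192.168.0.5.3389: Flags [S], seq 1, win 1024, length 0
03:30:01.000005 IP 203.0.113.7.40005 > 192.168.0.5.5900: Flags [S], seq 1, win 1024, length 0
03:30:01.000006 IP 203.0.113.7.40006 > 192.168.0.5.51000: Flags [S], seq 1, win 1024, length 0
03:30:02.000001 IP 192.168.0.5.55000 > 192.168.0.1.22: Flags [S], seq 9, win 65535, length 0
03:30:02.000002 IP 192.168.0.1.22 > 192.168.0.5.55000: Flags [S.], seq 5, ack 10, win 65535, length 0
03:30:02.000003 ARP, Request who-has 192.168.0.5 tell 192.168.0.1, length 28
"""


def port_class(port):
    """Classify a port using the IANA ranges quoted in the post."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"port out of range: {port}")


def parse_line(line):
    """Return the TCP fields of one tcpdump line, or None for non-TCP lines."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def summarize(lines, threshold=5):
    """Per source IP: count bare SYNs, distinct target ports, and flag sweeps.

    Only packets whose flags are exactly "S" (a new connection attempt) are
    counted; SYN-ACK replies ("S.") and established traffic are ignored.
    """
    ports_by_src = defaultdict(set)
    syn_count = defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        ports_by_src[pkt["src"]].add(pkt["dport"])
        syn_count[pkt["src"]] += 1

    report = {}
    for src, ports in ports_by_src.items():
        report[src] = {
            "syn_packets": syn_count[src],
            "distinct_ports": len(ports),
            "port_classes": sorted({port_class(p) for p in ports}),
            "suspected_scan": len(ports) >= threshold,
        }
    return report


if __name__ == "__main__":
    # In practice feed this with: sudo tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0' | python3 this_script.py
    for src, info in summarize(SAMPLE_CAPTURE.splitlines()).items():
        flag = "SUSPECTED SCAN" if info["suspected_scan"] else "ok"
        print(f"{src:16} syn={info['syn_packets']:4} ports={info['distinct_ports']:4} "
              f"classes={','.join(info['port_classes'])} -> {flag}")
```

Run as-is it reports the constructed 203.0.113.7 host as a suspected scan across all three port classes and the local 192.168.0.5 host as ordinary traffic; the 192.168.0.1 reply never appears because SYN-ACKs are not counted. Piping live `tcpdump -n -l` output into `summarize` over a sliding window turns this into the same "tens of thousands of hits from one IP" signal the post describes, without needing the firewall front end to tell you.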
I haven't added a Wireshark part to my regimen yet, but you should.
Then you need a Mac OS firewall front end. Any decent one isn't a firewall; you don't need a literal firewall, you need control over the power of the Unix framework behind OS X.
Murus, IceFloor and Little Snitch.
IceFloor is said to be good but Murus is said to be better. I tried Little Snitch and was impressed, but the general consensus is Murus is better. Little Snitch does geolocation, but with hackers that's useless.
Nmap is too powerful; you can get in serious trouble using it the wrong way, as hackers use it for brute force attacks and DDoS. But Nmap can reveal massive amounts on your local network. http://macappstore.org/?s=nmap
By far the simplest and easiest thing to do is the NSA guidelines and use Murus. Murus will cost you a few weeks, but the stuff I've posted was an effort made in a couple years, especially with Nmap.
After all this, reset your passwords.
Note: I purposefully used Unix server code on some of these to force people to research.
220.127.116.11. Ideal hosting in Turkey. By now I probably have several gigs of these port attacks after beginning my monitoring at 3:30 AM, this and a 52 or 54.x.x.x. My machine is under attack, BUT when I hear the fans start up I input this:
This generally works to cut out any foothold they may have gained. I am also behind a hotspot with added security, which really isn't all that helpful, but it's one step added for them to get through. Next step is a VPN, which I am reluctant to do but probably will.
I'm not even exaggerating about this server's assault on my ports; at this point it's probably tens of thousands of logs from the same IP. I think my hotspot and Fire tab are compromised, as they are on the Murus firewall logs as blocked incoming. But it worked for a day to mitigate attacks, using my set-top box as a stage between my router in hotspot mode.
I also monitor every web session with tcpdump, opensnoop and tail syslogs. At this point Murus adaptive port blocking is up to 250 private dynamic ports.