Munix hacked? Valid files for install of Leopard?

[ElDiabloConCaca]

Quote:

Originally Posted by HelloMac

Re: Terminal - that's the point. NO ONE was supposed to be using terminal.

If your system is booted and the Login window is being displayed, then yes, a "Terminal session" of sorts is running.

Here's some output from my system log, and my system has not ever been compromised:

Code:

exception:\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace:  0x3719a  0x915f60fb  0x962e102b  0x962e106a  0x95e2d3df  0x95dab218  0x70568  0x70da7  0x5a451  0x6e825  0x62549  0x6e7bc  0x6744e  0x77165  0xd648  0x12c40  0x129f3  0xd18a  0x95dea4d3  0x96243555  0x96267921  0x96267d18  0x94ba56a0  0x94ba54b9  0x94ba532d  0x940c67d9  0x940c608e  0x940bf0c5  0x10fc7  0x202a  0x1

May 22 07:43:04 Pipsqueak com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[28920]): Exited: Terminated
May 22 08:54:59 Pipsqueak /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[29938]: Login Window Application Started
May 22 08:55:01 Pipsqueak loginwindow[29938]: Login Window Started Security Agent
May 22 10:14:01 Pipsqueak loginwindow[29938]: Login Window - Returned from Security Agent
May 22 10:14:01 Pipsqueak com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[29947]): Exited: Terminated
May 22 11:28:44 Pipsqueak loginwindow[28916]: DEAD_PROCESS: 0 console
May 22 11:28:44 Pipsqueak loginwindow[28916]: CGSShutdownServerConnections: Detaching application from window server

I think what you're seeing is perfectly normal, in my opinion. Even though no one is physically logged in as "root," some processes will run as root, like fileservers and vnc servers and what-not.

[HelloMac]

Not a WoW player. Just aware that it's out there. And I do not trade gold online or off.

[HelloMac]

Two additional issues that I noticed yesterday when on the machine.

On Tuesday night I stopped poking around on the machine at 10:30pm. Shut it down. Not sleep, but shut down. Prior to shut down I put Ethernet, Firewire, Bluetooth and Airport services in "Inactive". The ethernet cable continued to be disconnected from the machine.

Upon turning the machine back on on Wednesday afternoon I noticed that my "Library" folder indicated serveral files had been modified at 12:25am that morning. The files are all related to user id information in the application support area. I had physical control of the machine at that time and know for certain that neither I or my wife turned on the box or connected a cable to it. The power cord was still plugged in, but the machine did not show any sign of waking up - at least not turning on the screen.

In the power options I have it set to not wake on Ethernet/Lan and to not respond to wake up on Bluetooth.

So how did those files get modified to reflect a time 2 1/2 hours after I shut down the machine?

I was awake at that time and was using my iPhone to read email, etc. This iPhone and iMac have been paired via bluetooth in the past. I know the iPhone isn't setup to do anything with the mac, but I tried it anyway and succesfully paired them together. I had since deleted any pairing, but wonder if somehow I have a process running in the background on the iPhone that lets the machines talk to each other and connect over the AT&T Edge network? If I have odd stuff happening on the mac and have synced the phone with the mac through iTunes I wonder if I've put some file on the iPhone that doesn't belong?


The other:
I turned on the machine last night and upon login I noticed that my network preferences pane had the little lock symbol "unlocked" and options had changedincluding "disconnect upon logout". In the file sharing preference pain the "everyone" group had been re-enabled for access vs. my previous setting to deny access.

There's no way I mistakenly left those preferences changed like that or left the little lock unlocked. I'm paying way too much ettention to every detail at this point. I locked it back down.

I've enable the verbose display on start up and shut down and have noticed when logging out and shutting down the net and home volumes fail to dismount everytime.

I now unplug the electricity from the machine after shut down.


I haven't turned it on today but will look at that again tonight.

[Giaguara]

KDC and NTPD are normal. Kerberos and network time...
Are those automator scripts set on startup?

[HelloMac]

The scripts were set for startup. Not by me. I've since deleted.

[ElDiabloConCaca]

Does anyone else have physical access to the machine?

[HelloMac]

The only other person with physical access is my wife, but she only knows how to turn it on and use applications.

I've had another thought about this...

Is it possible that when I'm logged into my account that I'm actually interacting with the computer within a virtual machine environment?

Here's whay I ask...

When logging in from the initial screen that is set up for me to type in my user name and pass word the screen will accept my information and then briefly display the login screen that has my account picture. As if it was passing through the credentials and then logs in.

If I enter Terminal and examine the file and folder list from / , I cannot get into any folder except /user. If I cd vol or cd bin and then type pwd, it always shows that I've been put into the /user folder. It appears that all my folders are aliases.

When I log out Finder goes through the process but istead of a smooth visual transition back to the log in screen, my screen fades to black, hold there a half second of so and then the default desktop picture pops onto the screen with the login boxes. Sometimes during that little blip of black screen I can see a solid white cursor in the top left hand corner of the screen.

Whenever I shut down the machine I see an error that /home and /net volumes fail to dismount.

[Viro]

Oooh, could be a root kit.

In the terminal, can you do echo $PATH and see what that says?