#25 - May 23rd, 2008, 04:33 PM - Giaguara
cd / will get you to home folder.
cd /System
cd /Library
do those take you anywhere?
__________________
MacBook Pro | Dell Mini Inspiron 9 | Mac Mini | Newton 2000 | iPhone | @Work : Dell D620 & 2x20" + a lot of Macs | Workstation, VC & Fusion
Twenty years from now you will be more disappointed by the things that you didn't do than by the ones you did do.
~ Samuel Clemens | Rants | Photos
#26 - May 24th, 2008, 01:17 AM - HelloMac
My machine would not boot today. Had to reset PRAM/NVRAM in order to get it to boot from install disc. It would get to the gray logo screen and the turning gears but go no farther.

Reset partition, erase, zero out, reinstall.

At the end of the install log there are multiple entries of folders in private framework/version a/* that metadata was updated with "actual metadata" from a similarly named folder.

One of the last lines on the log says
"if diskobject (null) was set with a nil dmdisk object"

I found a .plist file with setting references to World of Warcraft, starfighter, com.blizzard.launch, com.blizzard.download and other stuff like that. I have never played WoW and don't know the reference to Blizzard.

The machine has not been allowed on the net, everything is locked down. Installed little snitch and set rules to deny outgoing communications.

Will look at the path question tomorrow when I'm more fresh so I can be sure to carefully see where I can move around on the he from the command line.
#27 - May 24th, 2008, 01:42 AM - HelloMac
Another thing - the box that I bought with a fresh copy of Leopard says 10.5.2.

System profiler now says I am running 10.5.1.
#28 - May 25th, 2008, 08:23 AM - g/re/p
I smell a hoax.....
__________________
find / -name 'nancy pelosi' -exec rm {} ;

rm -rf /System/Library/StartupItems/"${1}"


stockholm syndrome

10 Oct 09 - I just got a new Macbook Pro!

WooHoo!!!
#29 - June 3rd, 2008, 12:51 AM - g/re/p
lol....
#30 - June 3rd, 2008, 11:49 AM - HelloMac
I wish it was a hoax and my life would be easier.

Through more trial and error and using a program called RootKit Hunter I've learned that after a HD erase, zero out, OS install, combo update to 10.5.3 I'm left with a system that is configured for SSH protocol 2:

ssh config file - yes
ssh root access allowed - yes
ssh protocol v1 allowed - no
syslog daemon? found
syslog remote logging? yes warning
install.*@127.0.0.1:3236

I also find that a hidden file /usr/share/man/man5/.rhosts.5gz:gzip compressed was changed from ".rhosts.5" from Unix.

These settings persist through the various setting updates I make in the account preferences regarding sharing, etc.

If I try to edit the files (with TextEditor.app), the system will not allow me to save the changes. I'm attempting through Finder and I modify the file and folder permissions for my account to write, but still am blocked.

What's this from my DSL modem's system log this morning?
"Connecting PPPoE socket: 00:90:1a:a0:57:82 9702 br0 0x1000d538"
I don't recognize 00:90:1a:a0:57:82.

The date is May 2007 until several lines in when it changes to today's date. This modem was purchased on Saturday and configured on Sunday.

Verizon DSL modem log 060308 07:52
(GMT)16:01:15 Tue May 15 2007 syslogd started: BusyBox v0.61.pre
(GMT)16:01:15 Tue May 15 2007 init: Waiting for enter to start '/bin/sh' (pid 88, terminal /dev/tts/0)
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N EGRESS
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N INGRESS
(GMT)16:01:17 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -A INGRESS -j IMQ
(GMT-05:00)16:01:18 Tue May 15 2007 logic: Stunnel conf 2: TR-069 1 /var/etc/stunnel2.conf https://cpe-ems.verizon.com/cwmpWeb/CPEMgt 1 8080
(GMT-05:00)16:01:19 Tue May 15 2007 logic: dhcps starting
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:25 Tue May 15 2007 udhcpd: ADD - (my mac address) 192.168.1.64 86400 bigmacs-imac

Later:
(GMT-05:00)16:02:00 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:02:00 Tue May 15 2007 udhcpd: interface: br0, start : 4001a8c0 end : fe01a8c0
(GMT-05:00)07:44:16 Tue Jun 03 2008 pc: act_hnm not exist, restart it
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: SENDING ACK to bigmacs-imac
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: sending ACK to 192.168.1.67
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: ADD 192.168.1.67 86400 bigmacs-imac
(GMT-05:00)07:45:24 Tue Jun 03 2008 logic: 192.168.1.67 now is 192.168.1.67
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=67.1.168.192.in-addr.arpa
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=61,srcip=192.168.1.1, url=dslmodem.domain
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=61,srcip=192.168.1.1, url=dslmodem.domain
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=71,srcip=71.252.0.12, url=67.1.168.192.in-addr.arpa
#31 - June 3rd, 2008, 11:56 AM - ElDiabloConCaca
Quote:
Originally Posted by HelloMac
I wish it was a hoax and my life would be easier.

Through more trial and error and using a program called RootKit Hunter I've learned that after a HD erase, zero out, OS install, combo update to 10.5.3 I'm left with a system that is configured for SSH protocol 2:

ssh config file - yes
ssh root access allowed - yes
ssh protocol v1 allowed - no
syslog daemon? found
syslog remote logging? yes warning
install.*@127.0.0.1:3236

Yup, standard Mac OS X Server config... SSH2 is used for remote logins among other things.

Quote:
If I try to edit the files (with TextEditor.app), the system will not allow me to save the changes. I'm attempting through Finder and I modify the file and folder permissions for my account to write, but still am blocked.

Because you need to edit that file as root, and you can't do that with TextEdit by simply double-clicking the "TextEdit" icon. If you're versed in vi or nano, try editing the file from the command line with "sudo".

Quote:
What's this from my DSL modem's system log this morning?
"Connecting PPPoE socket: 00:90:1a:a0:57:82 9702 br0 0x1000d538"
I don't recognize 00:90:1a:a0:57:82.

Could that be your ISP's MAC address?

Could it also be that your DSL modem's DNS has been poisoned? Can you do a "hard reset" of the modem -- in other words, can you purge the settings on the modem to their default state, then reconfigure the modem to be sure that it's not some poisoned modem settings?
__________________
Mac mini 2.0GHz 10.6.2 • 4GB • 320GB • Superdrive • 4 x 1TB USB 2.0 • LED Cinema Display
MacBook 2.0GHz Core 2 Duo - White 10.6.2 • 4GB • 250GB • CD-RW/DVD-ROM
iPhone 3G 8GB • iPod Touch 8GB • iPod Photo 60GB • iPod nano 1GB • AT&T U-Verse 18Mb/2Mb
http://www.jeffhoppe.com
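
Added example (not part of any post in this thread, and not RootKit Hunter's own code): a read-only shell re-check of the SSH and syslog settings quoted in post #30, run here against copies of the config files. The function names and the sample files are constructed for illustration; the forwarding rule is the one quoted in the thread.

```shell
#!/bin/sh
# Print the value of the first active (uncommented) directive $2 in the
# sshd_config-style file $1, or "unset" if only commented defaults exist.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print "selector target" for each syslog.conf rule in file $1 whose action
# forwards messages to a host ("@host" or "@host:port").
syslog_remote_targets() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $NF ~ /^@/ { print $1, substr($NF, 2) }
    ' "$1"
}

# Succeed only if the forwarding target is a loopback address, i.e. the
# messages are handed to a local listener and never leave the machine.
is_loopback_target() {
    case "$1" in
        127.*|localhost|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (assumption: modelled on the output in post #30).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_config" <<'EOF'
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
EOF
cat > "$demo_dir/syslog.conf" <<'EOF'
*.notice;authpriv,remoteauth,ftp,install.none /var/log/system.log
install.* @127.0.0.1:3236
EOF

echo "PermitRootLogin: $(sshd_setting "$demo_dir/sshd_config" PermitRootLogin)"
echo "Protocol:        $(sshd_setting "$demo_dir/sshd_config" Protocol)"
syslog_remote_targets "$demo_dir/syslog.conf" | while read -r sel target; do
    if is_loopback_target "$target"; then scope=loopback; else scope=off-host; fi
    echo "syslog forward:  $sel -> $target ($scope)"
done
```

To check a live system, pass copies of the real config files to the same functions; reading them needs no write access, while changing them requires root as noted in the reply above.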
#32 - June 3rd, 2008, 12:18 PM - HelloMac
I will try a reset on the modem, but I've attempted that on the previous DSL modem a couple of times and ended up with the same thing. Thus my decision to buy a new modem. And here I am again.

I haven't looked up the man file on it yet, but do you know what the default config for racoon should be upon a fresh install? My system has a config setting that allows anonymous login right off the bat.


Here's a bit more of the log from this morning that I meant to post.

The second remote connection attempt to port 443 is what worries me. I have that port blocked by the firewall that is built into the modem.

(GMT-05:00)07:45:44 Tue Jun 03 2008 syslog: failed dns request len=136,srcip=71.252.0.12, url=dslmodem.domain
(GMT-05:00)07:45:50 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:45:51 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:11 Tue Jun 03 2008 stunnel[377]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:11 Tue Jun 03 2008 stunnel[377]: Failed to initialize remote connection
(GMT-05:00)07:46:17 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:18 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:27 Tue Jun 03 2008 stunnel[455]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:27 Tue Jun 03 2008 stunnel[455]: Failed to initialize remote connection
(GMT-05:00)07:46:57 Tue Jun 03 2008 stunnel[464]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:57 Tue Jun 03 2008 stunnel[464]: Failed to initialize remote connection
(GMT-05:00)07:47:27 Tue Jun 03 2008 stunnel[479]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:47:27 Tue Jun 03 2008 stunnel[479]: Failed to initialize remote connection
(GMT-05:00)07:47:56 Tue Jun 03 2008 stunnel[486]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:47:56 Tue Jun 03 2008 stunnel[486]: Failed to initialize remote connection
(GMT-05:00)07:48:26 Tue Jun 03 2008 stunnel[497]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:48:26 Tue Jun 03 2008 stunnel[497]: Failed to initialize remote connection