# root hacked? fsck and mount -uw



## bossa nova (Apr 26, 2002)

I am a little concerned as the firewall for the company was down for a couple of days and I left my machine on over the night yesterday. I am hoping someone hasn't gotten root access and started running some type of program without my knowledge. 

I know it sounds like I am being a little paranoid, but one of the network engineers said that there was a 100 MB burst coming from the port my Mac was plugged into. I had to unplug it from the network and restart my machine, which was horribly slow.

I ran a disk check with `/sbin/fsck -y`.

Once that was done it found some orphaned files, "temp203h3" and "temp130i34". It seemed to have repaired what was apparently wrong, and so I finished with `/sbin/mount -uw`.

Why does the system tell me to run "/sbin/mount -uw" afterwards?

Why would I want to mount and change the system's read-only state to read-write?

After I restarted my machine I worked for the day. As I shut down I got the familiar flat blue screen that appears just after the dock disappears. Then the screen went black and some command-line stuff went across the screen, something like "end process completed", "done" or "end", something like that.

It looked like some process was running and closed down because I was shutting down.

What command can I use to tell what processes are running and how do I determine if there is a rogue process running?

Is there a place I can find a list of processes for OS X that are normal so I can isolate the other rogue processes?

Thanks in advance!
John


----------



## nkuvu (Apr 27, 2002)

First, when you run fsck, run fsck until it says everything appears to be OK.  It usually finds things once other things have been fixed.

Second, the mount instructions are always there -- it's basically a reminder.  If you don't mount, you can't do anything to your disk (minus what utilities do, like fsck).  About the change from read only to read-write: What kind of fun computing experience can you do without writing to the disk?   There is no reason you _need_ to mount after doing the fsck dance -- you can just reboot.  But if you wanted to do anything useful you'd most likely want to be able to write to the disk.

Some ideas about the logging out commands:  To see a list of all running processes, go into the Terminal and type `ps -ax`.  Don't be surprised -- there is a lot going on all the time.  Type `man ps` to see the manual for the `ps` command.

You can also type `ls -a` to see all of your files in a directory.  Try to see if you have a `.logout` file.  That would be a file that is run when you log out, so if you have any commands in that file (if it exists) they might be generating the "end process" text.

Also, you can look through your `.login` and `.cshrc` files to see if there is something started there that might be producing the strange messages.


Keep in mind that this is all basic Unix stuff.  If someone _has_ compromised your computer, these may all look just fine.  And if everything looks fine it doesn't mean that someone has broken into your computer.  I am not a security expert by any stretch of the imagination, so if you think that it is a security breach you may want to wait for other responses...


----------



## bossa nova (Apr 27, 2002)

Thanks for responding. 

I took a look in my beginning Unix book to find the `ps` command. I guess my error was not including the `ax` for all. It was pretty informative. I can see where applications like iTunes and Retrospect have running processes. I think I can make a copy of the files that appear to be running and get a good idea what should be running on my machine at work.

You mentioned that everything could look OK if someone had gained root access. I then recalled some references I had read long ago in "The Hacker Crackdown" that said that a good hack could actually make running processes look innocent. Out loud I said "Oh yeaaah" and a light went on.

So my question for anyone who might know it is:

I assume I can compare file sizes and dates to determine if a file has been changed. The real trick will be knowing which files *should* be there. I guess I can run a clean install on another Mac and print a file listing to see what shows up afterwards.

I am guessing I will also have to go back and run fsck numerous times until I get no errors.

The book I bought is extremely limited. Having several flavors of Unix around, I guess my best bet would be to find some sites dealing with Berkeley Unix.

The old *modified* expression from the Oldsmobile commercial applies here: "This is not your father's Macintosh!"

I used to feel pretty confident about the OS. Now I feel like I am a baby starting to walk all over again.

I realize this is probably pretty basic stuff for all you brainiacs but I truly appreciate everyone who has taken the time to respond to my posts.

John


----------



## nkuvu (Apr 27, 2002)

Well one thing to consider is that to get an accurate idea of what _should_ be running on your system, you'll have to install all of the same programs on the "clean" computer as the suspected one.  There may be some daemons on your suspect computer that are completely innocent, having been installed by one of your main programs.

As far as books go, I have always found O'Reilly books to be excellent.  They do have books on Unix security, which deal with general unices.  I don't buy directly from O'Reilly, I use http://www.bookpool.com -- and no, I don't work for either company.  

I'd suggest looking into security information sources before you start trying to identify running processes.  I am not even sure if you'd be able to find security holes that way.  Once again the IANASE (I am not a security expert) statement comes into play...

This is a totally new OS, for more than just you.  I am familiar with Unix, but not Macs, so I am on a little firmer ground.  But there is still a lot I don't know.
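A concrete way to do the comparison John describes above (and, as nkuvu points out, it only works against a baseline taken from a machine with the same software installed), as an added example that is not part of the thread: a POSIX sh script that records a CRC and size for every file under a directory on a known-good machine and later diffs the suspect machine against that manifest. It goes one step beyond size and date, since `cksum` also catches a file replaced by one of the same size; file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: a file-integrity baseline in POSIX sh. Record "crc size path"
# for every regular file under a directory, then compare a later run against it.
# Assumes paths contain no whitespace (cksum output is split on spaces).

# Print one "CRC SIZE ./path" line per regular file under DIR, sorted by path.
make_manifest() {
    dir=$1
    (cd "$dir" && find . -type f | LC_ALL=C sort | while read -r f; do
        cksum "$f"
    done)
}

# Compare DIR against a manifest saved earlier by make_manifest.
# Prints ADDED / REMOVED / CHANGED lines; prints nothing when they match.
compare_manifest() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    make_manifest "$dir" > "$current"
    awk '
        NR == FNR { base[$3] = $1 " " $2; next }   # first file: the baseline
        { cur[$3] = $1 " " $2 }                     # second file: current state
        END {
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur) if (!(p in base)) print "ADDED " p
            for (p in cur) if ((p in base) && base[p] != cur[p]) print "CHANGED " p
        }' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Usage (nothing runs when the script is invoked without arguments):
#   sh integrity.sh baseline /usr/bin > usr-bin.manifest   # on the known-good machine
#   sh integrity.sh compare  /usr/bin usr-bin.manifest     # on the suspect machine
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    compare)  compare_manifest "$2" "$3" ;;
esac
```

Keep the manifest somewhere the suspect machine cannot alter it (a floppy, another host), otherwise an intruder with root could rewrite the baseline along with the files.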


----------



## nkuvu (Apr 28, 2002)

Where are the logs kept, testuser?


----------

