# Have I been hacked?



## mazzy (Jun 8, 2006)

I bought a Mac Mini a couple of months ago because I'd been repeatedly hacked using Windows XP. I'd been told that Macs were hack proof.

I swear the day I got this, I had a user named Troy logged on. (Troy as in trojan?) I've made many attempts to do an erase and install, talked to Mac help desk...they were absolutely no help. They just repeated over and over that Macs don't get viruses and don't get hacked.

I'm so freaking frustrated. I have the same thing as before. I always suspected that I had a Linux rootkit on my XP machine. Too many files I had were either Linux or Wine. If I edited them, they immediately reappeared with a ~. Can't delete cookies or cache, iconcache, fontcache, netboot, etc.

Same thing on this machine.  I'm not part of a network, but I have a network installed.  I'm not a server, but I have a server installed.  I try to find info on certain files on the web, but I get redirected.  Nothing works like it's supposed to.  


I'm desperate!


----------



## fryke (Jun 8, 2006)

Okay. Can you reformulate the question, please?  ... Leave out anything about prior experiences with Windows and/or linux, because right now, we just want to look at your Mac mini.

Which model is it? Intel or PowerPC, how much RAM etc.? Which operating system version is installed? And what _exactly_ are the current signs of some abuse of the computer?

Just to put things right here: It's not _impossible_ that someone would hack into your system. Depending on what services you have running which let outsiders gain (wanted) access to your computer, you also open some doors for _unwanted_ access. I.e.: If your computer is listening on the ports for Windows Sharing, you basically have the package Samba running with _its_ share of vulnerabilities, you know... But that's all theoretical: Tell us what you _have_ running (Sharing preference pane should tell you) and why.

There _are_ currently no known viruses for the Mac in the wild. No worms or spyware etc. either. But that doesn't mean that _theoretically_ some vulnerabilities exist and that _theoretically_, an attack to your computer could have been performed successfully. However: It's rather unlikely. So tell!


----------



## symphonix (Jun 8, 2006)

mazzy said:

> I'm not part of a network, but I have a network installed.  I'm not a server, but I have a server installed.  I try to find info on certain files on the web, but I get redirected.  Nothing works like it's supposed to.
> 
> I'm desperate!



I'm not sure I understand that. If you're referring to the "Network" icon that comes up under "Computer" then that is normal and appears regardless of whether you are connected to a network or not. As for servers, what are you seeing that makes you think you "have a server installed". Mac OS X (not server) comes with several servers installed that can be switched on easily through the Sharing preference panel. And as for "certain files on the web" can you give us a bit more info?


----------



## mazzy (Jun 11, 2006)

    Machine Name:	Mac mini
    Machine Model:	Macmini1,1
    CPU Type:	Intel Core Duo
    Number Of Cores:	2
    CPU Speed:	1.66 GHz
    L2 Cache (shared):	2 MB
    Memory:	512 MB
    Bus Speed:	667 MHz
    Boot ROM Version:	MM11.004B.B00
    Serial Number:	YM609BV6U36
    SMC Version:	1.3f2

I tried again to erase and install tonight, and my log is posted below.  My first attempts to connect to the internet didn't work.  My system wants to automatically connect to 169.254.216.201, which I believe is my local link.  I've tried to download and install a couple of programs, but I get a warning that they won't mount because they aren't recognized.

As to why I think I'm a server: because when I was hacked on Win XP, I became a game and music server. Some idiot kept changing my background picture on my desktop, leaving stupid messages like "catch me if you can", and changing my password. My computer even yelled at me: "Hey (name), Hey (name) from (city)." Name and city were correct and that really scared me! I'm still paranoid, so with problems now on Mac, I really wonder. Especially when AirPort won't stay closed.

My network includes Library and Servers. Servers includes cpe-(my ip address).gt.res.rr.com. This includes everything on my computer. I also have a tftp boot which includes everything on my computer, and a net boot. I'm really ignorant about Mac and Unix, but I've been burned too many times!
Thanks for your help!

-------------------------------------------------------------------------------------
    Jun 11 02:09:01 localhost kernel[0]: AppleACPICPU: ProcessorApicId=0 LocalApicId=0 Enabled
    Jun 11 02:09:01 localhost kernel[0]: AppleACPICPU: ProcessorApicId=1 LocalApicId=1 Enabled
    Jun 11 02:09:01 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
    Jun 11 02:09:01 localhost kernel[0]: The Regents of the University of California. All rights reserved.
    Jun 11 02:09:01 localhost kernel[0]: using 1262 buffer headers and 1262 cluster IO buffer headers
    Jun 11 02:09:01 localhost kernel[0]: Enabling XMM register save/restore and SSE/SSE2 opcodes
    Jun 11 02:09:01 localhost kernel[0]: IOAPIC: Version 0x20 Vectors 0:23
    Jun 11 02:09:01 localhost kernel[0]: Started CPU 01
    Jun 11 02:09:01 localhost kernel[0]: ACPI: System State [S0 S3 S4 S5] (S3)
    Jun 11 02:09:01 localhost kernel[0]: Security auditing service present
    Jun 11 02:09:01 localhost kernel[0]: BSM auditing present
    Jun 11 02:09:01 localhost kernel[0]: disabled
    Jun 11 02:09:01 localhost kernel[0]: rooting via boot-uuid from /chosen: F4CD6635-1D0E-475F-B513-53B3665C7906
    Jun 11 02:09:01 localhost kernel[0]: Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
    Jun 11 02:09:01 localhost kernel[0]: FireWire (OHCI) Lucent ID 5811 PCI now active, GUID 0016cbfffe586f76; max speed s400.
    Jun 11 02:09:01 localhost kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/SATA@1F,2/AppleAHCI/AppleAHCIPort@2/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageDriver/FUJITSU MHV2080BHPL Media/IOGUIDPartitionScheme/Apple_HFS_Untitled_1@2
    Jun 11 02:09:01 localhost kernel[0]: BSD root: disk0s2, major 14, minor 2
    Jun 11 02:09:01 localhost kernel[0]: CSRHIDTransitionDriver::probe:
    Jun 11 02:09:01 localhost kernel[0]: CSRHIDTransitionDriver::start before command
    Jun 11 02:09:01 localhost kernel[0]: CSRHIDTransitionDriver::stop
    Jun 11 02:09:01 localhost kernel[0]: IOBluetoothHCIController::start Idle Timer Stopped
    Jun 11 02:09:01 localhost kernel[0]: Jettisoning kernel linker.
    Jun 11 02:09:01 localhost kernel[0]: Resetting IOCatalogue.
    Jun 11 02:09:01 localhost kernel[0]: Matching service count = 4
    Jun 11 02:09:01 localhost kernel[0]: Matching service count = 4
    Jun 11 02:09:01 localhost kernel[0]: Matching service count = 4
    Jun 11 02:09:01 localhost kernel[0]: Matching service count = 4
    Jun 11 02:09:01 localhost kernel[0]: Matching service count = 4
    Jun 11 02:09:01 localhost kernel[0]: Previous Shutdown Cause: 3
    Jun 11 02:09:01 localhost kernel[0]: mac 10.3 phy 6.1 radio 10.2
    Jun 11 02:09:01 localhost kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
    Jun 11 02:09:01 localhost mDNSResponder-108 (Jan 14 2006 02:59:21)[32]: starting
    Jun 11 02:09:01 localhost memberd[39]: memberd starting up
    Jun 11 02:09:01 localhost DirectoryService[44]: Launched version 2.1 (v353.1)
    Jun 11 02:09:01 localhost lookupd[43]: lookupd (version 369.5) starting - Sun Jun 11 02:09:01 2006
    Jun 11 02:09:02 localhost configd[36]: com.apple.SystemConfiguration.DynamicPowerStep load failed
    Jun 11 02:09:02 localhost diskarbitrationd[38]: disk0s2    hfs      B98C9278-3B51-3D3F-AC1B-35B6E725A9C2 Macintosh HD            /
    Jun 11 02:09:02 localhost kernel[0]: yukonosx: Ethernet address 00:16:cb:a2:a0:a9
    Jun 11 02:09:02 localhost kernel[0]: AirPort_Athr5424: Ethernet address 00:16:cb:04:b6:3b
    Jun 11 02:09:02 localhost lookupd[61]: lookupd (version 369.5) starting - Sun Jun 11 02:09:02 2006
    Jun 11 02:09:02 roxys-computer kernel[0]: unable to start recv logic
    Jun 11 02:09:02 roxys-computer kernel[0]: unable to start recv logic
    Jun 11 02:09:02 roxys-computer kernel[0]: display: Not usable
    Jun 11 02:09:02 roxys-computer configd[36]: setting hostname to "roxys-computer.local"
    Jun 11 02:09:03 roxys-computer kernel[0]: [HCIController][setupHardware] AFH Is Supported
    Jun 11 02:09:03 roxys-computer /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
    Jun 11 02:09:04 roxys-computer loginwindow[65]: Login Window Started Security Agent
    Jun 11 02:09:05 roxys-computer mDNSResponder: Adding browse domain local.
    Jun 11 02:09:07 roxys-computer kernel[0]: (46: SystemStarter)tfp: failed on 0:
    Jun 11 02:09:07 roxys-computer kernel[0]: (46: SystemStarter)tfp: failed on 0:
    Jun 11 02:09:50 roxys-computer kernel[0]: AppleYukon: error - 2 Pair Downshift detected
    Jun 11 02:09:50 roxys-computer kernel[0]: AppleYukon - en0 link active, 100-Mbit, full duplex, symmetric flow control enabled
    Jun 11 02:09:52 roxys-computer configd[36]: executing /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/enable-network
    Jun 11 02:09:52 roxys-computer configd[36]: posting notification com.apple.system.config.network_change
    Jun 11 02:09:52 roxys-computer lookupd[141]: lookupd (version 369.5) starting - Sun Jun 11 02:09:52 2006
    Jun 11 02:09:53 roxys-computer configd[36]: setting hostname to "cpe-67-10-116-128.gt.res.rr.com"
    Jun 11 02:09:54 roxys-computer configd[36]:   target=enable-network: disabled


    mail.log:

      Description: Fax notification email log
      Size: 0 bytes
      Last Modified: 6/11/06 12:15 AM
      Location: /var/log/mail.log
      Recent Contents: 

    access_log:

      Description: Printer access log
      Size: 3.22 KB
      Last Modified: 6/11/06 2:39 AM
      Location: /var/log/cups/access_log
      Recent Contents:


    error_log:

      Description: Printer error log
      Size: 4.89 KB
      Last Modified: 6/11/06 2:09 AM
      Location: /var/log/cups/error_log
      Recent Contents:


    install.log:

      Description: Installer log
      Size: 55.68 KB
      Last Modified: 6/11/06 12:22 AM
      Location: /var/log/install.log
      Recent Contents: ...


----------



## mazzy (Jun 11, 2006)

Maybe what I posted earlier provided useless information. Sorry!

I opened a file named BootX using a text editor. It begins like this--

    <CHRP-BOOT>
    <COMPATIBLE>
    MacRISC MacRISC3 MacRISC4
    </COMPATIBLE>
    <DESCRIPTION>
    Boot Loader for Mac OS X.
    </DESCRIPTION>
    <OS-BADGE-ICONS>

It also included this--

Mac OS X Loader


----------



## mazzy (Jun 11, 2006)

Ok, the entire text didn't upload. And it doesn't appear that I was able to edit it. If I'm making a duplicate post, I'm so sorry. I'm having so many problems that I can barely stay connected to the net.

    <CHRP-BOOT>
    <COMPATIBLE>
    MacRISC MacRISC3 MacRISC4
    </COMPATIBLE>
    <DESCRIPTION>
    Boot Loader for Mac OS X.
    </DESCRIPTION>
    <OS-BADGE-ICONS>

It also included this--

    </OS-BADGE-ICONS>
    <BOOT-SCRIPT>
    load-base
    begin
     dup 6 " &lt;/CHRP" $= if
      6 + dup 6 " -BOOT&gt;" $= if
       8 + true
      else
       false
      then
     else
      1+ false
     then
    until
    ( xcoff-base )
    load-size over load-base - -
    ( xcoff-base xcoff-size )
    load-base swap move
    init-program go
    </BOOT-SCRIPT>
    </CHRP-BOOT>


----------



## Satcomer (Jun 11, 2006)

If you feel paranoid then use the OS X included firewall (System Preferences->Sharing, and press the firewall Start). Next, CHANGE YOUR PASSWORD. Lastly, create a new USER account and stop using the default Administrator account (this goes for Windows too).

Also turn off automatic login (System Preferences->Accounts->Your account->Login Options). Oh, I almost forgot: activate password checking on your Screen Saver and NEVER use or activate the Root account.

Welcome to the first lesson in computer security. 101 more lessons to go.


----------



## DeltaMac (Jun 12, 2006)

Why did you single out BootX (which is used by the system), among the thousands of other files on your system?
Satcomer is correct, and even with the firewall left off, if all your Sharing services are turned off, it's really unlikely that anyone could hack into your system, unless you allow it.
If you downloaded and tried to install a couple of programs, maybe they are .exe files and can't run on the Mac anyway.  You cannot use any .exe files with Mac OS X.

If you are exposing yourself by using some of the on-line game sites, then that may be most of your problem. OS X, by default, is basically locked down. You can make the security even tighter if you wish, and you can also open up everything. It's your choice, and not something that could be done from a remote location. A gamer/hacker will not be able to enter your computer unless you choose to allow it. The security link that Satcomer posted is a great place to start.


----------



## Krevinek (Jun 13, 2006)

Everything I can see in your logs looks normal.

A couple things to point out:

- Unix, Linux and MacOS X are based around the concept of services. So the concept of server/client gets a little blurred. A server is a client, and a client is a server. The only difference is what services are running, and if those services accept connections from the network or not. So when you print, you always print to a 'server', even if that server is your own machine. MacOS X is configured by default to only let your machine print; you would have to turn on printer sharing before other machines would be allowed to connect.

- The Network icon that you see is always there. You will be able to see your own machine under Servers, even if you shut down ALL network connections. While this /is/ one of the more annoying and confusing 'features'... don't worry too much. Just because you see it there, doesn't mean anyone else does. You would have to have file sharing turned on (in System Preferences, under the Sharing pane) before they would even be able to /try/ to login to your computer.

- BootX is just an application that is used to boot OS X on older PowerPC Mac computers. As far as I know, it isn't even used on Intel systems (I wouldn't delete it though), which boot slightly differently.


----------



## mazzy (Jun 14, 2006)

Thanks for y'alls input.  I don't understand Unix, but I'm trying to learn.

The reason I asked about BootX is because I had an undeletable file named BootX on my Win XP machine. I don't play games, so that's not my problem. Whoever did this accessed my eBay and PayPal accounts. I have real reasons for being paranoid.

Can anyone explain CertificateAssistantTrustedApps.plist?

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
    <plist version="0.9">
    <array>
            <string>/System/Library/CoreServices/Certificate Assistant.app</string>
            <string>/Applications/Mail.app</string>
            <string>/Applications/iChat.app</string>
            <string>/usr/sbin/racoon</string>
    </array>
    </plist>

Also, can anyone tell me where I find the plist for a clean install?  I'd like to look at mine.  

Thanks again for all the help.  Y'all do a huge service to paranoids like me.  I'll probably have many more questions......hope that's ok.


----------



## crazydigger (Jun 23, 2006)

Hi!

I have a follow-up question here re hacking. I was trying to get on the wireless internet in school several times, but each time I logged onto the available wireless sites, instead of getting a signal bar on the AirPort symbol, I get a photo of a little computer in the middle of the signal bar.

I went to the Apple Store today and, stupid me, was told that those were other computers who were accessing my Mac!!! I hadn't turned on my firewall (it's on now) since I didn't realize that it was not automatically turned on when I bought the computer.

Anyway, my question is whether it's possible to check if another computer has indeed hacked into my system and gotten into my files? Can they do that?! Is there any way for me to check "footprints" via a log or something?

thanks!!


----------



## DeltaMac (Jun 23, 2006)

crazydigger said:

> I went to the Apple Store today and stupid me was told that those were other computers who were accessing my mac!!!



Amazing where people get these strange ideas, and then try to convince crazydigger that idea is a fact (it is not....). That icon just means that you are accessing a computer-to-computer network, or a closed network (requiring one of those long passwords to enter), NOT some other computer hacking into your Mac! Sorry, you were blown off by someone at an Apple Store. Don't always accept an answer from one of those that roam around in an Apple Store (or get a 2nd opinion from a 'genius'). You don't always get a correct answer at an Apple Store.


----------



## crazydigger (Jun 23, 2006)

Wow!! Super thanks, Delta!! Next time, I'll just run to this forum for questions instead of going to the Apple Store!

In any event, how will you know that the computer is getting hacked?


----------



## Satcomer (Jun 24, 2006)

crazydigger said:

> Hi!
> 
> I have a  follow-up question here re hacking.  I was trying to get on the wireless internet in school several times but each time i logged onto the available wireless sites, instead of getting a signal bar on the airport symbol, i get a photo of a little computer in the middle of the signal bar.



That is Bonjour finding other computers, I think. Also check your System Preferences Sharing pane and make sure in the Internet tab that you are not sharing the internet with others.

All the logs you want are in /Applications/Utilities/Console.
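
To give crazydigger's question about "footprints" in the logs (and Krevinek's point above that printing always goes through a local 'server') something concrete, here is an added example that is not code from anyone in this thread: a small Python scanner for the Console-style log lines mazzy posted. It decodes the CUPS `Listening to <hex>:<port>` entries to tell a loopback-only listener (7f000001 is 127.0.0.1) from one exposed to the network, records configd hostname changes, and grades SSH logins by where they came from. All sample lines are constructed; the `sshd` entries follow OpenSSH's standard log format and are assumed, not taken from the thread.

```python
"""Scan Mac OS X Console-style logs for signs of remote access.

Added example for this thread, not code from any poster.  The sample lines
below are constructed: some are modelled on lines mazzy posted (configd
hostname change, CUPS 'Listening to' entries); the sshd lines follow
OpenSSH's standard log format and are assumed, not taken from the thread.
"""
import ipaddress
import re

# Console / system.log line: "Jun 11 02:09:53 roxys-computer configd[36]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
HOSTNAME_RE = re.compile(r'setting hostname to "(?P<name>[^"]+)"')
# OpenSSH (assumed): "Accepted password for roxy from 203.0.113.9 port 51030 ssh2"
SSH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)
# CUPS error_log: "I [11/Jun/2006:02:09:07 -0500] Listening to 7f000001:631"
CUPS_LISTEN_RE = re.compile(r"Listening to (?P<addr>[0-9a-f]{1,8}):(?P<port>\d+)")

# Addresses that cannot be reached from the open Internet: RFC 1918 ranges,
# loopback, and 169.254/16 self-assigned link-local (what a Mac falls back to
# when no DHCP server answers, which is why mazzy saw 169.254.216.201).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_local_address(ip_text):
    """True if ip_text lies in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETS)


def cups_listeners(cups_log):
    """Decode CUPS 'Listening to <hex>:<port>' lines.

    CUPS writes the IPv4 address as eight hex digits, so 7f000001:631 is
    127.0.0.1:631: the scheduler accepts print jobs from this Mac only.
    Entries with port 0 are not TCP listeners and are skipped.
    Returns (address, port, loopback_only) tuples.
    """
    out = []
    for line in cups_log.splitlines():
        m = CUPS_LISTEN_RE.search(line)
        if not m or m.group("port") == "0":
            continue
        addr = ipaddress.IPv4Address(int(m.group("addr"), 16))
        out.append((str(addr), int(m.group("port")), addr.is_loopback))
    return out


def scan_logs(system_log, cups_log):
    """Return (severity, kind, detail) findings, most severe first."""
    findings = []
    for line in system_log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        h = HOSTNAME_RE.search(msg)
        if h:
            # configd adopts the name the ISP's DHCP / reverse DNS hands out;
            # an ISP-looking hostname is expected, not a sign of a server.
            findings.append(("info", "hostname", h.group("name")))
            continue
        s = SSH_RE.search(msg)
        if s:
            who = f"{s.group('user')} from {s.group('ip')}"
            if s.group("result") == "Accepted":
                sev = "medium" if is_local_address(s.group("ip")) else "high"
                findings.append((sev, "ssh-login", who))
            else:
                findings.append(("low", "ssh-failed", who))
    for addr, port, loopback in cups_listeners(cups_log):
        if not loopback:
            findings.append(("medium", "cups-exposed", f"{addr}:{port}"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


# Constructed sample input (see module docstring).
SAMPLE_SYSTEM_LOG = """\
Jun 11 02:09:01 localhost kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
Jun 11 02:09:53 roxys-computer configd[36]: setting hostname to "cpe-67-10-116-128.gt.res.rr.com"
Jun 11 03:14:22 roxys-computer sshd[412]: Failed password for roxy from 10.0.0.7 port 51022 ssh2
Jun 11 03:14:30 roxys-computer sshd[412]: Accepted password for roxy from 203.0.113.9 port 51030 ssh2
"""
SAMPLE_CUPS_LOG = """\
I [11/Jun/2006:02:09:07 -0500] Listening to 7f000001:631
I [11/Jun/2006:02:09:07 -0500] Listening to e00a3000:0
I [11/Jun/2006:02:09:07 -0500] Printer sharing is off and there are no jobs pending, will restart on demand. Exiting.
I [12/Jun/2006:09:00:00 -0500] Listening to 00000000:631
"""

if __name__ == "__main__":
    for sev, kind, detail in scan_logs(SAMPLE_SYSTEM_LOG, SAMPLE_CUPS_LOG):
        print(f"[{sev:6}] {kind:13} {detail}")
```

On a real Mac, feed it the text exported from Console (system.log and /var/log/cups/error_log); a listener on 0.0.0.0 or an accepted login from an address outside your own network is what to follow up on, while the ISP-style hostname line is normal.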


----------



## symphonix (Jun 26, 2006)

I also couldn't see anything unusual in your logs, and I'm still not sure what makes you think you have a problem. You've said a few things like "... and now I've started having problems" but you haven't actually told us much specific. BootX is a perfectly normal file, the Network icon is always there, and the CertificateHelper plist is just the settings for how your browser handles certificates. Nothing too out of the ordinary there.

So yes, if you do have anything that you're not sure about, start by asking about the symptom or problem you're seeing, and then the experts on the forums will point you in the right direction.


----------



## mazzy (Jul 7, 2006)

Thanks for everyone's input. And sorry if my questions are dumb, but I spent a fortune repairing my PC over and over, and couldn't keep a persistent hacker out. He'd disable my firewall and all AV programs. OS X is all new to me and if my hacker hasn't already gotten in, I'd like to keep him out.

1.  My internet times out after a very short time.  I don't know how to keep that from happening.  I had a RoadRunner  problem, but now that's taken care of, so it's not that.

2.  Airport won't stay turned off.

3.  BlueTooth likes to come back on too.

4.  What is Boot.efi?

5.  Can't customize terminal settings.

Activity Monitor shows this when running terminal--
Open Files and Ports
/Users/roxy
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Library/CoreServices/CharacterSets/CFUnicodeData-L.mapping
/System/Library/CoreServices/CharacterSets/CFCharacterSetBitmaps.bitmap
/System/Library/CoreServices/CharacterSets/CFUniCharPropertyDatabase.data
/Library/Caches/com.apple.IntlDataCache.le.sbdl.501
/System/Library/Fonts/LucidaGrande.dfont
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/Extras2.rsrc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
/System/Library/Contextual Menu Items/AutomatorCMM.plugin/Contents/MacOS/AutomatorCMM
/System/Library/Contextual Menu Items/FolderActionsMenu.plugin/Contents/MacOS/FolderActionsMenu
/System/Library/Contextual Menu Items/SpotlightCM.plugin/Contents/MacOS/SpotlightCM
/Library/Caches/com.apple.LaunchServices-014501.csstore
/usr/share/icu/icudt32l.dat
/System/Library/Caches/com.apple.IntlDataCache.le.kbdx
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
/System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleHDAHALPlugIn.bundle/Contents/MacOS/AppleHDAHALPlugIn
/System/Library/Components/CoreAudio.component/Contents/MacOS/CoreAudio
/usr/lib/dyld
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/usr/lib/libicucore.A.dylib
/usr/lib/libobjc.A.dylib
/usr/lib/libstdc++.6.0.4.dylib
/usr/lib/libgcc_s.1.dylib
/usr/lib/libauto.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
/usr/lib/libncurses.5.4.dylib
/dev/null
/dev/console
/dev/console
apple.shm.notification_center
/tmp/com.apple.csseed.90
apple.shm.notification_center
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/Extras2.rsrc


/Applications/Utilities/Terminal.app/Contents/Resources/Terminal.rsrc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
/dev/ptyp1
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc



So, If all of this is normal, then I'll shut up!


----------



## DeltaMac (Jul 7, 2006)

I can answer #4 - The Boot.efi file is the boot loader for OS X, used only on Intel Macs. Part of your system, it serves the same function as the BootX file (used on PowerPC Macs).


----------



## mazzy (Jul 7, 2006)

One more thing--
What is tftpboot?  /private/tftpboot/private/tftpboot/(my entire system's in this folder)

hosts file

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 


thanks!


----------
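The hosts file mazzy posted is the stock Tiger one, and it is worth knowing how to check that quickly: a hosts entry overrides DNS for every program on the machine, so an extra line can redirect a bank or update host to an attacker's address, or point it at 127.0.0.1 to block it. The following is an added example (not from the thread and not an Apple tool); the baseline is the three entries above, and the tampered sample, with an RFC 5737 documentation address and example.com names, is constructed for illustration.

```python
"""Check an /etc/hosts file against the stock Mac OS X entries.

Added example, not from the thread. STOCK_TEXT is the hosts file posted above;
TAMPERED_TEXT appends two constructed lines (RFC 5737 documentation address,
example.com names) to show what a redirect and a blackhole look like."""
import ipaddress

STOCK = {
    ("127.0.0.1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
    ("::1", "localhost"),
}

STOCK_TEXT = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
"""

TAMPERED_TEXT = STOCK_TEXT + "203.0.113.5\twww.example-bank.com\n127.0.0.1\tupdate.example.com\n"


def parse_hosts(text):
    """(address, hostname) pairs; comments and blank lines skipped, aliases expanded."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            pairs.extend((fields[0], name) for name in fields[1:])
    return pairs


def audit_hosts(text):
    """One finding per non-stock entry; an empty list means the file is stock."""
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in STOCK:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"HIGH: {name} -> {addr!r} is not an IP address")
            continue
        if name in ("localhost", "broadcasthost"):
            # names the system itself depends on must keep their stock values
            findings.append(f"HIGH: {name} remapped to {addr}")
        elif ip.is_loopback or ip.is_unspecified:
            # pinning a real host to loopback silently blocks it (update servers are a classic target)
            findings.append(f"MEDIUM: {name} blackholed to {addr}")
        else:
            # a hosts entry beats DNS, so this redirects every program on the machine
            findings.append(f"HIGH: {name} pinned to {addr} (overrides DNS)")
    return findings


if __name__ == "__main__":
    for label, text in (("stock", STOCK_TEXT), ("tampered", TAMPERED_TEXT)):
        print(label, audit_hosts(text) or "clean")
```

On a real machine the text to feed in is the contents of /etc/hosts; the baseline should be whatever the same OS version ships, and any line that is not in it needs an explanation.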



## mazzy (Jul 7, 2006)

Thanks DeltaMac!


----------



## ex2bot (Jul 12, 2006)

Mazzy and CrazyDigger,

Use a good password! That's basic, powerful security advice. 

Use at least one capital letter.
Use at least a couple numbers.
Make your password something you can remember, but at least 7 or 8 characters long.

Don't tell anyone your password. Don't make your password obvious, like your name, your street name, kid's name, significant other's name, etc. 

Mazzy, don't click links in email. Ever. Ever. Especially from an email that says it's from your bank. Don't believe everything you read in email. Don't open files attached to emails. Ever. Ever. Ever.

Don't accept files in instant messages (chat). Ever. Ever. Ever. Don't click links in instant messages. Never. Ever.

If you follow this advice, you shouldn't have any problems.

At the same time, I know it's hard not being paranoid, but not every glitch is caused by a virus or a hacked machine. 

Finally, you're much safer on a Mac. Truth. No viruses, no spyware to speak of, no cross-Internet exploits. Relax. At least a little 

Doug


----------



## mazzy (Jul 14, 2006)

Thanks Doug.  
I don't open links in email.  In fact, I get a few hundred spam a week, so I only use webmail, and only open mail from people I absolutely trust with my life!!  My password is good, and I've never given it out knowingly, unless that typed stream thing is sending it out.  I change it often.  I'm the sole user on this computer.  I don't chat online, play online games, download music or porn, or any of the usual risky stuff.  But some things are just strange.  
For example, in usr/share/doc/postfix--
all of the files end with README except INSTALL  , OVERVIEW and RELEASE_NOTES
Each file begins with something similar.
PPoossttffiixx IInnssttaallllaattiioonn FFrroomm SSoouurrccee CCooddeePPoossttffiixx DDooccuummeennttaattiioonn
WWhhaatt yyoouu nneeeedd ttoo kknnooww aabboouutt PPoossttffiixx llooggggiinngg
PPoossttffiixx BBuuiilltt--iinn CCoonntteenntt IInnssppeeccttiioonn
...you get the idea.
Is this normal?

Why does usr/share/emacs/21.2/etc have a file named COOKIES, that is really a recipe for cookies?  It includes this email address--
From: ucdavis!lll-lcc!hplabs!parcvax!bane@ucbvax.berkeley.edu (John R. Bane)
And in usr/share/emacs/21.2/etc another name JOKES, with a bunch of dumb jokes with this email address--
From:  Don Chiasson <G.CHIASSON@DREA-XX.ARPA>
Subject: Some gnu jokes
To: jokes@DREA-XX.ARPA, gergely@DREA-XX.ARPA, broome@DREA-XX.ARPA
cc: G.CHIASSON@DREA-XX.ARPA
Message-ID: <12329394624.13.G.CHIASSON@DREA-XX.ARPA>

I've got at least a hundred more files that have strange kinda hidden things that just don't follow the rule of--
It makes SENSE to include this file, and use up VALUABLE space!

I hope I'm not using up your valuable time and space with my paranoia!

I would love your input!!

ps.  most of the names of the strange files are ALL UPPER CASE, if that means anything.


----------



## mazzy (Jul 14, 2006)

Great!!
I just found another one--  Firefox had a user profile that isn't me!

I installed Firefox last night because I couldn't get XMRadio to work with Safari.  

Firefox/Profiles/Erikdl5k.default with a 32.9 MB cache.  Doesn't even show my profile!

And I only used Firefox long enough to find out that I didn't like it!  Apparently Erik did!


----------



## DeltaMac (Jul 14, 2006)

mazzy said:


> ... Firefox had a user profile that isn't me!
> 
> Firefox/Profiles/Erikdl5k.default with a 32.9 MB cache.  Doesn't even show my profile!
> And I only used Firefox long enough to find out that I didn't like it!  Apparently Erik did!



Firefox randomly names the profile, and seeing your name there would just be a pure coincidence. You can always rename that profile folder. The name is not Erik, it's Erikdl5k. My Firefox profile has the name default.Zoy. It's just random. Camino (another Mozilla web browser) does not use profiles at all, and you may find it more to your liking.

The various readme files are internal emacs files: help files, sample files, etc. Most any word processor/editor will have similar files, and emacs is the Unix text editor that you could also use. It's provided with your system.
You can open those readme files with TextEdit, so you can read the text clearly.


----------



## mazzy (Jul 14, 2006)

Thanks for explaining the Erik profile.  I did open the emacs files with TextEdit, and that is how the files read.  I don't understand the strange string of letters....PPoossttffiixx, etc.  And why the cookie recipe and jokes?


----------
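The doubled letters mazzy describes (PPoossttffiixx) are what backspace-overstrike bold looks like when a viewer drops the backspace characters. That is the convention nroff and man output use, and the Postfix README files follow it: a bold P is stored as P, backspace, P, and a terminal pager draws the letter twice in the same spot, while TextEdit shows both copies side by side. The following added example (not from the thread) undoes that encoding the way col -b does and classifies a blob as plain text, overstrike-formatted text, or not text at all, which is the check to run before treating an odd-looking file as evidence; the sample heading is constructed to reproduce the effect shown above.

```python
"""Decode and classify backspace-overstrike text (the bold/underline encoding
used by nroff and man output, which the Postfix README files follow).

Added example, not from the thread. SAMPLE is a constructed heading encoded
the way those files are, so the doubled-letter effect can be reproduced."""
BS = "\x08"


def strip_overstrike(text):
    """Undo X<BS>X (bold) and _<BS>X (underline) sequences, as `col -b` does."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if i + 2 < n and text[i + 1] == BS:
            nxt = text[i + 2]
            out.append(nxt if ch == "_" else ch)  # underline keeps the letter, bold keeps one copy
            i += 3
            while i + 1 < n and text[i] == BS:  # heavy bold: X BS X BS X
                i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def classify(text):
    """Return (kind, decoded) with kind in {'text', 'overstrike-text', 'binary'}."""
    decoded = strip_overstrike(text)
    printable = sum(1 for c in decoded if c.isprintable() or c in "\n\r\t")
    if printable < 0.95 * max(len(decoded), 1):
        return ("binary", None)
    return ("overstrike-text" if BS in text else "text", decoded)


def overstrike_bold(s):
    """Encode a string as nroff bold: every non-space character overstruck with itself."""
    return "".join(c if c.isspace() else c + BS + c for c in s)


SAMPLE = overstrike_bold("Postfix Installation From Source Code") + "\n"


if __name__ == "__main__":
    print("as a backspace-blind viewer shows it:", SAMPLE.replace(BS, ""))
    print("decoded:", classify(SAMPLE))
```

Running it on a real file means reading it with errors="replace" and passing the string in; a result of overstrike-text with readable decoded content is formatted documentation, not a hidden message.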



## CharlieJ (Jul 14, 2006)

LOL, HUH!


symphonix said:


> I'm not sure I understand that. If you're referring to the "Network" icon that comes up under "Computer" then that is normal and appears regardless of whether you are connected to a network or not. As for servers, what are you seeing that makes you think you "have a server installed". Mac OS X (not server) comes with several servers installed that can be switched on easily through the Sharing preference panel. And as for "certain files on the web" can you give us a bit more info?


----------



## CharlieJ (Jul 14, 2006)

Macs are hack proof, don't worry. If your stuff's so important make backups, but I have a 7 year old G3 running OS X with no problems ever!

Please stop worrying, just relax, sit down and play on your Mac.
If you really want to feel safe turn your firewall on on your router and your Mac, but you really don't need it.

That's exactly what I was like when I switched, I was scared of it, but don't be.


----------



## Satcomer (Jul 14, 2006)

Well since we are in MY DOMAIN here is OS X security for the SUPER PARANOID lesson number two (my first lesson is on the first page). 

Now for most any home user I am going to list the simple steps to getting a level that will be good for 99.8% of most any internet hack coming down the pipe by script kiddies.

1. Create a new "User" account (not another Administrator account) and use that account. When the new account asks for a password, use a password that is not a common word, has at least 8 characters, do not make it a common word, include uncommon characters.

2. Open System Preferences->Sharing and click the Firewall on. Once you do that click on the "Advanced..." button. Once the style sheet comes down put check marks in all three boxes.

3. Download an excellent outgoing firewall called Little Snitch, buy it, and use it. It will monitor every outgoing signal and this will stop any signals going out of your computer.

4. Download Paranoid Android because it will check that all programs launching are what they are supposed to be, not what they appear to the eye.

5. In the Finder open the Finder's Preferences. Then click on the "Advanced" button and "Show all file extensions". This will make all programs show what kind of program they are. 

7. Buy and use a router with your ISP connection. Just make sure you buy a router that has firewall functions and also does firewall logging. Never connect to the net totally naked (computer wise).

8. Download a virus checker like the free ClamXav. Just to be safe in case the virus or trojan horse comes down the pike. Also you can stop yourself from sending along Windows viruses to/from your Windows-using friends.  Just be warned, third party developers and virus checking programs have had a shaky time because OS X is a radically changing operating system and third party developers take time to catch up. Just remember this when updating OS X.

9. Open Safari and open Safari's Preferences. In the General Tab uncheck "Open "safe" files...". This will stop the automatic opening of downloaded files. This is just a smart thing to do.

In my first paragraph I said keeping safe from script kiddies. I say this because I believe if someone really wants to get into your computer, they will. Security is not a goal, it is a continuing state of mind. Remember that, let it burn into your mind.

Lastly, learn about the inner workings of your Mac. You should start by reading books from O'Reilly Press like Switching to the Mac: The Missing Manual, Tiger Edition and Mac OS X Tiger for Unix Geeks, Third Edition. 

So this is just a little taste of what a typical Mac user should do to keep relatively secure in the MacWorld. To stay secure you must never rest on your state of security. Always keep on top of the cutting edge, and even really good Windows admins can keep their Windows computers safe.


----------



## mazzy (Jul 19, 2006)

Thank you, Satcomer.  I downloaded Little Snitch, and these are the default settings....

Any Application		Allow TCP to 0.0.0.0 - 0.0.0.255
Any Application		Allow UDP to 0.0.0.0 - 0.0.0.255
Any Application		Allow any connection to 244.0.0.0 - 239.255.255.255
Any Application		Allow TCP to port 548 (apvovertcp) at 254.0.0.0 - 254.255.255.255
Any Application		Allow any connection to your local network
Any Application		Allow any connection to broadcast addresses
configd			Allow IPV6-ICMP connections
host			Allow UDP connection to port 53 (domain)
lookupd			Allow any connection
Mail			Allow any TCP connections
mDNSResponder		Allow UDP connections
natd			Allow DIVERT to 0.0.0.0
nmblookup		Allow UDP connections to port 137 (netbios-ns)
nslookup		Allow UDP connections
ntpd			Deny UDP connections to port 2000 (callbook)
ntpd			Allow UDP connections to port 123 (ntp)
ntpdate			Allow UDP connections to port 123 (ntp)
QuickTime Player	Allow TCP connections to port 554 (rtsp)
QuickTime Player	Allow TCP connections to port 80 (https)
Safari			Allow TCP connections to port 443 (http)
Safari			Allow TCP connections to port 80 (http)
Sherlock		Allow TCP connections to port 80 (http)
slpd			Deny any connection		
slpd			Allow UDP to your local network
SyndicationAgent	Allow TCP connections to port 80 (http) 
SystemUIServer		Allow UDP to port 10.0.0.0 - 10.0.15.255
Whois			Allow TCP connections to port 43 (nicname)

Can you tell me which of these settings need to be changed?  I've tried blocking the UDP ports, but they come back on.  Little Snitch will show both allow and deny eg
mDNSResponder		Allow UDP connections
mDNSResponder		Deny UDP connections


After installing ClamXav, I got the message --
freshclam wants to connect to dns-cac-16-01.texas.rr.com on UDP port 53 (domain)
and freshclam wants to connect to  badfish.securityminded.net (209.8.40.140) on TCP port 80 (http)
The installer log shows /ClamXav.app/Contents/MacOS/ClamXav: Java is generating its shared archive, version 1.4

Paranoid Android doesn't work at all.

I've already bought the 2 books that you mentioned, but still have problems.

Your reference to script kiddies.......
I've been repeatedly hacked by a freaky guy who put pictures of me on his website.  I asked him to remove them, he refuses, and since then he's given me all kinds of hell.  I do think that he is a script kiddie bent on making my life miserable.  He wants to prove that he's in control.

And CJ MAC OSX IPOD.......
thanks for laughing at me.  I do understand that the network icon is normal, and that there are server programs that can be turned on and off.  
And I do understand that there are people who know more, who look down on those who know less.

And to anyone who reads this-- please, take me seriously.  I appreciate those who have offered valid advice and answered my questions even if they are dumb.


----------
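Nobody in the thread answers which of the Little Snitch rules above need changing. A first answer can be had mechanically: rules for "Any Application" are the ones that matter most, allow rules with neither a port nor a destination are the next widest, and an allow and a deny that differ only in the verb (the mDNSResponder pair mazzy mentions) need a decision rather than both. The following is an added example, not from the thread and not Little Snitch's own logic: the severity scheme is this example's, the port table is a subset of /etc/services, and the rule text is the list transcribed above, tab-separated. Which of an allow/deny pair wins depends on the product's precedence rules, so the script only reports the pair.

```python
"""Audit an outbound-firewall rule list of the form '<application><TAB><rule>'.

Added example, not from the thread and not Little Snitch's own logic. The
severity scheme is this example's; SERVICES is a subset of /etc/services;
RULES is the rule list transcribed in the post above."""
import re

SERVICES = {43: "nicname", 53: "domain", 80: "http", 123: "ntp",
            137: "netbios-ns", 443: "https", 548: "afpovertcp", 554: "rtsp"}

PORT_RE = re.compile(r"port (\d+) \(([\w-]+)\)")
ADDR_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

RULES = """\
Any Application\tAllow TCP to 0.0.0.0 - 0.0.0.255
Any Application\tAllow UDP to 0.0.0.0 - 0.0.0.255
Any Application\tAllow any connection to 244.0.0.0 - 239.255.255.255
Any Application\tAllow TCP to port 548 (apvovertcp) at 254.0.0.0 - 254.255.255.255
Any Application\tAllow any connection to your local network
Any Application\tAllow any connection to broadcast addresses
configd\tAllow IPV6-ICMP connections
host\tAllow UDP connection to port 53 (domain)
lookupd\tAllow any connection
Mail\tAllow any TCP connections
mDNSResponder\tAllow UDP connections
natd\tAllow DIVERT to 0.0.0.0
nmblookup\tAllow UDP connections to port 137 (netbios-ns)
nslookup\tAllow UDP connections
ntpd\tDeny UDP connections to port 2000 (callbook)
ntpd\tAllow UDP connections to port 123 (ntp)
ntpdate\tAllow UDP connections to port 123 (ntp)
QuickTime Player\tAllow TCP connections to port 554 (rtsp)
QuickTime Player\tAllow TCP connections to port 80 (https)
Safari\tAllow TCP connections to port 443 (http)
Safari\tAllow TCP connections to port 80 (http)
Sherlock\tAllow TCP connections to port 80 (http)
slpd\tDeny any connection
slpd\tAllow UDP to your local network
SyndicationAgent\tAllow TCP connections to port 80 (http)
SystemUIServer\tAllow UDP to port 10.0.0.0 - 10.0.15.255
Whois\tAllow TCP connections to port 43 (nicname)
"""


def parse_rules(text):
    """(application, rule) pairs; the columns may be separated by several tabs."""
    rules = []
    for line in text.splitlines():
        app, _, rule = line.partition("\t")
        if app.strip() and rule.strip():
            rules.append((app.strip(), rule.strip()))
    return rules


def bounded(rule):
    """True when the destination is limited to an address range, the LAN or broadcast."""
    low = rule.lower()
    return "local network" in low or "broadcast" in low or ADDR_RE.search(low) is not None


def audit_rules(text):
    """(severity, application, note) for every allow rule worth a second look."""
    findings = []
    for app, rule in parse_rules(text):
        low = rule.lower()
        if low.startswith("deny"):
            continue  # deny rules only narrow what is allowed
        m = PORT_RE.search(rule)
        if m:
            port, label = int(m.group(1)), m.group(2)
            expected = SERVICES.get(port)
            if expected and expected != label:
                findings.append(("INFO", app, f"port {port} labelled '{label}' but /etc/services says '{expected}'"))
        if app.lower() == "any application":
            # rules for every program are the consequential ones; unbounded ones are wide open
            findings.append(("LOW" if bounded(rule) else "HIGH", app, "applies to every program: " + rule))
        elif not m and not bounded(rule):
            if "any connection" in low:
                findings.append(("MEDIUM", app, "any protocol, any port, any host"))
            elif "tcp" in low or "udp" in low:
                findings.append(("MEDIUM", app, "any port, any host: " + rule))
    return findings


def conflicts(text):
    """Allow/deny pairs for one application that differ only in the verb."""
    seen, out = {}, []
    for app, rule in parse_rules(text):
        verb, _, rest = rule.partition(" ")
        verbs = seen.setdefault((app, rest.lower()), set())
        verbs.add(verb.lower())
        if verbs == {"allow", "deny"}:
            out.append((app, rest))
    return out


if __name__ == "__main__":
    for sev, app, note in audit_rules(RULES):
        print(f"{sev:6} {app:18} {note}")
    print("conflicts:", conflicts(RULES))
```

On the transcribed list this reports no HIGH rule, four MEDIUM ones (lookupd, Mail, mDNSResponder and nslookup may talk to any host on any port), six LOW "Any Application" rules that are bounded to local, broadcast or link-local ranges, and three INFO label mismatches (port 80 labelled https, port 443 labelled http, port 548 labelled apvovertcp) that are worth re-checking against the real rule list before deciding anything.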



## DeltaMac (Jul 19, 2006)

mazzy said:


> ...
> I've been repeatedly hacked by a freaky guy who put a pictures of me on his website.  I asked him to remove them, he refuses, and since then he's given me all kinds of hell.  I do think that he is a script kiddie bent on making my life miserable.  He wants to prove that he's in control.
> ....



Can you choose NOT to go to 'freaky guy's' web site, ever? That might help....  Do you get emails from him? Those can be blocked with a simple rule. You could also choose to complain to your ISP, if you know his email/web address.

Which of the things that you have mentioned, happened AFTER you got your Mac?


----------



## mazzy (Jul 19, 2006)

I don't go to his website.  And I don't get emails from him, unless he's sending it in the form of spam, which I delete immediately.  I have complained to my isp. They gave me a number, who gave me a number, etc, etc, etc.  Bottom line, I'm not important enough for anyone to look into it.  All of this happened before I got my mac, which is why I got the mac to begin with.  I've been very careful and I want to make sure I'm locked down.
thanks


----------



## mazzy (Jul 19, 2006)

Would you look at the following file that looks like a logfile, and tell me what you see.
tmp.0.gPUnUt
Jul 18 21:02:35 localhost kernel[0]: hi mem tramps at 0xffe00000
Jul 18 21:02:35 localhost kernel[0]: PAE enabled
Jul 18 21:02:35 localhost kernel[0]: standard timeslicing quantum is 10000 us
Jul 18 21:02:35 localhost kernel[0]: vm_page_bootstrap: 118829 free pages
Jul 18 21:02:35 localhost kernel[0]: mig_table_max_displ = 71
Jul 18 21:02:35 localhost kernel[0]: Enabling XMM register save/restore and SSE/SSE2 opcodes
Jul 18 21:02:35 localhost kernel[0]: ACPI CA 20051117 [debug level=0 layer=0]
Jul 18 21:02:35 localhost kernel[0]: AppleACPICPU: ProcessorApicId=0 LocalApicId=0 Enabled
Jul 18 21:02:35 localhost kernel[0]: AppleACPICPU: ProcessorApicId=1 LocalApicId=1 Enabled
Jul 18 21:02:35 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
Jul 18 21:02:35 localhost kernel[0]: The Regents of the University of California. All rights reserved.
Jul 18 21:02:35 localhost kernel[0]: using 1262 buffer headers and 1262 cluster IO buffer headers
Jul 18 21:02:35 localhost kernel[0]: Enabling XMM register save/restore and SSE/SSE2 opcodes
Jul 18 21:02:35 localhost kernel[0]: IOAPIC: Version 0x20 Vectors 0:23
Jul 18 21:02:35 localhost kernel[0]: Started CPU 01
Jul 18 21:02:35 localhost kernel[0]: ACPI: System State [S0 S3 S4 S5] (S3)
Jul 18 21:02:35 localhost kernel[0]: Security auditing service present
Jul 18 21:02:35 localhost kernel[0]: BSM auditing present
Jul 18 21:02:35 localhost kernel[0]: disabled
Jul 18 21:02:35 localhost kernel[0]: rooting via boot-uuid from /chosen: 957987C7-CC08-43E0-A0A6-D28DB369D591
Jul 18 21:02:35 localhost kernel[0]: Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
Jul 18 21:02:35 localhost kernel[0]: USB caused wake event (EHCI)
Jul 18 21:02:35 localhost kernel[0]: FireWire (OHCI) Lucent ID 5811 PCI now active, GUID 0016cbfffe586f76; max speed s400.
Jul 18 21:02:35 localhost kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/SATA@1F,2/AppleAHCI/AppleAHCIPort@2/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageDriver/FUJITSU MHV2080BHPL Media/IOGUIDPartitionScheme/Apple_HFS_Untitled_1@2
Jul 18 21:02:35 localhost kernel[0]: BSD root: disk0s2, major 14, minor 1
Jul 18 21:02:35 localhost kernel[0]: CSRHIDTransitionDriver:robe: 
Jul 18 21:02:35 localhost kernel[0]: CSRHIDTransitionDriver::start before command
Jul 18 21:02:35 localhost kernel[0]: CSRHIDTransitionDriver::stop
Jul 18 21:02:35 localhost kernel[0]: Jettisoning kernel linker.
Jul 18 21:02:35 localhost kernel[0]: Resetting IOCatalogue.
Jul 18 21:02:35 localhost kernel[0]: Matching service count = 4
Jul 18 21:02:35 localhost kernel[0]: Matching service count = 4
Jul 18 21:02:35 localhost kernel[0]: Matching service count = 4
Jul 18 21:02:35 localhost kernel[0]: Matching service count = 4
Jul 18 21:02:35 localhost kernel[0]: Matching service count = 4
Jul 18 21:02:35 localhost kernel[0]: mac 10.3 phy 6.1 radio 10.2
Jul 18 21:02:35 localhost kernel[0]: IOBluetoothHCIController::start Idle Timer Stopped
Jul 18 21:02:35 localhost kernel[0]: Previous Shutdown Cause: 3
Jul 18 21:02:33 localhost memberd[62]: memberd starting up
Jul 18 21:02:33 localhost mDNSResponder-108 (Jan 14 2006 02: 59:21)[55]: starting
Jul 18 21:02:35 localhost lookupd[66]: lookupd (version 369.5) starting - Tue Jul 18 21:02:35 2006
Jul 18 21:02:36 localhost configd[59]: com.apple.SystemConfiguration.DynamicPowerStep load failed
Jul 18 21:02:36 localhost diskarbitrationd[61]: disk0s2    hfs      3B00E13D-1C5A-3F93-82C6-8F3B7339EC1D Macintosh HD            /
Jul 18 21:02:37 localhost kernel[0]: yukonosx: Ethernet address 00:16:cb:a2:a0:a9
Jul 18 21:02:37 localhost DirectoryService[70]: Launched version 2.1 (v353.1)
Jul 18 21:02:37 localhost kernel[0]: AirPort_Athr5424: Ethernet address 00:16:cb:04:b6:3b
Jul 18 21:02:38 localhost configd[59]: WirelessAirPortDeviceNameCopy(): no AirPort driver found
Jul 18 21:02:38 localhost lookupd[84]: lookupd (version 369.5) starting - Tue Jul 18 21:02:38 2006
Jul 18 21:02:40 localhost kernel[0]: display: Not usable
Jul 18 21:02:41 localhost kernel[0]: [HCIController][setupHardware] AFH Is Supported
Jul 18 21:02:41 localhost mDNSResponder: Couldn't read user-specified Computer Name; using default “Macintosh-0016CBA2A0A9” instead
Jul 18 21:02:41 localhost mDNSResponder: Couldn't read user-specified local hostname; using default “Macintosh-0016CBA2A0A9.local” instead
Jul 18 21:02:42 localhost mDNSResponder: Adding browse domain local.
Jul 18 21:02:42 localhost KernelEventAgent[54]: tid 00000000 received unknown event (256)
Jul 18 21:02:49 localhost /System/Library/PrivateFrameworks/Admin.framework/Resources/UpdateSettingsTool: UpdateSettings Error: makequeues -u returned 256
Jul 18 21:02:54 localhost /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
Jul 18 21:02:55 localhost configd[59]: WirelessAirPortDeviceNameCopy(): no AirPort driver found
Jul 18 21:02:56 localhost configd[59]: WirelessAirPortDeviceNameCopy(): no AirPort driver found
Jul 18 21:03:07 localhost /System/Library/CoreServices/Setup Assistant.app/Contents/MacOS/Setup Assistant: _MDSuspendIndexing() 1
Jul 18 21:03:09 localhost /System/Library/CoreServices/Setup Assistant.app/Contents/MacOS/Setup Assistant: starting movie now\n
Jul 18 21:03:37 localhost /System/Library/CoreServices/Setup Assistant.app/Contents/MacOS/Setup Assistant: movie done now (hide)
Jul 18 21:03:44 localhost mDNSResponder: Couldn't read user-specified Computer Name; using default “Macintosh-0016CBA2A0A9” instead
Jul 18 21:03:44 localhost mDNSResponder: Couldn't read user-specified local hostname; using default “Macintosh-0016CBA2A0A9.local” instead
Jul 18 21:04:25 localhost ntpdate[203]: no servers can be used, exiting
Jul 18 21:05:37 roxys-computer configd[59]: setting hostname to "roxys-computer.local"
Jul 18 23:05:55 roxys-computer ntpdate[286]: can't find host time.apple.com\n
Jul 18 23:05:55 roxys-computer ntpdate[286]: no servers can be used, exiting
Jul 18 23:06:00 roxys-computer /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
Jul 18 23:06:05 roxys-computer loginwindow[291]: Login Window Started Security Agent
Jul 18 23:07:54 roxys-computer kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
Jul 18 23:08:25 roxys-computer kernel[0]: (88: coreservicesd)tfp: failed on 0:
Jul 18 23:12:16 roxys-computer kernel[0]: AppleYukon - en0 link active, 100-Mbit, full duplex, symmetric flow control enabled
Jul 18 23:12:16 roxys-computer configd[59]: executing /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/enable-network
Jul 18 23:12:16 roxys-computer configd[59]: posting notification com.apple.system.config.network_change
Jul 18 23:12:16 roxys-computer lookupd[365]: lookupd (version 369.5) starting - Tue Jul 18 23:12:16 2006
Jul 18 23:12:18 roxys-computer configd[59]:   target=enable-network: disabled
Jul 18 23:14:54 roxys-computer launchd: Server 0 in bootstrap 1103 uid 0: "/usr/sbin/lookupd"[365]: exited abnormally: Hangup
Jul 18 23:14:54 roxys-computer configd[59]: posting notification com.apple.system.config.network_change
Jul 18 23:14:54 roxys-computer lookupd[413]: lookupd (version 369.5) starting - Tue Jul 18 23:14:54 2006
Jul 19 05:15:00 roxys-computer cp: error processing extended attributes: Operation not permitted
Jul 19 10:15:01 roxys-computer postfix/postqueue[494]: warning: Mail system is down -- accessing queue directly

Again, thanks for your help.


----------
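Satcomer reads the log by eye in the next reply; crazydigger's earlier question, how would you know, deserves a more repeatable answer. The usual approach is to compare what logged against a baseline of what a clean machine of the same OS version logs, then list the events that describe someone or something acting on the box: login sessions, hostname and network changes, daemons dying, time sync failing. The following added example (not from the thread) does that for the syslog layout above; the baseline is the set of stock Tiger daemons visible in the posted log, and the sample is a subset of its lines. Anything not in the baseline is reported for identification, not labelled malicious; on the sample that is the lone cp message. Two caveats a practitioner would want stated: the kernel lines stamped 21:02:35 appearing before memberd at 21:02:33 is normal, since kernel boot messages are buffered and timestamped when syslogd drains them, so the script counts clock regressions instead of treating them as tampering; and a log read from the same disk cannot prove nothing happened, because anyone who had root could have edited it.

```python
"""Triage a Mac OS X 10.4 system.log excerpt: parse it, compare process names
with a baseline, and list the events that describe activity on the machine.

Added example, not from the thread. LOG_RE matches the syslog layout posted
above; BASELINE is the set of stock Tiger daemons seen in that log; SAMPLE_LOG
is a subset of its lines."""
import re
from datetime import datetime
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>.+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Build this from a known-clean machine of the same OS version. Anything else
# is reported for identification, not declared malicious.
BASELINE = {
    "kernel", "launchd", "memberd", "lookupd", "configd", "diskarbitrationd",
    "DirectoryService", "KernelEventAgent", "mDNSResponder", "ntpdate",
    "loginwindow", "Setup Assistant", "UpdateSettingsTool", "postfix/postqueue",
}

# Messages that describe someone or something acting on the box.
EVENTS = [
    ("login-session", re.compile(r"Login Window (Application Started|Started Security Agent)")),
    ("hostname-change", re.compile(r"setting hostname to")),
    ("network-change", re.compile(r"network_change|link active")),
    ("process-died", re.compile(r"exited abnormally")),
    ("time-sync-failed", re.compile(r"no servers can be used")),
    ("shutdown-cause", re.compile(r"Previous Shutdown Cause")),
]


def parse_line(line):
    """(timestamp, host, process, pid, message) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    proc = m.group("proc")
    if proc.startswith("/"):  # full bundle path -> executable name
        proc = proc.rsplit("/", 1)[-1]
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less, fine for ordering
    return ts, m.group("host"), proc, m.group("pid"), m.group("msg")


def triage(text):
    r = {"parsed": 0, "unparsed": [], "by_process": Counter(), "unknown": set(),
         "events": [], "clock_regressions": 0}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            r["unparsed"].append(line)
            continue
        ts, _host, proc, _pid, msg = rec
        r["parsed"] += 1
        r["by_process"][proc] += 1
        if proc not in BASELINE:
            r["unknown"].add(proc)
        # kernel boot messages are stamped when syslogd drains them, so one small
        # backwards step at boot is normal; a later or large one deserves a look
        if last is not None and ts < last:
            r["clock_regressions"] += 1
        last = ts
        for kind, pat in EVENTS:
            if pat.search(msg):
                r["events"].append((ts.strftime("%b %d %H:%M:%S"), proc, kind))
    return r


SAMPLE_LOG = """\
Jul 18 21:02:35 localhost kernel[0]: PAE enabled
Jul 18 21:02:35 localhost kernel[0]: Security auditing service present
Jul 18 21:02:35 localhost kernel[0]: Previous Shutdown Cause: 3
Jul 18 21:02:33 localhost memberd[62]: memberd starting up
Jul 18 21:02:35 localhost lookupd[66]: lookupd (version 369.5) starting - Tue Jul 18 21:02:35 2006
Jul 18 21:02:36 localhost configd[59]: com.apple.SystemConfiguration.DynamicPowerStep load failed
Jul 18 21:02:42 localhost mDNSResponder: Adding browse domain local.
Jul 18 21:02:54 localhost /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
Jul 18 21:04:25 localhost ntpdate[203]: no servers can be used, exiting
Jul 18 21:05:37 roxys-computer configd[59]: setting hostname to "roxys-computer.local"
Jul 18 23:06:05 roxys-computer loginwindow[291]: Login Window Started Security Agent
Jul 18 23:12:16 roxys-computer kernel[0]: AppleYukon - en0 link active, 100-Mbit, full duplex, symmetric flow control enabled
Jul 18 23:12:16 roxys-computer configd[59]: posting notification com.apple.system.config.network_change
Jul 18 23:14:54 roxys-computer launchd: Server 0 in bootstrap 1103 uid 0: "/usr/sbin/lookupd"[365]: exited abnormally: Hangup
Jul 19 05:15:00 roxys-computer cp: error processing extended attributes: Operation not permitted
Jul 19 10:15:01 roxys-computer postfix/postqueue[494]: warning: Mail system is down -- accessing queue directly
"""

if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    print("parsed", res["parsed"], "unknown processes", sorted(res["unknown"]))
    for ev in res["events"]:
        print(*ev)
```

Feeding it the whole of /var/log/system.log (Console shows the same file) gives a per-process count, the list of processes nobody has vouched for, and a timeline of sessions and network changes to compare against what the owner remembers doing.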



## gorgeousgeorge (Jul 19, 2006)

Er, hi - could I just ask a quick question in this fascinating hack dialogue (that was not ironic btw) - saw something earlier about the ~ sign. I have a persistent little file that keeps appearing on my desktop with the name "~". I delete it and lo & behold I notice it again at a later date. The file is only about 250kb in size.
Could it be related to the Bancos trojan I have to keep deleting every time I run Yahoo's anti-spy!! Sorry, I know all this is PC rubbish but I only just bought my iMac and still use the PC as an internet server to house the network.
Intending to reformat the hard drives of the PCs at some point but curious to know what this is.
If you don't wanna answer, I guess I'll understand!!
Cheers


----------



## Satcomer (Jul 20, 2006)

Mazzy, from the log files I see no break-in. What I do see is you might be unplugging a USB device without first unmounting it. I also see you might be having problems with the Apple time server. Make sure you keep open the right ports to keep the time server function. You can do this by going to your System Preferences->Sharing->Firewall and clicking on the function "Network Time". This opens the port your Mac uses to access a time server.

Also re-contact your ISP about getting spam from the same location. Write down the IP number and name-server of the reoccurring spam and tell your ISP tech support to please (with sugar on top) block email from that user. Almost every ISP I have ever had would do that if you talk nice to them. If all else fails, change your email. Plus never open any attachments you are not expecting until you can verify the person actually sent it.


----------



## mazzy (Jul 20, 2006)

Why do I need a time server?


----------



## billbaloney (Jul 20, 2006)

You don't need one, strictly speaking; the time server provides a reliable time that your machine can use to sync up its internal clock.


----------



## mazzy (Jul 20, 2006)

Thanks billbaloney......Then I'll keep that turned off.


----------



## mazzy (Jul 20, 2006)

Here is another example of strange files--
system/library/PrivateFrameworks/install.framework/versions/A/resources/defaults.hint
/*********************************************************************************
 * $Id: Default.hints,v 1.5 2005/03/02 01:25:03 shadow Exp $
 *
 * Upgrading hints for Mac OS X.  
 *
 * This file may be modified to alter the way in which Upgrader treats
 * certain files.  Files for which no hints are provided, or for which
 * the hints provided are not relevant given the actual conditions of the
 * upgrade, are handled using built-in heuristics. 
 *  
 * A hints file is an ASCII property list consisting of an array of
 * arrays. Each subarray contains a regular expression, followed by a list
 * of attributes to be applied to paths which match the expression.
 * The attempt to match a given path to suitable expressions stops when the
 * first match is found.
 *  
 * The following attributes are available:
 * 
 *  +ignore      Don't even checksum this file.  Don't mess with it no 
 *               matter what.  Children of an ignored folder are also ignored.
 *
 *
 * Attributes may be freely intermixed, except that +ignore is incompatible
 * with everything else, and the + and - version of the same attribute may
 * not be used together.
 *
 * A couple of translations are performed on the input expressions 
 * to make the expression matching look more like shell globbing:
 *
 *  ?  becomes .         Match any character
 *  *  becomes [^/]*     Match anything, but not across components
 *  \* becomes *         0 or more of preceeding expression
 *  .  becomes \.        Dots are literal
 *
 * EXCEPTION: '*' at the end of an expression with no other special characters
 * matches any filename which matches the expression up to the '*'.  This is 
 * different from the usual behavior of '*' in that multiple components may be
 * matched.
 *
 * Additionally, ^ and $ are added to the beginning and end of each entry.
 *
 * Copyright (C) 1991-2004 by Apple Computer, Inc. All Rights Reserved.
 *
 *********************************************************************************/
(
    ("/private/tmp/*", "+ignore"),
    ("/private/var/tmp/*", "+ignore"),
    ("/Mac OS 9", "+ignore"),
    ("/private/etc/mtab", "+ignore"),
    ("/usr/share/zoneinfo/localtime", "+ignore"),
	("/private/etc/localtime", "+ignore"),
    ("/private/var/vm/*", "+ignore"),
    ("/private/var/db/netinfo/*", "+ignore"),
    ("/private/var/run/*", "+ignore"),
    ("/private/var/at/*", "+ignore"),
    ("/private/var/spool/*", "+ignore"),
    ("/private/etc/dumpdates", "+ignore"),
    ("/private/etc/fstab", "+ignore"),
    ("/private/etc/iftab", "+ignore"),
    ("/private/etc/slpsa.conf", "+ignore"),
    ("/private/var/slp.regfile", "+ignore"),
    ("/private/etc/exports", "+ignore"),
    ("/private/etc/hosts.equiv", "+ignore"),
    ("/private/etc/hosts.lpd", "+ignore"),
    ("/private/etc/netgroup", "+ignore"),
    ("/private/etc/networks", "+ignore"),
    ("/private/etc/xtab", "+ignore"),
    ("/Network/Servers", "+ignore"),
    ("/Network/Servers/*", "+ignore"),
    ("/private/Network/Servers", "+ignore"),
    ("/lost+found", "+ignore"),
    ("/usr/Devices*", "+ignore"),
    ("/Library/Preferences/DirectoryService/ContactsNodeConfig.plist", "+ignore"),
    ("/Library/Preferences/DirectoryService/DSLDAPPlugInConfig.clpi", "+ignore"),
    ("/Library/Preferences/DirectoryService/SearchNodeConfig.plist", "+ignore"),
    ("/private/etc/mail/access", "+ignore"),
    ("/private/etc/mail/access.db", "+ignore"),
)

Is this a normal file??
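The header comment of the posted file describes a small glob-to-regex translation (`?`, `*`, `\*`, literal dots, the trailing-`*` exception, and the `^`/`$` anchoring). The following is an added example, not part of the post above and not Apple's own code: it implements exactly those translation rules in Python and runs them over a handful of entries from the file plus two constructed entries (marked) that exercise the `?` and `\*` rules, which none of the real entries use. Whether a `.` counts as a "special character" for the trailing-`*` exception is not stated in the comment; the code assumes it does not.

```python
import re
from typing import List, Optional, Tuple

# Subset of the posted entries, plus two constructed entries (marked) that use
# the '?' and '\*' rules so every translation rule is exercised.
SAMPLE = r'''
(
    ("/private/tmp/*", "+ignore"),
    ("/Network/Servers", "+ignore"),
    ("/Network/Servers/*", "+ignore"),
    ("/usr/Devices*", "+ignore"),
    ("/Library/Preferences/DirectoryService/SearchNodeConfig.plist", "+ignore"),
    ("/Users/*/Library/Caches", "+ignore"),
    ("/private/var/log/wtmp.?\*", "+ignore"),
)
'''
# The last two entries above are constructed for illustration only.

# Characters the header comment treats as glob syntax. '.' is deliberately
# not included (assumption: a dot does not defeat the trailing-'*' exception).
SPECIAL = set("?*\\")


def glob_to_regex(expr: str) -> str:
    """Translate one entry expression using the rules from the file's header comment."""
    # EXCEPTION: a bare trailing '*' with no other special characters matches
    # any path that begins with the prefix, across path components.
    if expr.endswith("*") and not (SPECIAL & set(expr[:-1])):
        return "^" + re.escape(expr[:-1]) + ".*$"

    out: List[str] = []
    i = 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr) and expr[i + 1] == "*":
            out.append("*")        # '\*' -> regex '*': 0 or more of the preceding expression
            i += 2
            continue
        if c == "?":
            out.append(".")        # '?'  -> any single character
        elif c == "*":
            out.append("[^/]*")    # '*'  -> anything, but not across components
        elif c == ".":
            out.append(r"\.")      # '.'  -> literal dot
        else:
            out.append(re.escape(c))
        i += 1
    # '^' and '$' are added to the beginning and end of each entry.
    return "^" + "".join(out) + "$"


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Pull (expression, attributes) pairs out of the (( "...", "..." ), ...) list."""
    return re.findall(r'\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', text)


def path_attributes(entries: List[Tuple[str, str]], path: str) -> Optional[str]:
    """Return the attribute string of the first entry matching `path`, or None."""
    for expr, attrs in entries:
        if re.match(glob_to_regex(expr), path):
            return attrs
    return None


ENTRIES = parse_entries(SAMPLE)

if __name__ == "__main__":
    for expr, _ in ENTRIES:
        print(f"{expr!r:60} -> {glob_to_regex(expr)}")
    for p in ("/private/tmp/a/b", "/private/tmp", "/Network/Servers/x",
              "/Users/bob/Library/Caches", "/Users/a/b/Library/Caches",
              "/private/var/log/wtmp.10", "/usr/Devices0"):
        print(f"{p:32} -> {path_attributes(ENTRIES, p)}")
```

The practical point is the trailing-`*` exception: `"/private/tmp/*"` becomes `^/private/tmp/.*$` and therefore covers the whole subtree, while a `*` in the middle of an entry (`/Users/*/Library/Caches`) stops at the next `/`. Anything an entry marks `+ignore` is excluded from whatever comparison this list drives, so the difference between "one level" and "everything underneath" is exactly what you want to know when reading such a list.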


----------



## fryke (Jul 21, 2006)

These files are normal. Are you now *REALLY* going to look through *EVERY* bloody textfile, and if some random word springs your imagination, do you post the file's content here?! That's not normal, buddy. Yes, any UN*X contains many, many human-readable text-files with strange content. The words "library" and "access" will come up a couple of times if you're about to read those 22'500 text files ahead of you (or did you already read half of them by now?).

Please: Just stop _worrying_. Could you again tell us the problem with your computer instead? I mean: The things not working etc. Through all the unimportant text-file reading, I kinda lose track of your actual problem (besides paranoia).


----------



## ex2bot (Jul 21, 2006)

Mazzy,

Nothing will be able to install in /System without you typing in your admin password. There are TONS of goofy little text files all over Unix-type machines. It's because open-source *nix was created as a labor of love by countless programmers. They love putting "Easter eggs" in. 

There's even a way to play Tetris with the command-line text editor called Emacs. I don't remember exactly how, but it's on the web somewhere.

Doug


----------



## mazzy (Jul 21, 2006)

Ok, Ok!!  I'll stop obsessing and leave you guys to people with real problems.  Thank you all for being patient with me.  Y'all have been great and I'm feeling much more secure and pleased for choosing a Mac.  When I have real problems, I'll be back, but for now I'm just going to relax and enjoy!

And again........Thanks!!!


----------



## Satcomer (Jul 21, 2006)

mazzy said:


> Why do I need a time server?



You will eventually. Time is kept internally and when the PRAM battery fails in the future, your time will start drifting. A time server keeps your computer on the correct timing mode.


----------



## mazzy (Jul 21, 2006)

Ok then, that's good to know.  I appreciate everyone's help.


----------

