Munix hacked? Valid files for install of Leopard?

I just caught up on the other replies in the thread that I'd missed...

RE: installing software myself after clean install...

The only software I've put on the machine over the past several weeks after installs included manual updates of Adobe Flash to the current version, Little Snitch downloaded from the OBDEV site, Apple iWork from a retail version I purchased new.

For a short period I installed Tunnelblick as an application that was provided to me for VPN service by WiTopia.net. Uses OpenVPN. Leopard didn't like it much and after running for a couple of days it would eventually stop working, so I stopped using it. WiTopia support said it worked with Tiger, and looking at the Tunnelblick site, the developer notes there are problems with it with Leopard.

I've been switching off between two VPN providers. One runs on the iMac and the other on the MacBook. Both are PPTP solutions. Secure-Tunnel.com and Strong-VPN.com.

That's not to say I didn't inadvertently drop something onto the machine while surfing around the web. I know at various points in this adventure when I've tracked down IP addresses I've come across LimeWire. I remember that specifically because it seemed odd to me since I am/was aware of the name in general but I've not used it before - meaning I've not downloaded or streamed content from a network known to me as Limewire.

I have viewed streaming media and downloaded content but it's been through iTunes. I don't use BitTorrent or other peer-to-peer download networks for music, etc. I purchase from iTunes or import from a CD.

Interestingly, this week on the iMac I've noticed much less outgoing activity/attempts by Little Snitch. Where the past couple of weeks it seemed I was constantly being asked to approve a new connection, not so much in the past couple of days.

I made three changes on this machine for this go round of the install that I had not done before:

1. Trash the Applescripts folder from Applications and secure empty.

2. Trash the Mac OS Remote Install application from the /applications/utilities folder and secure empty.

3. Activated an account with OpenDNS.com and manually set up DNS information in my router, AirPort, Ethernet and FireWire settings. (I don't use FireWire or physically connect through Ethernet, but what the heck?)

That's the latest.
 
I don't remember you ever mentioning the type of encryption you're using for your wireless. Also, are you using any other measures to secure your wireless? How about the password for your AirPort? Are you broadcasting your SSID? What about MAC filtering?

This one is a stretch, but are you sure you're connecting to your Airport and not some rogue access point imitating yours (quite possible with something like Evil Twin)? Do you experience the same problems when you reinstall and only use the ethernet as opposed to the wireless?

Something to test out, just in case...
 
I'm using WPA-Personal and have also used a Radius server connection. Will be attempting the Radius setup again this weekend.

So the screenshots are from earlier this week. Repartitioned and wiped the drive using DriveGenius 2. Established admin account and locked down. Did not allow connection to the internet. Created a STANDARD account. The shots you'll see were from the standard user account.

Things were different on the system this time. In the past when in a standard account then clicking on the Mac HD icon I would only see a folder called System. That folder would open to Library.

Now I can see multiple folders including sbin. At this point as a newbie to Mac I'm not even certain which view is the correct one, though as I navigated through various folder levels I found myself being reconnected with a higher level folder in a loop.

What prompted this round of wipe and reinstall? I turned on the machine and the Grab and Terminal apps were gone. GONE from the machine.

I've learned that if I turn off the iMac and leave it connected to electricity then changes may take place by the next time I turn it back on. (From shutdown, not sleep, never put it in sleep anymore). If I disconnect electricity there will be no changes.

Feedback is welcome.
 

Attachments: run mds.JPG, Mac HD top level.JPG, shared region roots.JPG, Launch-6rbCS8.JPG, mach kernel.JPG, webserver.JPG, spool postfix defer.JPG, makefile.JPG, folders caches.JPG, dsmappings.JPG
All of those screenshots "jive" with what I've got on my machine... nothing I see is out-of-the-ordinary.

The only thing I see that's weird is that those folders (var, etc, etc.) should not be visible in the Finder windows, unless you manually turned on something that shows invisible files in the Finder.

The "loop" behavior you're experiencing when navigating those folders is because a lot of those folders are symbolic links... meaning the folder you see (folder icons with a little arrow on them) isn't the true "home" of that folder... it's simply an "alias" link to that folder.

It also appears that you're using FileVault (your home folder in the left-hand sidebar of the Finder windows shows a gray house with a padlock on it)... any specific reason for this?

What format did you format the hard drive in (HFS+, Case-sensitive, etc.)? Also, why use DriveGenius 2 to format the drive when Disk Utility on the Mac OS X Install CD/DVD would do just fine?

I think perhaps it's time for another wipe-and-reinstall, but I'd like to provide specific procedures for doing so, and then check the results at the end of the install. That way, I can have complete control over the install process and know everything that's done along the way. Right now, we really have only your word on what exactly is being done -- for instance, I don't think it was ever mentioned that FileVault was turned on, even though it apparently is. If that's cool with you, let me know!
 
Interesting article, NIXGeek. I sometimes have wondered if my Bluetooth device is actually turned off. I know the little icon says it is, but since there's no hardware switch, only reliance upon software, I wonder if it is truly turned off.

I've also noticed something new popping up in the OS boot sequence in Console. Something called BTCO or similar loads now. Google says it's Bluetooth and Wi-Fi coexistence. That's been since 10.5.3, so perhaps it's a legit change.

I've also considered the possibility of a rogue AP, and the longer this problem goes on the more I lean towards that being a real possibility. There are multiple SSIDs in my building that are almost always on, and three of them resolve to the same hardware MAC address (used iStumbler and FrameSeer to capture some data). Typically when I'm connected online, if I use another device to scan the available SSIDs only two of the three are visible. Not always, but often. I've no clue how to track from that point or how to figure out if there is a direct tie-in.

But then again, if it's Bluetooth, I won't be able to detect that anyway. Letting the iMac Bluetooth run in scan mode to try to connect to a device usually comes up with nothing in range other than my own devices, if I have those devices in discover mode.
 
I'll be happy to follow a specific install plan if you'd like.

Yes, FileVault is running this time. Sometimes I have it on, sometimes not. This time I did. Turned it on in hopes it blocks access to files in that home folder when the machine is turned off.

Used DriveGenius because I was hoping that it would make enough changes to the HD that if something is continuing to live on the drive it would get shaken up. Disk Utility gives the same results over and over.

Formatted HFS Journaled. 1 partition for the Mac HD, 1 partition for the EFI, and 1 partition that is about 97 MB that DriveGenius would let me see exists, but would not allow me to delete. I could add space to that "Free Space" partition but that's the only option that was active. Disk Utility never shows me that the EFI or "Free Space" partitions exist.

I did not install a utility or issue a command to enable Finder to see hidden files. Thus my surprise at being able to see those folders.
 
Jun 27 01:41:46 PoquitoMac SecurityAgent[77]: Login Window done
Jun 27 01:41:46 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 01:41:46 PoquitoMac loginwindow[22]: Login Window - Returned from Security Agent
Jun 27 01:41:46 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.done by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:04:51 exchng-129 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder[100]: Unexpected quarantine error: -5000; ignoring
Jun 27 03:17:58 exchng-129 com.apple.SecurityServer[18]: Failed to authorize right system.install.root.admin by client /System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner for authorization created by /System/Library/CoreServices/Installer.app.

Jun 27 03:19:24 PoquitoMac loginwindow[414]: Login Window Started Security Agent
Jun 27 03:19:25 PoquitoMac SecurityAgent[422]: Showing Login Window
Jun 27 03:20:27 PoquitoMac SecurityAgent[422]: User info context values set
Jun 27 03:20:27 PoquitoMac authorizationhost[421]: Failed to authenticate user LittleMac (tDirStatus: -14090).
Jun 27 03:20:40 PoquitoMac SecurityAgent[422]: User info context values set
Jun 27 03:20:41 PoquitoMac SecurityAgent[422]: Login Window done
Jun 27 03:20:41 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:20:41 PoquitoMac loginwindow[414]: Login Window - Returned from Security Agent
Jun 27 03:20:41 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.done by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:56:15 exchng-129 com.apple.SecurityServer[18]: Succeeded authorizing right com.apple.Safari.parental-controls by client /Applications/Safari.app for authorization created by /Applications/Safari.app.
Jun 27 03:56:17 exchng-129 com.apple.SecurityServer[18]: Succeeded authorizing right com.apple.Safari.parental-controls by client /Applications/Safari.app for authorization created by /Applications/Safari.app.
Jun 27 04:47:50 PoquitoMac shutdown[676]: halt by Leslie:
Jun 27 05:26:18 localhost com.apple.SecurityServer[18]: Entering service
Jun 27 05:26:18 localhost com.apple.SecurityServer[18]: Succeeded authorizing right config.modify.com.apple.CoreRAID.admin by client /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer for authorization created by /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer.
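The Console excerpt above is easier to judge when the SecurityServer decisions are grouped by host, right and requesting client rather than read line by line. The following Python is an added example written for this page, not code posted by anyone in the thread; the sample input reuses lines from the excerpt and the field layout assumed is the standard syslog one (`Mon DD HH:MM:SS host process[pid]: message`).

```python
import re
from collections import Counter

# Lines copied from the Console excerpt quoted in the thread, in syslog layout
# "Mon DD HH:MM:SS host process[pid]: message". Not a live capture.
SAMPLE_LOG = """\
Jun 27 01:41:46 PoquitoMac SecurityAgent[77]: Login Window done
Jun 27 01:41:46 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:17:58 exchng-129 com.apple.SecurityServer[18]: Failed to authorize right system.install.root.admin by client /System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner for authorization created by /System/Library/CoreServices/Installer.app.
Jun 27 03:20:27 PoquitoMac authorizationhost[421]: Failed to authenticate user LittleMac (tDirStatus: -14090).
Jun 27 03:20:41 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 04:47:50 PoquitoMac shutdown[676]: halt by Leslie:
"""

# Generic syslog envelope: timestamp, hostname, process name, pid, free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# SecurityServer authorization decision; the trailing "." after the creator path is optional.
AUTHZ_RE = re.compile(
    r"^(?P<outcome>Succeeded authorizing|Failed to authorize) right (?P<right>\S+) "
    r"by client (?P<client>\S+) for authorization created by (?P<creator>\S+?)\.?$"
)
# authorizationhost password/credential failure with its Directory Services status code.
AUTHN_RE = re.compile(
    r"^Failed to authenticate user (?P<user>\S+) \(tDirStatus: (?P<status>-?\d+)\)"
)


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not fit."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(text):
    """Group authorization events so each decision is seen with its context:
    which host wrote the line, which client asked, and for which right."""
    hosts = set()
    granted = Counter()      # right -> number of times it was granted
    denied = []              # (right, client, creator) for every refusal
    auth_failures = []       # (user, tDirStatus) from authorizationhost
    unparsed = []            # lines outside the syslog layout, kept for manual review
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        hosts.add(rec["host"])
        az = AUTHZ_RE.match(rec["msg"])
        if az:
            if az["outcome"].startswith("Succeeded"):
                granted[az["right"]] += 1
            else:
                denied.append((az["right"], az["client"], az["creator"]))
            continue
        an = AUTHN_RE.match(rec["msg"])
        if an:
            auth_failures.append((an["user"], int(an["status"])))
    return {
        "hosts": sorted(hosts),
        "granted": granted,
        "denied": denied,
        "auth_failures": auth_failures,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("hostnames seen:", ", ".join(s["hosts"]))
    for right, n in sorted(s["granted"].items()):
        print(f"granted {n}x: {right}")
    for right, client, creator in s["denied"]:
        print(f"DENIED {right}\n  requested by {client}\n  on behalf of {creator}")
    for user, status in s["auth_failures"]:
        print(f"authentication failed for {user} (tDirStatus {status})")
```

Routine events (loginwindow granting `system.login.console` to itself) collapse into one count, while the two things worth a second look, a refused installer right and a failed password attempt, are listed with the process that asked.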
 
Note the sharing and permissions access.

They are exactly the same on my 2 Macs, and they are going to be exactly the same for any other Mac. Please read up and understand file permissions before being paranoid about this.

That panel shows that the file was last opened on the 21st of March 2008. So ... really. What's the problem?
 
A Japanese wiki server is active for java?
Just because there's some folder called "WikiServer" does not mean that a Java Wiki server is actually running on your machine.

There's a file called "Don't Steal Mac OS X" on your hard drive, too... does that mean that you stole Mac OS X? No.

The Japanese folder you're seeing is called a "localization." It's files and support things for when you change your system's language to Japanese. The default install of Mac OS X includes many localizations for many languages, and these localization files are located all over your hard drive and within many application packages.

Get a good book on the underpinnings of Mac OS X if you're curious about all these files. There are literally tens of thousands of files included with a Mac OS X install, and assuring you 10,000 times that each of these files is benign is going to make this thread very, very long. Perhaps a better book would be something on UNIX, since Mac OS X is UNIX. UNIX is extremely file-based -- and in most UNIX installations, many, many, many files for many, many, many different services exist on your hard drive whether you intend on using those services or not.

You can think of UNIX as very "modularized." Unlike Windows with its monolithic registry, UNIX stores application settings and configurations in separate files for different applications. Your Mac OS X installation includes things such as php (even if you never intend on writing a line of php code in your life), the Apache web server (even if you never intend on serving web pages), support for connecting to AD or OD servers (even if you never intend on actually connecting to this type of network environment)... the list goes on and on. EVERYthing is on your hard drive whether you intend on using it or not, but that does not mean that EVERYthing is active and running all the time. Just the files are there, just in case you want to... unlike Windows, which only installs and activates what you tell it to (and, of course, some things you don't) -- and when it comes time to turn on a service that wasn't installed, you're prompted to insert your original Windows CD so it can install the proper files.

Also, even though during the install process you only set yourself up as a user on the system, there are already a handful of other users on your system... "root," "wheel," "www," and "nobody" are just a few. This is how UNIX operates -- every process that's active on your system is "owned" by some user account -- maybe you, maybe one of the default users. And just because those users exist doesn't mean that they can actually log into your system. This is how UNIX works -- users and groups that own processes, each with their own set of permissions.

Wanna really blow your mind? Open up "Activity Monitor" in the /Applications/Utilities folder. Change the list for "All Processes" from the drop-down at the top. You'll see a handful of users other than yourself running processes... all perfectly normal. There's even one called "daemon." Doesn't mean you've got demons (er, "daemons") in your system, though.

It's like working on a car -- if I didn't know anything about an engine and went poking around under the hood of my car, I'd be pretty perplexed and possibly concerned... "Why is this tube here?" "Who put this clamp over there?!" "Why is that thing over there spinning, even though the car isn't moving?" "You mean explosions in the engine are supposed to happen?" "Oh, a battery... but I didn't know this was a hybrid!" In order not to freak myself out, I just shouldn't be poking under the hood without supervision or without the knowledge to tell me what's normal and what's not.
 
Wanna really blow your mind? Open up "Activity Monitor" in the /Applications/Utilities folder. Change the list for "All Processes" from the drop-down at the top. You'll see a handful of users other than yourself running processes... all perfectly normal. There's even one called "daemon." Doesn't mean you've got demons (er, "daemons") in your system, though.

Now he tells me. I gotta go phone up and cancel the appointment with my exorcist.
 
Also, even though during the install process you only set yourself up as a user on the system, there are already a handful of other users on your system... "root," "wheel," "www," and "nobody" are just a few.

When I told my family, "Nobody touch my iMac when I'm out!" I was being literal!
 
Well, I am back. I can't get my Mac to boot to the install disc at all and I keep having problems with my settings staying, well, set. Today I have hundreds of "WARNING!" messages in the System Log, but I will probably be told, 'that's normal, don't sweat it and don't look at the logs and then you won't worry'. I guess the old "outta sight, outta mind" phrase comes into play when it comes to Macs? Screen capture of my Log is attached. Sorry if I sound like a smart ass, but nobody will address the questions as presented. If you look back, I knew something was wrong because I did a 7-pass erase and reinstall, yet even though I didn't install X-11 or the language packages, they were all installed. The question of "how could that happen" is ignored and I'm not sure why. I am VERY frustrated and starting to feel like the hacking issues I had with my Windows machines are just going to continue even though I switched to a Mac, and so I might as well get used to it.
 

Attachments: LOG.jpg
Well, I am back. I can't get my Mac to boot to the install disc at all and I keep having problems with my settings staying, well, set. Today I have hundreds of "WARNING!" messages in the System Log, but I will probably be told, 'that's normal, don't sweat it and don't look at the logs and then you won't worry'. I guess the old "outta sight, outta mind" phrase comes into play when it comes to Macs? Screen capture of my Log is attached. Sorry if I sound like a smart ass, but nobody will address the questions as presented. If you look back, I knew something was wrong because I did a 7-pass erase and reinstall, yet even though I didn't install X-11 or the language packages, they were all installed. The question of "how could that happen" is ignored and I'm not sure why. I am VERY frustrated and starting to feel like the hacking issues I had with my Windows machines are just going to continue even though I switched to a Mac, and so I might as well get used to it.

First of all, read the entire thread... don't just skim it. We tried as best we can to cover all that was possible. Anything that looked normal was confirmed as such by everyone that's responded. There's a difference between actually having problems and jumping at every little message that says "Warning" on it just because you're not familiar with how Unix works. If you think it's any different in Windows, have a gander at the Event Viewer logs and see what you'll find there. That might just make your hair stand up just as it is with what you're finding in OS X's logs.

Now, on to the log you attached. As it stands, we're only seeing part of the log where it repeats the same message. We don't see where it starts happening to be able to assess how this came to pass. All that is shown is that you have a System Preferences warning. Could you possibly post some of the information prior to that message first showing up?

As for X11 being installed, did you see an icon for X11.app in your Applications folder? If not, then it's not installed. Plain and simple. To my knowledge, X11 was never installed by default until Leopard (see this link). The language packs are also installed by default to my knowledge. To prevent this from happening, you have to select to "Customize" before selecting to begin the installation of the files and then uncheck that which you do NOT want installed (I'm sure this was mentioned in previous posts as I remember reading this when going through this unnecessarily long thread). This link shows you how to do a custom installation (yes, it's about Tiger but it applied just as well to Leopard). BTW, this was EASILY found on Google just by using a few key words relating to your problem.

I hate to say it, but sometimes one must read the manual if one does not have familiarity with a particular OS. Many in this thread have even mentioned some great books that will help in the matter. As was mentioned, logs are there to inform you of what's going on. Not everything that says "Warning" means you're getting hacked. It might apply to the fact that something might not be activated/supported/whatever and it's just telling you this. Or, it might be an application that is trying to do something that the operating system does not like (possibly due to a bug in the application). Whatever the case, you can't assume that every message means someone is trying to "pwn" you. You have to check the logs in context in order to properly deduce what the problem might be, whether it's just an informative message or a genuine intrusion into your system.
 
Well, I am back. I can't get my Mac to boot to the install disc at all and I keep having problems with my settings staying, well, set. Today I have hundreds of "WARNING!" messages in the System Log, but I will probably be told, 'that's normal, don't sweat it and don't look at the logs and then you won't worry'.

Sorry to say this but that log file is a list of assertion failures (and they can be normal!). What were you running that generated those assertion failure messages?

Before you start panicking, assertions are normal if you're running a debug build or a program that, for one reason or another, decided to keep those asserts in at release. We do that at my company, so that developers will get to see exactly where a problem occurred. Notice, this is completely and thoroughly useless for an end user, as you will have no idea what is contained at NSView.m at line 4755 and you're not expected to. It's there for developers of the app to determine what's going on in their program.

If you want something similar on Windows, download DebugViewer or view the Event Log.

There could be a lot of reasons why you're seeing those messages. What were you doing prior to seeing those messages? And what error are you getting when you cannot boot up?
 
And just to show you what me and nixgeek mean, here's a screenshot of my Windows log. No, my system is functioning correctly and it's not hacked nor is it going to blow up at any point in time.

You're viewing a log file that is used by system administrators and developers for tracing down problems. There's a reason why those messages are hidden away from users but are readily available to those who need such info.
 

Attachments: Windows.png
I ran across this site while I was looking for answers and noticed the problems you are having. I have been killing Windows viruses for 9 years. I switched to Mac after I ran into the CD replicating virus. I couldn't figure out how it was doing it and where it could possibly be storing itself (trust me, I have a firm understanding and knowledge of removing the most insane viruses, and there of course was no one who could even conceive that this was possible). This virus was the only one I couldn't figure out and because of this, it rendered the infected computer useless.

I switched to Mac because I was obsessed with figuring out this virus and it turned me into a mad scientist :) which prevented me from living a "normal" life.

So now I am infected with the same virus/hack issues that are being discussed here on my Mac. Anyone who says something is "impossible" or you are "just paranoid" is someone with a mind that can't comprehend past what they can see, and if you are familiar with viruses, you know that it is what you can't see, explain or even comprehend that is the issue. I told myself a long time ago that if your computer is making you feel crazy in any way, it is most likely the computer and not you, although the line between reality and perceived reality can become blurred and create paranoia. I, from all of my years working with computers, can tell the difference between what is real and what isn't, but finding someone else that can is almost impossible, which is why I feel the need to post.

If you are one of the 95% of the population which cannot comprehend the incomprehensible, there is a book called "Big Book of Apple Hacks" that will surely open your eyes and take you to the next level of understanding.

1. The CD replication is true; as I stated, I have seen this in Windows an uncountable amount of times. It is happening to my G4, which is not connected in any way to any network; no matter what I do, I can't get rid of it. I recently found that there is memory in the optical drive that can be programmed and store information, although I don't know how, and the Mac hack book also tells you about memory in other places you would not even think of. This opened my eyes to an ability that I didn't know was possible. This made sense to me; whether it is true, I don't know as FACT. If it is true then there must be other areas that can be programmed the same way (we must keep an open mind or we will never find the answers). Please help me with this if you are aware that this is a possibility.

2. I am also experiencing the same virus/hack on my laptop, but the one on my laptop is network oriented. I did the same thing as that other guy with getting all of the new routers and all of that crap. Mac store (idiots, by the way) etc... even replaced my laptop and deleted my AirPort card through the software. But when I looked into my computer (software) the AirPort card was still connected and functioning. I don't know the ins and outs of networks, which is where the confusion lies for me. I have the iSight issue, fake web pages, everything, and feel like there is someone with me at all times. The Mac hack book has taught me some and I have crammed my head full of book after giant book trying to figure all of this out. My computer has been taken over completely, though I'm not sure whether the virus I have on my laptop is the same one that is on my G4 or not, but if not, they are very similar. I suspect the remote function. I want to physically disable any entry to my laptop but don't want to void my AppleCare. If you know how to do this, please help me with it, as I will do it if I have to.

So as of now I am screwed and there is no help for this in the world of closed minds.

So I just wanted to let you guys know that you are not crazy in any way and we, as of now, are stuck in the purgatory between the 2nd plane, which is where we are now, and the 3rd plane, which is where we will be after figuring out this new craziness. Every plane is more isolating and painful, but to a "scientist" the progression is out of our control.

Please help!!!!
 
If the people here are so sure that their computers have been infected at the hardware level, then simply take the computers to the nearest Apple Store. They'll be very interested in seeing the first Mac computer to be infected at the hardware level in over 20 years.

Other than that, I'm about ready to say that the scope of the problems being discussed here is beyond our help. We don't have physical access to the computer, people are too paranoid to put their computers on a network for us to have remote access to them, and it seems that just when we're squashing or explaining one problem away, a completely new one manifests itself (or a completely new member joins the discussion to chime in with a "me too").

Take your computers to security experts who can have physical access to do diagnostics on the machine. We would be very interested in hearing about the results. Otherwise, we have no choice other than to be skeptical, since these problems are obviously WAY out of the realm of anything we've heard of before.
 