Security breach/os x "clean install"

MacTex

Friend at home with two Tiger machines, desktop and laptop: Had a guy network them for her, but then, against her wishes, he configured them so that he could log on remotely.

1) can I simply re-install tiger and "start over" on the network settings? Or must I ensure he has no other "back doors"?

2) apparently OS X has no "clean install," like OS 9 did...right? Please advise re keeping preferences, etc...


Thank you,
Tex
 
Simply change the network settings would be less hassle, probably. Look into the Sharing preferences.
 
If you want to, you can do a clean install of OSX. I just did it, and other than a keychain problem in .Mac, it wasn't bad. If I remember correctly, you have to hold down 'C' as the Mac reboots with the installation DVD in the drive. You'll get a choice between (paraphrasing) "erase, format, and start over" or "reinstall OS only".

Besides backing up files, passwords, and registration codes, you may want to unregister the computer in iTunes and ensure that you'll be able to re-register all your software. I had a few anxious moments with MS Office.

fryke's reply above seems to imply that Apple's GUI for Sharing preferences is sufficient to lock-down anything nefarious he may have done at the command line. I have to defer to fryke's greater knowledge. I just don't know.
 
Well: If that user did some really nasty things, yes. But I'm just assuming here... What are the signs that the user can login from a remote location, anyway?
 
Is there a router involved (from DLink, NetGear, LinkSys, etc.)? If he left himself a backdoor, then chances are it's in the router that feeds the network. Reinstalling the OS will do little to prevent him access if this is the case.

Usually closing such a hole is as simple as logging into the router via a web browser ( http://192.168.0.1 {or whatever the router IP is} ) and disabling remote access and remote admin of the router. Change the admin password and IP setup while you're at it, and make sure there's no Dynamic DNS updater running (which would be used to get the updated WAN IP if running a dynamic connection). If the internet connection has a static IP, call the provider and explain to them what the "tech" illegally did here. Then demand a new IP.

Your friend should also report the guy to the proper authorities (FBI). Your friend might want to do this before anything is changed, in case the authorities want to document what he did. If the guy did leave himself access without express consent, it's a felony.
 
doh! didn't even think about the crime itself--have been focused on stopping the guy.

Yes, she's seen evidence that he's "fixed" stuff from a remote location. Actually, they're both young; she's an up-and-coming designer (graphic artist), and he's hoping she'll hire him. Of course, now, she's creeped out...

will study each reply and return with questions, if any; and also will add this: would installing a hardware firewall (in addition to the "built-in" one) be an advantage? i.e., given the fellow has had complete access to her entire system. In other words, a layer he did not consider nor configure?

Thanks so much--great replies...

-- tex
 
Most newer routers have a firewall built-in, so depending on the setup there might already be one.

How is the network setup? [[ i.e. What type of connection (DSL, Cable), is there a router in place (what's the brand and model-#) or if not how is the connection shared between computers? ]]
 
You said: Yes, she's seen evidence that he's "fixed" stuff from remote location. Actually, they're both young; ...

Well: *What* are the signs. Or is she simply paranoid? Are we talking about 12 year olds (or why do you state that they're young...)...
 
no, she's a young professional--not a seasoned businesswoman who *would've* called the authorities, who I presume would then have documented what he did. I'm sorry: all I know is that she said she could tell that he had made changes to some settings--presumably beneficial--but the changes had to have been made remotely because he did not come back to do them. He confirmed those changes in a phone conversation--that's when she freaked, because when he made the offer (ostensibly as a service, to be able to do maintenance/repairs etc. remotely), she told him no, absolutely *not* to configure for remote access. The "young" facet is that he's too "dumb" to realize he killed any chance of getting hired as a junior designer...make sense yet?

Not saying he's done anything malicious to the system--he's badly misplayed his hand, obviously. And when he realizes her "scorn," he might cause mischief or worse. dunno...but it's not secure, at any rate.

Again, thanks for reading--I appreciate your time and interest.

-- tex
 
mdnky said:
Most newer routers have a firewall built-in, so depending on the setup there might already be one.

How is the network setup? [[ i.e. What type of connection (DSL, Cable), is there a router in place (what's the brand and model-#) or if not how is the connection shared between computers? ]]
SBC modem: twisted pair in, built-in wireless...it's whatever's shipping these days from SBC*Yahoo DSL...

thanks
 
Then I _really_ think it's time to simply look at the "Sharing" system preferences and turn off anything that has to do with remote access, basically. If he's not really a hacker and just wanted to enable remote access so he can further support the computer, I don't think it's really malicious, and I wouldn't think about a back door, really... Just close the front doors now.
 
makes sense...and then just monitor activity via the built-in firewall, perhaps?

again, thanks ....

-- tex
 
I don't really think it's necessary to monitor the activity. I'd change her user password to something only _she_ knows, make sure that the Users system preferences only has _one_ active user (her as an administrator user) and that should be it.
 
OK...

Appreciate it...very much.

Oh, wait--this has been lurking in the back of my mind but did not state it: I assume he has set himself up as Administrator with his own password .... can we change that without a new install?

Sorry if that wasn't clear/assumed...

--tex
 
Check NetInfo to see if root is enabled - if it is, disable it.

If her account is an admin level account, she can delete his account if he created an admin account for himself.

Unless remote access is enabled in the sharing preference pane of system preferences, no one should be able to log in remotely.
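Added example, not code from anyone in this thread: a small POSIX shell audit that applies the two account checks from the reply above (extra admin accounts, root enabled) to sample output. The sample lines are constructed and assume the formats of Tiger's `dscl . -read /Groups/admin GroupMembership` and `nidump passwd .`, where a `*` password field means the account is disabled.

```sh
#!/bin/sh
# Audit helper for the two account checks above. Sample output is
# constructed; the line formats are assumed to match Tiger's
# `dscl . -read /Groups/admin GroupMembership` and `nidump passwd .`.

# Constructed: admin group membership as dscl prints it
SAMPLE_ADMIN_GROUP='GroupMembership: root tex helper'
# Constructed: root's line in passwd format (field 2 = password hash, '*' = disabled)
SAMPLE_ROOT_LINE='root:ab12cd34ef56gh:0:0::0:0:System Administrator:/var/root:/bin/sh'

# Print admin short names other than root and the expected owner ($2).
unexpected_admins() {
    members=$(printf '%s\n' "$1" | sed 's/^GroupMembership: *//')
    out=''
    for m in $members; do
        case "$m" in
            root|"$2") ;;          # expected members
            *) out="$out $m" ;;    # anything else is worth a look
        esac
    done
    printf '%s' "${out# }"
}

# Return 0 if root has a real password hash (root login enabled),
# 1 if the field is '*' or empty (root disabled).
root_enabled() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        ''|'*') return 1 ;;
        *)      return 0 ;;
    esac
}

# Run both checks and print what the owner should fix in the GUI.
audit() {
    extra=$(unexpected_admins "$1" "$3")
    if [ -n "$extra" ]; then
        echo "Unexpected admin accounts: $extra (delete them in Users preferences)"
    fi
    if root_enabled "$2"; then
        echo "root is enabled: disable it in NetInfo Manager (Security menu)"
    fi
}

# Usage with the constructed samples; 'tex' stands in for the owner's account.
audit "$SAMPLE_ADMIN_GROUP" "$SAMPLE_ROOT_LINE" tex
```

On the real machine, feed the functions the live output of the two commands instead of the constructed samples.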
 