An advanced script/web solution to track stolen Macs
Aug 28, '08 07:30:01AM
Contributed by: engelby
I worked in a school district for a few years where we had two break-ins that included thefts of Mac laptops. So I decided to create something that would help track laptops in the event they were stolen. This is of course free, one of its major advantages. It is also hosted by yourself, so it is easy to control. This has run on about 1,500 computers without causing any type of overload on machines or the network, and it does exactly what it is supposed to do. I now use it on all home and family computers because I trust it so well. I have used it for about a half a year and it works on Tiger and Leopard.
Note that this is software, so if the thief erases the hard drive on the computer, this will remove the phoning home capabilities. This does take some tinkering around, so it's fairly advanced. But the end result is very rewarding. This hint is broken up into the following sections -- be sure not to skip anything:
- What this essentially will do
- Little bits of info about the script
- What this assumes
- Four files you need
- Creating /etc/.cuploader
- Creating phone.sh
- Creating com.engelby.phone.plist
- Installing extra files
- Server setup
- What to do when stolen or you want to test
- How to know the script is running
- Other ideas
- Conclusion
Read on for the details on each section...
What this essentially will do:
- The Mac will report in to a server (to see if it is stolen) every six minutes.
- It will run in the background without the user ever knowing. It is a LaunchDaemon -- which means it will work even if no user is logged into the computer (i.e., it's stuck at the login window).
- If it is stolen, it will send information from the machine back to you through FTP (phase 1).
- If wanted, it will take a picture using the built-in iSight camera (phase 2).
- If wanted, it will move the Finder.app and Dock.app to a different location, which is easy to put back into place, and then change the background picture to an error message saying the Finder is corrupt and to return the computer to an Apple store for a free fix (phase 3).
Little bits of info about the script:
This script is called up by a launch daemon every six minutes. If the Mac is on the Internet, it will attempt to contact your webserver. If your server is up, it will look for a webpage that is named by your computer's MAC address.html. If this page exists, and has a secret word as the text on the page, it will start performing some actions. If the page does not exist, you will still be able to see on the webserver that every six minutes, a computer with a certain MAC address tried to make contact.
Because we hope computers are not stolen, and because this is made to work with one or thousands of computers, the error page has been completely cleared and is instead just the text "404." That's three bytes of information every time a computer connects and is not stolen. This is what makes it so scalable, even if you are talking about a huge environment. By looking in your /Library » Logs folder, you will be able to see a file that tells you if the computer reported itself as stolen or not. By looking at the date modified of that file, you can see the last time it ran.
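The trigger described above is a fixed word fetched over plain HTTP, so the client cannot tell whether the response really came from your server. As an added example (not part of the original hint), this sketch has the page carry an HMAC-SHA256 tag over the MAC address and phase number, which the client verifies with a shared key; the function names, the key and the tag format are assumptions, and openssl must be installed.

```sh
#!/bin/sh
# Added example: verify a keyed trigger instead of a fixed word such as "true".
# Assumptions: a shared secret known to client and server, openssl on the PATH.
# Note: -hmac puts the key on the command line, visible in the process list.

# trigger_tag KEY MACADDRESS PHASE -> hex HMAC-SHA256 of "MACADDRESS:PHASE"
trigger_tag() {
    printf '%s:%s' "$2" "$3" |
        openssl dgst -sha256 -hmac "$1" |
        awk '{ print $NF }'
}

# verify_trigger KEY MACADDRESS PHASE BODY -> exit 0 only for a valid tag
verify_trigger() {
    expected=`trigger_tag "$1" "$2" "$3"`
    # Refuse if the tag could not be computed (for example openssl is missing)
    [ -n "$expected" ] || return 2
    # Strip whitespace or newlines an editor or web server may have added
    received=`printf '%s' "$4" | tr -d ' \t\r\n'`
    [ "$received" = "$expected" ]
}

# Constructed demo values: the key is made up, the MAC is the hint's example
tag=`trigger_tag "constructed-demo-key" aabbccddeeff 3`
verify_trigger "constructed-demo-key" aabbccddeeff 3 "$tag" && echo "trigger accepted"
```

Because the tag covers both the MAC address and the phase, a page published for one machine or phase is rejected by every other machine and phase.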
What this assumes:
- You have a server that can host Web and FTP.
- You have downloaded and installed iSightCapture for phase 2.
- You have downloaded this phase 3 picture.
Four files you need:
- phone.sh -- installed in /etc/.cuploader (see next section on making .cuploader folder).
- com.engelby.phone.plist -- installed in /Library/LaunchDaemons.
- iSightCapture -- installed in /usr/bin/
- AuroraFinderCoppurt_1.jpg -- installed in /etc/.cuploader/
Creating /etc/.cuploader:
Open Terminal, and type in sudo mkdir /etc/.cuploader/ and authenticate as root when asked for your password. This will create an invisible folder. To get to the folder to install files, while in the Finder, press Shift-Command-G, and type in /etc/.cuploader/ and press Return.
Creating phone.sh:
Use TextWrangler (or your other favorite text editor) and save the file into /etc/.cuploader. Do not change any part of the script except the line below #Set this setting!, where you'll change 255.255.255.255 to the IP address of your server.
#!/bin/sh
# Created by James Engelby
# If you like what you get out of this...
# Consider a Donation to James Engelby!
# Visit www.jamesengelby.com
# If you use this code, leave these comments in the script!

#Set this setting!
serveripaddress="255.255.255.255"

#No need to do anything else here
# MAC address of en0 with the colons removed; it names the page to look for
macaddress=`(/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }')`
webaddress="http://"$serveripaddress"/"$macaddress".html"
site=`(curl -s "$webaddress")`
if [ "$site" = "true" ]; then
    # Phase 1: collect machine details and a screenshot, upload both by FTP
    touch /Library/Logs/YES
    externalip=`(curl -s http://checkip.dyndns.org | awk '{print $6}' | awk ' BEGIN { FS = "<" } { print $1 } ')`
    computername=`(/usr/sbin/system_profiler -detailLevel -3 | grep "Computer Name" | awk '{gsub (" Computer Name: ", ""); print}')`
    serialnumber=`(/usr/sbin/system_profiler -detailLevel -3 | grep "Serial Number" | awk '{print $3}')`
    thedate=`(date)`
    # Date with colons and spaces removed, safe to use in a file name
    safedate=`(date | awk ' { gsub(":", ""); gsub(" ", ""); print }')`
    lastusers=`(last | tail -n 15)`
    whoisit=`(whoami)`
    echo "IP: $externalip Date: $thedate ComputerName: $computername Serial: $serialnumber BuiltInEthernet: $macaddress WhoIsLoggedIn: $whoisit Users: $lastusers" >> "/Library/"$externalip$safedate".txt"
    curl -s -T "/Library/"$externalip$safedate".txt" -u steal:this --url "ftp://"$serveripaddress"/"
    /usr/sbin/screencapture -x -m "/Library/Preferences/screengrab"$safedate".png"
    curl -s -T "/Library/Preferences/screengrab"$safedate".png" -u steal:this --url "ftp://"$serveripaddress"/"
    # Remove the local copies once they have been uploaded
    rm "/Library/Preferences/screengrab"$safedate".png"
    rm "/Library/"$externalip$safedate".txt"
    # Starting Nested IF for Phase 2
    webaddress2="http://"$serveripaddress"/"$macaddress"2.html"
    site2=`(curl -s "$webaddress2")`
    if [ "$site2" = "true" ]; then
        sudo /usr/bin/isightcapture "/Library/ColorSync/picture"$safedate".png"
        touch /Library/Logs/YES2
        curl -s -T "/Library/ColorSync/picture"$safedate".png" -u steal:this --url "ftp://"$serveripaddress"/"
    else
        touch /Library/Logs/No2
    fi
    # Starting Nested IF for Phase 3
    webaddress3="http://"$serveripaddress"/"$macaddress"3.html"
    site3=`(curl -s "$webaddress3")`
    if [ "$site3" = "thisoneisdanger" ]; then
        # Marker file written below so that phase 3 only runs once
        haveirebooted=`(cat /Library/Logs/rebootphone3 2>/dev/null)`
        if [ "$haveirebooted" = "YESIHAVE" ]; then
            exit 0
        else
            touch /\ \ \ \ This\ Computer\ Has\ Been\ Stolen
            touch /\ \ \ Please\ Contact\ Police
            touch /\ This\ Computer\ Has\ Been\ Stolen
            sudo mv /System/Library/CoreServices/Finder.app /System/Library/
            sudo mv /System/Library/CoreServices/Dock.app /System/Library/
            echo YESIHAVE >> /Library/Logs/rebootphone3
            sudo mv /etc/.cuploader/AuroraFinderCorrupt.jpg /Library/Desktop\ Pictures/Nature/Aurora.jpg
            sudo reboot
        fi
    else
        touch /Library/Logs/No3
    fi
    exit 0
else
    touch /Library/Logs/NO
    exit 0
fi
exit 0
Creating com.engelby.phone.plist:
Use TextWrangler (or your favorite text editor) and save the file into /Library/LaunchDaemons. Do not change any part of the script.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.engelby.phone</string>
<key>OnDemand</key>
<true/>
<key>StartInterval</key>
<integer>360</integer>
<key>ProgramArguments</key>
<array>
<string>/private/etc/.cuploader/phone.sh</string>
</array>
</dict>
</plist>
Installing extra files:
Download iSightCapture and install it. Make sure it's installed in /usr/bin/isightcapture.
Download the phase 3 background picture and save it to /etc/.cuploader.
Server setup:
Set up web sharing and FTP access on your server -- it is ok if you have a main website hosted alongside this script. Find your error web page (the setting for where it is located is in the Server Admin) and you will have to edit this page. Open the page in TextWrangler, delete all of the contents of the page, and then type 404 and save the page. Set up a local account on the computer with the username steal and the password this -- this is used for FTP access.
Congratulations, you're done with the setup!
What to do when stolen or you want to test:
For Phase 1, which is to upload a text file containing the MAC address, serial number, who is logged into the computer, who has logged into the computer, IP address and more:
- Open the root of your webserver (On your server, it is most likely /Library/WebServer/Documents).
- Create a new text document in TextWrangler with only the text true, and then save it as the MAC address of your computer with the file extension of .html. Example: aabbccddeeff.html
- Save the document in the root of your webserver.
For Phase 2, which includes all of phase 1 but also takes a picture through the built-in iSight camera:
- Complete steps for Phase 1.
- Duplicate the MACADDRESS.html file created from phase 1.
- Rename the file to include the number 2 at the end of the MAC address. So an example is aabbccddeeff2.html
For Phase 3, which moves the Finder.app and the Dock.app and replaces the background picture:
- Complete steps from phase 1.
- Complete steps from phase 2 if you want a picture to be uploaded -- this isn't required!
- Duplicate the file from phase 1.
- Rename the file to be the MAC address with a 3 at the end of the name, so an example is aabbccddeeff3.html
- Open the document in TextWrangler.
- Erase the text in the document and type in thisoneisdanger and save the file.
How to know the script is running:
Open the folder /Library/Logs/. Check for a file that is named either YES or NO (YES being that a machine is stolen, and NO saying that a machine is not stolen).
Other things that may need to be done before this works:
- Open Terminal and enter command su root and type in the root password.
- In Terminal, type chmod 755 /etc/.cuploader/phone.sh.
- In Terminal, type chmod +x /etc/.cuploader/phone.sh.
- Restart your computer, or in Terminal, type launchctl load /Library/LaunchDaemons/com.engelby.phone.plist
Other ideas:
I created a package to contain the four files. I would suggest creating a package of the files once you have it running, and if you want, have it run the post install script with this command: launchctl load /Library/LaunchDaemons/com.engelby.phone.plist so they don't even need to reboot before it starts working. You can then give the package out to your family so you can track their Macs if they ever need it. Another thought is to have the MACADDRESS.html files already created on your webserver (with the text of true and thisoneisdanger) but without the proper file naming scheme. Have the file be named mac.html and then change it to your IP address once it is stolen.
Conclusion:
Let me know if you have problems or questions. It took a while to make this, but I am proud of it and it works great. Even if you don't mark things as stolen right away, your webserver will always get the page hit from the external IP of whoever did steal it and will have it in the webserver log file. It's another way for you to see that it is working on a computer because you will see a bunch of errors from computers looking for their MAC address.html pages.
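One way to read those webserver log entries, as an added example that is not part of the original hint: the function below summarises, for each MAC-named page, the last external IP and time it was requested from, how many check-ins were logged, how many distinct IPs it came from, and whether the last check-in got the 404 page or a real page. It assumes Apache common/combined log format; the function names and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example: summarise check-ins per MAC address from a web access log.
# Assumes Apache common/combined log format (an assumption, not from the hint).

# last_seen: reads log lines on stdin and prints, per MAC address:
#   MAC last-IP last-time check-ins distinct-IPs last-status
# Status 404 means the machine is not flagged; 200 means its page was served.
last_seen() {
    awk '
    $6 == "\"GET" && $7 ~ /^\/[0-9a-f]+\.html$/ {
        name = substr($7, 2, length($7) - 6)   # drop "/" and ".html"
        base = (length(name) == 12)            # MACADDRESS.html itself
        if (length(name) == 13 && name ~ /[23]$/)
            name = substr(name, 1, 12)         # phase 2 or 3 page
        if (length(name) != 12) next           # not a MAC-named page
        if (!((name, $1) in seen)) { seen[name, $1] = 1; nip[name]++ }
        ip[name] = $1
        ts[name] = substr($4, 2)               # strip the leading "["
        if (base) { hits[name]++; status[name] = $9 }
    }
    END {
        for (m in ip) {
            st = (m in status) ? status[m] : "-"
            print m, ip[m], ts[m], hits[m] + 0, nip[m], st
        }
    }' | LC_ALL=C sort
}

# Constructed sample log (documentation-range IPs, example MAC addresses)
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [27/Aug/2008:15:00:00 -0500] "GET /aabbccddeeff.html HTTP/1.1" 404 3
192.0.2.10 - - [27/Aug/2008:15:06:00 -0500] "GET /001122334455.html HTTP/1.1" 404 3
192.0.2.10 - - [27/Aug/2008:15:06:01 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [28/Aug/2008:07:24:00 -0500] "GET /aabbccddeeff.html HTTP/1.1" 200 5
203.0.113.7 - - [28/Aug/2008:07:24:02 -0500] "GET /aabbccddeeff2.html HTTP/1.1" 404 3
198.51.100.23 - - [28/Aug/2008:07:30:01 -0500] "GET /aabbccddeeff.html HTTP/1.1" 200 5
EOF
}

sample_log | last_seen
```

A machine whose distinct-IP count rises, or whose last IP is outside your own network, is the one to look at first.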
[robg adds: I haven't tested this one...]
Mac OS X Hints
http://hints.macworld.com/article.php?story=20080824185920426