Don't trust this on hacked machines...
Authored by: dbs on Apr 26, '07 08:55:54AM

This is a great tool in general, but be very careful of trusting this on a hacked machine.

A common technique of hackers is to replace programs like lsof, ps, top, etc., with hacked versions which explicitly don't show any of their trojan processes. So if your machine has been hacked, by all means use this to look around and see what happened, but don't trust it to indicate your machine has been cleaned.

The only decently reliable way to clean up from a hack is to re-install the OS from scratch and then copy data over from a backup. (If you restore the OS from a backup, you don't have any way of knowing whether the backup was made before or after the hack, for the same reasons mentioned above.)

Don't trust this on hacked machines...
Authored by: lar3ry on Apr 26, '07 10:52:19AM
That's all well and good, but that's incomplete advice.

If the user wants to find out what processes are listening on TCP/IP ports, the lsof program will work, albeit with your caveat that the program may be hacked.

Other things that could be done to simply check for listeners which are not as drastic as a complete system reinstall would be:

  • attempt to locate a program like lsof on the OS X install disk, if possible, by exploring the base install packages
  • transfer the image from another OS X system that you know for sure isn't compromised
  • find the sources to the utility and compile it yourself
Once you have a "known good" copy, you can run it to check out if anything is awry.

Oh... and backup, backup, backup! If you have a smart backup script with incrementals running daily, you might be able to see how and where your system may have been internally compromised (recent edits to files in /usr/bin are a good clue!).

Don't trust this on hacked machines...
Authored by: kholburn on Apr 27, '07 10:36:15AM

That wouldn't work if the hacker has compromised libraries. You would need a statically linked binary.

What hackers might not do is replace "Activity Monitor", because unix hackers don't expect Apple GUI tools.

Nonetheless, if you have been hacked you need to reinstall the OS. There is no real way around this.

Also turn on your firewall and you might consider "Little Snitch".

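A worked example of the "run the known-good copy and see if anything is awry" step from the two replies above, added here and not posted by any of the commenters: it reduces the output of the system's lsof and of a known-good lsof (from the install media, or a statically linked build) to their sets of listening TCP ports and reports where the two disagree. The two outputs are constructed samples in the format of `lsof -nP -iTCP -sTCP:LISTEN`; on a live machine you would capture them from each binary with that command.

```shell
#!/bin/sh
# Added example (not from the original thread). Compares the listeners
# reported by a suspect lsof against those reported by a known-good lsof.
# A listener that only the known-good copy shows is a sign that the system
# binary, or a library it loads, is hiding it.

# Constructed sample output of the system's (possibly tampered) lsof.
SUSPECT_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd      95 root    7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)'

# Constructed sample output of the known-good lsof run on the same machine.
KNOWN_GOOD_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd      95 root    7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)
.hidden   666 root    3u  IPv4 0x5e6f      0t0  TCP *:4444 (LISTEN)'

# Reduce lsof output to sorted, unique "port command" lines.
# The NAME column (e.g. *:22 or [::1]:631) is the field before "(LISTEN)";
# the port is whatever follows the last colon.
listen_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 && $NF == "(LISTEN)" {
      n = split($(NF-1), a, ":"); print a[n], $1 }' | sort -u
}

# Print every listener the two copies disagree on; return 0 only if the
# sets are identical. Argument 1: suspect output, argument 2: known-good.
compare_lsof() {
  suspect=$(listen_ports "$1")
  good=$(listen_ports "$2")
  result=$(printf '%s\n' "$good" | awk -v other="$suspect" '
    BEGIN { n = split(other, o, "\n")
            for (i = 1; i <= n; i++) if (o[i] != "") s[o[i]] = 1 }
    NF    { g[$0] = 1; if (!($0 in s)) print "hidden from suspect lsof: " $0 }
    END   { for (p in s) if (!(p in g)) print "only in suspect lsof: " p }' | sort)
  [ -n "$result" ] && printf '%s\n' "$result"
  [ -z "$result" ]
}

compare_lsof "$SUSPECT_LSOF" "$KNOWN_GOOD_LSOF" \
  || echo "WARNING: the two lsof binaries disagree; do not trust the system copy"
```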