

Don't trust this on hacked machines...
Authored by: lar3ry on Apr 26, '07 10:52:19AM
That's all well and good, but that's incomplete advice.

If the user wants to find out what processes are listening on TCP/IP ports, the lsof program will work, albeit with your caveat that the program may be hacked.

Other things that could be done to simply check for listeners which are not as drastic as a complete system reinstall would be:

  • Attempt to locate a program like lsof on the OS X install disk, if possible, by exploring the base install packages
  • Transfer the image from another OS X system that you know for sure isn't compromised
  • Find the sources to the utility and compile it yourself
Once you have a "known good" copy, you can run it to check out if anything is awry.

Oh... and back up, back up, back up! If you have a smart backup script with incrementals running daily, you might be able to see how and where your system may have been internally compromised (recent edits to files in /usr/bin are a good clue!).

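Added example, not part of either comment above and not a Mac OS X Hints script: a small POSIX shell script that carries out the three checks lar3ry describes, using a known-good lsof copy. It (1) parses `lsof -i -P -n` output for sockets in LISTEN state, (2) compares the installed lsof binary byte-for-byte against the known-good copy with `cmp` (a hash comparison would serve equally), and (3) lists files in a directory such as /usr/bin modified within the last N days, the clue the comment mentions. The lsof output embedded below is constructed sample text so the script runs offline; the paths `/usr/sbin/lsof` and `/Volumes/KnownGood/usr/sbin/lsof` are assumed for illustration.

```sh
#!/bin/sh
# Added example (not from the original comments). Assumed paths:
#   INSTALLED_LSOF   - the lsof on the possibly compromised system
#   KNOWN_GOOD_LSOF  - a copy taken from the install disk or a clean machine
INSTALLED_LSOF="/usr/sbin/lsof"
KNOWN_GOOD_LSOF="/Volumes/KnownGood/usr/sbin/lsof"

# Constructed sample of `lsof -i -P -n` output (not captured from a real host).
sample_lsof_output() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv4 0x1234      0t0  TCP *:22 (LISTEN)
cupsd     312 root    7u  IPv6 0x5678      0t0  TCP [::1]:631 (LISTEN)
Safari    801 lar3ry 23u  IPv4 0x9abc      0t0  TCP 10.0.0.5:49213->93.184.216.34:443 (ESTABLISHED)
EOF
}

# Read lsof output on stdin; print "command pid proto address" for each
# socket in LISTEN state. The state is the last column, the address the one
# before it, and the protocol (NODE) is column 8 in `lsof -i -P -n` output.
list_listeners() {
    awk '$NF == "(LISTEN)" { print $1, $2, $8, $(NF-1) }'
}

# Return 0 if the installed binary is byte-identical to the known-good copy,
# 1 if it differs (or either file is missing). cmp is POSIX, so this works
# the same whether sha256sum or shasum happens to be available.
verify_binary() {
    known_good="$1"
    installed="$2"
    if cmp -s "$known_good" "$installed"; then
        return 0
    fi
    return 1
}

# List regular files under $1 modified within the last $2 days, the
# "recent edits to files in /usr/bin" clue from the comment.
recent_changes() {
    dir="$1"
    days="$2"
    find "$dir" -type f -mtime "-$days"
}

# Stand-alone run: show listeners from the constructed sample, then, only
# if the assumed paths exist on this host, run the real checks.
echo "Listening sockets (constructed sample):"
sample_lsof_output | list_listeners

if [ -f "$KNOWN_GOOD_LSOF" ] && [ -f "$INSTALLED_LSOF" ]; then
    if verify_binary "$KNOWN_GOOD_LSOF" "$INSTALLED_LSOF"; then
        echo "installed lsof matches the known-good copy"
    else
        echo "WARNING: installed lsof differs from the known-good copy"
    fi
    echo "Files in /usr/bin changed in the last 7 days:"
    recent_changes /usr/bin 7
fi
```

On a real host you would feed `"$KNOWN_GOOD_LSOF" -i -P -n | list_listeners` rather than the sample, and note kholburn's point below: a clean lsof binary still loads the system's shared libraries, so a match here says nothing about them.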

Don't trust this on hacked machines...
Authored by: kholburn on Apr 27, '07 10:36:15AM

That wouldn't work if the hacker has compromised libraries. You would need a statically linked binary.

What hackers might not do is replace "Activity Monitor" because unix hackers don't expect apple gui tools.

Nonetheless, if you have been hacked you need to reinstall the OS. There is no real way around this.

Also turn on your firewall and you might consider "Little Snitch".
