My iMac has been hacked via sshd. What now?
My iMac runs Mac OS X Yosimite 10.10.1
I accidentally had "Remote Login" enabled in my Mac's system preferences, so the sshd was running.
I just notified in Little Snitch's network monitor window, that it logged about 90 connections from different servers to sshd. I checked the ip addresses on http://ipinfo.io and all the logged ip addresses are located in China, Hong Kong and South Korea.
It seems to be pretty bad.
I looked around a little bit in the available network protocol of Little Snitch and found out, that the ip addresses appearing in the sshd log also appeared in the logs of several other processes, including
- sh
- DDService64d (apparently DDService64d is part of the Drobo Dashboard - I have a Drobo 5N installed in my LAN)
- launchd
all with user "root" (including the sshd logs). I thought user root was disabled by default on Mac OS X, but this might all be results of the hack...
So the question now is how to proceed?
- Of course I switched off "Remote Login" (sshd) on the machine.
- I disabled the root user with the "dsenableroot -d" terminal command
- I changed my admin password
I use a cable modem for internet connection (FritzBox 6360). UPnP is switched on (and I use this feature for several apps). There where several mappings to port 22. I removed all these.
But probably this won't be enough.
Since my computer definitely is compromised I don't really trust it anymore. What should I do now? Erase the whole thing and re-install all new? That would be a huge amount of time going down the drain.
And what's about the DDService64d access? Is my Drobo 5N also compromised? Is there a way to check this?
My TimeMachine backup is also saved on the Drobo 5N, so even if I decide to erase the computer and start all over again, how can I be sure, that it isn't compromised again by the TimeMachine backup on the Drobo?
Any advice?
Solution 1:
If you are absolutely certain that your Mac has been hacked I'd strongly recommend that you erase your hard drive, reinstall OS X and manually copy you data back from Time Machine:
- Back up your Mac.
- Restart and hold Command+R to enter OS X Recovery (http://support.apple.com/en-us/HT4718).
- Select 'Disk Utility' and reformat your hard drive (http://support.apple.com/kb/PH5849).
- Quit 'Disk Utility' and select 'Reinstall OS X'. Note that (from http://support.apple.com/en-us/HT4718):
Reinstalling OS X using Recovery requires broadband access to the Internet using a Wi-Fi or Ethernet connection. OS X is downloaded over the Internet from Apple when OS X Recovery is used for reinstallation. You must use DHCP on your Wi-Fi or Ethernet network to reinstall OS X using OS X Recovery. If you bought OS X from the Mac App Store, you may be prompted to enter the Apple ID and password you used to purchase OS X.
- When OS X is up and running, plug your external Time Machine drive, open it in Finder, open the folder named after your Mac and then the 'Latest' folder (http://www.macissues.com/2014/04/14/how-to-restore-files-from-time-machine-manually/).
- Browse to 'Applications' and copy non-Mac App Store applications back to '/Applications'. Note that some apps (for example VMware Fusion) won't work properly if copied, you must reinstall them with the installer provided by the manufacturer.
- Install Mac App Store applications from the App Store.
Browse to 'Users/[your username]' and copy Documents, Pictures, Movies, Music, and any other folder that contains important data to your new home folder.
I would refrain from copying 'Library', although that's where your settings are located. If you have iCloud Mail, Contacts, Calendars, Reminders, Safari, Notes and Keychain synchronization enabled most of your settings will rebuild themselves just fine. You may want to selectively copy application settings from 'Library/Application Support' after checking the files' contents.
- If you share your Mac with other people repeat steps 8. and 9. for their accounts.
iCloud synchronization is especially important for Keychain, and I talk from experience: I had a pretty hard time exporting and importing Keychain after installing OS X Yosemite from scratch without restoring from a Time Machine backup.
A piece of advice: It is best practice that the login account you use on a daily basis doesn't have administrative rights. You should create an administrative account instead. I usually call it admin
:
while my account is 'Standard'. The side effect is that OS X will prompt you to type admin
's password every now and then, for example to edit settings in System Preferences:
Good luck!
Solution 2:
Date 1st impact
Identify as best as you can the date of 1st attack. Because all the backup after this date are corrupted and can't be trusted. (By the way, no need to make a backup of a potentially dangerous system.)
Look at the oldest log in /var/log/system.log
showing abnormal ssh
access, i.e. from an IP you weren't at.
Damage size
Once you have identified this approximate date, estimate the perimeter of damage caused by your attaquant.
If the event occured 14 days ago, use a find
command to identify all the files your attackants modified on your system:
/usr/bin/sudo find / -mtime -15 -mtime +13 -ls
I insist on using /usr/bin/sudo
because it is possible that your sudo
within your PATH might have been replaced.
A safer method is to do all this investigation with:
- you Mac unplugged from any form of network (totally isolated),
- with a safe version of your Yosemite on an USB key or an external drive (if you don't have one, don't build it from your dangerous system, ask a colleague to make you one on a safe system).
Restore safe data
From a safe version of your Yosemite on an USB or an external drive do:
a total format of your internal disk,
a new install of Yosemite.
Restore the rest of your users data from a backup older than the date of 1st attack, in my example 15 days old.
Avoid most common weaknesses
Close any guest access.
Change all users password (I mean a real change, don't switch from password
to password1
, change for {}=øph0!
or Mißm4tcH
…).
Change them on any other system were you might have used the same passwords. Consider all of them as dangerous… since 14 days.
Keep sharing (System Preferences > Sharing
) to the minimum you really need.
Return to surface
Now you can configure your Mac to a normal network configuration and return to the surface of the Internet :).