Think I got hacked


eikelbijter

Senior member
Aug 27, 2009
534
304
136
They are phishing with a known password. THE END

Except in my case it WASN'T the end. After months of getting those generic phishing emails with a super old password of mine that I did use, but only once, and me just deleting them, three days ago I got an email from my hosting company saying one of my email accounts got hacked and they shut it down.

Sure enough, hacker got in, with a completely different password than the one he'd been threatening he had. Now, the new one wasn't particularly secure, and extensive scans of my systems have shown no infection with any malware, so he prolly dictionary attacked and got in, but this just shows an extended and dedicated attack on me. Scary times we live in...

R
 

Verndewdimus

Member
Nov 18, 2016
60
21
81
www.reverbnation.com
hosts.deny creation in OS X. Doesn't work without a hosts.allow file.
sudo pico /etc/hosts.deny
Why? Because if your fans are blasting and tcpdump is showing thousands of connections from the same IP over the course of an hour, you're probably being attacked. What to write?
#
# hosts.deny This file describes the names of the hosts which are
# denied the use of local INET services, as decided
# by the '/usr/libexec/tcpd' server.
#
ALL: ALL: deny
ALL: 185.87.
(sudo nano brings the file up to be edited)

(first 2 segments of the offending IP will block the entire range in that network)
Note: I purposefully used Unix server code on some of these to force people to research.
https://www.tenable.com/blog/hardening-os-x-using-the-nsa-guidelines
Second is learning some terminal commands and installing powerful security programs.

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO

disallows hidden accounts

dscl . list /Users | grep -v "_\|nobody\|root\|daemon"
finds any hidden accounts; they can be deleted as well
https://applehelpwriter.com/2017/05/21/how-to-reveal-hidden-users/
https://www.cnet.com/news/stubborn-user-accounts-returning-when-deleted-in-os-x/

last: last login
who: who's logged on
w: like who in verbose mode, shows users and the files they are using. When doing scans in Terminal each window will be a separate login.


defaults read /Library/Preferences/com.apple.loginwindow
Login window data

tail -F /var/log/system.log
follows everything the system is doing. This is how I found the recent Google zero-day exploit before Google did, and it was a brash assumption based on resources and Google update timing.

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef
shows running kernel extensions
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
shows launch daemons
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
turns remote access off at boot
sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//')
swiped from Linux server pages
sudo ifconfig -a
for a rudimentary cut and paste; essentially an ipconfig-type command that reveals local information

Here is your port information

Well Known Ports: 0 through 1023.

Registered Ports: 1024 through 49151.

Dynamic/Private : 49152 through 65535.

chkrootkit scans a Mac for rootkits and turns up timed as infected due to Apple's reprogramming

sudo nmap -sV -Pn --script=http-malware-host 192.168.0.x (your IP address)


sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
DNS flush

launchctl list | grep mdworker
reveals mdns data

You need to do insane amounts of research on these, but in the end sudo tcpdump -n -p -s is most all of what you need to know you're being hacked.
I haven't added a Wireshark part to my regimen yet, but you should.
tcpdump (-n resolves IP addresses / -p takes it out of promiscuous mode / -s forces absolute not relative IP resolution). sudo is running as root.

Then you need a Mac OS firewall front end. Any decent one isn't a firewall; you don't need a literal firewall, you need control over the power of the Unix framework behind OS X.
Murus, IceFloor and Little Snitch.
IceFloor is said to be good but Murus is said to be better. I tried Little Snitch and was impressed, but the general consensus is Murus is better. Little Snitch does geolocation, but with hackers that's useless.
Nmap is too powerful; you can get in serious trouble using it the wrong way, as hackers use it for brute force attacks and DDoS. But Nmap can reveal massive amounts on your local network.
http://macappstore.org/?s=nmap
By far the simplest and easiest thing to do is the NSA guidelines and use Murus. Murus will cost you a few weeks reading, but the stuff I've posted was an effort made over a couple of years, especially with Nmap.

Reset your passwords after all that.
Cut and paste commands for OS X. Again, some commands are taken from Unix sources to push a person to read up on it. This isn't even one one-hundredth of what I've read and done in Terminal. At the end of the day, knowing what a DDoS/DoS/flood attack looks like is crucial. There are good server articles on the web about that. Once you find the culprit IP in tcpdump, pretty much anything in the control sector is potentially in your hands.
 
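As an added example (not code from anyone in this thread), a small Python script that does the tcpdump counting the post above describes: it tallies SYN attempts per source IP in tcpdump -n output, flags sources above a threshold, and drafts the hosts.deny client pattern in the post's first-two-octets style next to a single-host one. The line format, the constructed sample capture and the threshold are my assumptions.

```python
"""Flag flood-like connection bursts in tcpdump -n output and draft hosts.deny
entries. Added example, not from the thread. Assumes the default tcpdump -n
line format for IPv4 TCP, e.g.
'12:00:01.000123 IP 185.87.10.5.44321 > 192.168.0.10.22: Flags [S], ...'
Only SYN-only packets (new connection attempts) are counted, per source IP."""
import re
from collections import Counter

# Timestamp, source IP/port, destination IP/port and TCP flags from a tcpdump -n line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: one source hammering port 22 with 200 SYNs,
# the host's SYN-ACK reply, one normal session on 443 and an IPv6 mDNS line.
SAMPLE_LINES = (
    ["12:00:%02d.000001 IP 185.87.10.5.%d > 192.168.0.10.22: Flags [S], seq 1, win 1024, length 0"
     % (i % 60, 40000 + i) for i in range(200)]
    + ["12:00:05.000002 IP 192.168.0.10.22 > 185.87.10.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0",
       "12:00:06.000003 IP 10.0.0.7.51000 > 192.168.0.10.443: Flags [S], seq 3, win 65535, length 0",
       "12:00:06.000004 IP 10.0.0.7.51000 > 192.168.0.10.443: Flags [.], ack 1, win 65535, length 0",
       "12:00:07.000005 IP6 fe80::1.5353 > ff02::fb.5353: UDP, length 100"]
)

def count_syns(lines):
    """Return {src_ip: number of SYN-only packets} over the parsable lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Skip non-IPv4-TCP lines and anything carrying ACK ([S.], [.], [P.]):
        # those belong to established or answered flows, not new attempts.
        if not m or "S" not in m["flags"] or "." in m["flags"]:
            continue
        counts[m["src"]] += 1
    return counts

def flood_sources(lines, threshold):
    """Source IPs whose SYN count reaches the threshold, busiest first."""
    return [ip for ip, n in count_syns(lines).most_common() if n >= threshold]

def hosts_deny_entry(ip, octets=2):
    """hosts.deny client pattern: octets=2 is the post's whole-/16 style
    (a trailing dot means prefix match); octets=4 blocks just that host."""
    prefix = ".".join(ip.split(".")[:octets])
    return "ALL: " + (prefix if octets == 4 else prefix + ".")

if __name__ == "__main__":
    for ip in flood_sources(SAMPLE_LINES, threshold=100):
        print(ip, hosts_deny_entry(ip), hosts_deny_entry(ip, 4))
```

On a live box the same functions can read `sudo tcpdump -n -l` output line by line; the /16 pattern also blocks every neighbour of the offender, so prefer the single-host form unless the whole range is hostile.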

Red Squirrel

No Lifer
May 24, 2003
67,342
12,099
126
www.anyf.ca
Did you ever find out how they got in? Like any exploit in postfix/dovecot etc.? Wonder if I need to apply a patch manually or something. Maybe yum update is not enough?

Also realized that my fail2ban is not really doing its job. I tested and it's not actually blocking IPs properly as it should. Someone can sit there and keep brute forcing and eventually get in. It still sends me alerts though, and I've only had a few so far and was looking at logs and they were trying to log in as root, which is disabled. But this got me thinking if fail2ban even does pop3 etc. as well... Should probably check that.
 

Verndewdimus

Member
Nov 18, 2016
60
21
81
www.reverbnation.com
I found an exploit with nmap but the hacker deleted the data. He would also leave random non-script files on my desktop, likely to freak me out. Mac is a tough nut to crack, though, but the last thing he did was enable remote login from System Preferences, which I check pretty regularly, and he somehow corrupted my last Murus config. I've reset permissions in Terminal again and reconfigured Murus to be even more secure and am reading everything I can. I don't go a day without monitoring everything; in fact, I'll spend 8 hours just doing my own security checks some days. The IP geolocations were from places like Norway, Turkey, and of all freaking places the pensions and labor office in Warsaw, Poland. I think it was the recent emergence of the Google update engine zero-day exploit; I'd been watching that align with high resource use and suspecting it months before they announced it, and I think it was a piggyback on the curl command to update Google. Aside from that, a few shady dating sites would be where I assume they hang out, probably some porn sites too. I emailed the offices in Poland and Ideal Hosting in Turkey about them having hangers-on using their servers for DDoS/floods. My Mac isn't doing the screaming fan, cook-an-egg-on-my-laptop-case thing as of now, but I have to keep getting at it.
 

Red Squirrel

No Lifer
May 24, 2003
67,342
12,099
126
www.anyf.ca
Oh was this on your workstation, or on the mail server? Did you notice anyone logged in when using the w command? That's usually what I do to check, but I wonder if hackers have other ways of getting in without actually getting direct shell access. Like through arbitrary code injection etc.
 

Verndewdimus

Member
Nov 18, 2016
60
21
81
www.reverbnation.com
On my personal laptop. If hidden users are enabled you won't see the login with the right scripts; w never showed anything. But this was an eventual path from the "wtf, can't touch that hot azz thing" to SMC/NVRAM reset to fumbling with logs and scans to finding out a base amount of how to deal with this, but I suspect there was a code injection, as the now-missing nmap scan revealed malware. At this point I have Murus in stateful monitor mode on everything, with everything detecting brute force and everything remote-capable blocked. These were DDoS floods; on several occasions it resulted in blocked internet, so they bypassed port security and injected a script.
 

Verndewdimus

Member
Nov 18, 2016
60
21
81
www.reverbnation.com
I'm debating on a keychain reset, but I've only read a little on it, enough to know I should do it offline. Speaking of which, locking keychain access is yet another step in the chain, as it forces you to log in for elevated privs (I'm assuming). Restricting keychain access is vital. I'm new, so I don't know if it's a red herring step.
 

Verndewdimus

Member
Nov 18, 2016
60
21
81
www.reverbnation.com
Here's a quote from the Murus setup manual about hackers.

What are they doing?

Before going deep into Murus configuration, we want to give you some information on how these "hackers" do their job. Most of them simply follow a very simple and common pattern made of these steps:

1) focus on a specific service for which they have a working remote exploit
2) mass scan the Internet for hosts running such services and build a list of IP addresses
3) filter IP list selecting hosts running the specific vulnerable version of this service
4) get unauthorized root access to these hosts using the exploit
5) filter IP list selecting “interesting” hosts (hosts with static public IP, high bandwidth, plenty of disk space, lazy admin, the right OS, and such)
6) install a rootkit or a backdoor in order to grant an easier and more robust way to take control of hacked host over time
7) patch the vulnerable service to prevent other hackers from "stealing" the hacked host.
8) steal databases or install every sort of lame software for lame activities. Hacked hosts may be used for every purpose, including being part of spam nets, bot nets and scan nets or hosting “deep web” barely legal hidden tor services. They can also be used as honeypots: hackers putting traps for other hackers with the purpose of stealing 0day tools or access to hacked shells and/or services/nets.

What are we going to do?

It is your duty to understand that running a firewall is not enough to secure a computer connected to a network. The firewall is only a part of a very complex system. Shutting down unused services, doing security updates and using good passwords, for example, are as important as correctly configuring the firewall.

Anyway the purpose of this manual is to explain how Murus and PF work, so we will focus only on this topic.

We are going to try to stop their task list at the very beginning, because we are going to block ALL connections to ALL our services. Their attempt to discover running services will simply fail, mainly for two reasons:

- we are clever enough to turn off our potentially vulnerable network services, so there are no listening ports on our side.
- we are going to use a firewall that blocks all inbound connections, so if we forgot to (or we can't) close a service, access to this service will be denied by the firewall.

We assume that Murus Preferences are set as default except for the logging policy. Go to Preferences - General and uncheck the "Log all blocked connections" option.

Look at the screenshot, this is the Managed Inbound Services view. It contains 16 icons. We see 3 icons with the yellow led:

- BASIC SERVICES
- AFP
- DYNAMIC PORTS
 

Verndewdimus

Member
Nov 18, 2016
60
21
81
www.reverbnation.com
sudo diskutil resetUserPermissions / `id -u`
System wide permissions reset

ps -A | grep Remote
Gather remote session info

killall "Remote Desktop"
Kill Remote Desktop

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.screensharing.plist
Kill screen sharing
Output should be "service not found" on both the above commands.

ls -la /Users
System-wide users info

dscacheutil -q group
Group info

dscl . list /Groups GroupMembership
Members of groups

sudo fs_usage | grep dev
File system usage in the dev folder

sudo fs_usage -f network
File system use on the network
Both are live logs
 

jameny5

Senior member
Aug 7, 2018
300
77
101
I got the same email. They used some Remote Administration tool to do this, the person claims in the email. The sender included some type of bitcoin blockchain to send or wire the money to. The bitcoin wallet was 34 numbers and characters long. They said after I pay the amount they would delete the data and that I could live my life in peace like before. I forwarded the email to abuse@microsoft.com. They replied that it was a "sextortion" scam campaign. They make you think someone you know may have sent it. I don't know the person in my case. I changed my password. I do not use the stolen one anymore. I responded back with some choice words and that we are investigating that wallet with Bitcoin. That S.O.B. has yet to respond! He wanted $900, $1400, then $1500. He was a greedy MOFO...
