Firewall problems on Mac OS X

Hi there

Some help is required I fear! I set up broadband with Virgin.net around September last year (using a Speedtouch USB modem) and when I did this, I set the firewall in the system prefs to on.

I have recently been the victim of identity theft however as my cc details were used for someone to start a new eBay account. I have since had to freeze my bank, eBay and PayPal accounts whilst the investigations are on going. Not good new I hear you say?!!

So, whilst I've been racking my brains to work out how the hell this catastrophic error could have occurred, I accidentally clicked the sharing tab in system prefs this morning and to my absolute horror, the firewall was off!!

Questions:

a: Could this mean that someone is remotely accessing my machine?

b: Now that I've switched it back on does that mean that if someone had access that they now don't anymore?

c: How did the firewall manage to switch itself off in the first place!!

Any assistance in greatly appreciated ;-)

a: Could this mean that someone is remotely accessing my machine?
If all of the accounts that have been hit are detailed somewhere on your computer then possibly. If it's just your credit card then there are hundreds of other ways to obtain the details without getting into your computer.

b: Now that I've switched it back on does that mean that if someone had access that they now don't anymore?
If your machine has been compromised then assume it will still be compromised. You can trust none of the applications on your machine - they may have been replaced with doctored versions that bypass your firewall.

c: How did the firewall manage to switch itself off in the first place!!
It was turned off by a user with admin access. I see that you started a thread previously concerning problems you had with connecting to the internet. Did you turn off the firewall to troubleshoot, and not turn it back on?

..If your machine has been compromised then assume it will still be compromised. You can trust none of the applications on your machine - they may have been replaced with doctored versions that bypass your firewall...
And if this is that case, that you have been compromised, the only sure way to make sure it's not would be to "Erase and Install" you OS.

Correct me if I'm wrong.

But as was already stated, there are many, many ways for your Credit Card info to be stolen, and not with compromising your computer.

OK thanks for the advice guys. I am still waiting to hear from eBay regarding the extent of the damage but I think I'm gonna just have to bite the bullet and do a clean install on my HDD to be on the safe side.

What about my iTunes and iPhoto libraries? Will it be safe to back that up and copy it across again once I've reinstalled everything else?

It may sound paranoid but I just put two and two together as my cc details were stolen and not having the firewall installed. And to answer the question asked no, it appears that none of my other accouns (bank or otherwise) are affected at all.

Thanks for your help and any other advise / assistance is greatly appreciated.

Cheers ;-)

Recommend reconnaissance work first.

I suspect, like in an earlier post, you disabled the firewall during troubleshooting and don't remember. It happens all the time.

What's in your logs?

Not too sure where to look for the answer to that question!! Do you mean the logs of sites I've visited or when I've connected? Or something else!!

Sorry!! Please advise ;-)

i think it is unlikely that you were hacked. Because you are using a speedtouch modem you sort of dial up to your adsl service using connect in menu bar or internet connect. Because of this your IP address is changing.

I think it is more likely that your CC got cloned and someone has setup an ebay account. Or you got hit by a "phishing" email and you replyed.

Not having a firewall ON is none too clever and yes for total piece of mind you could erase and install. Just do a full backup of your files.

Not too sure where to look for the answer to that question!! Do you mean the logs of sites I've visited or when I've connected? Or something else!!...

I belive what Mikey-San is asking you to do is check your firewall logs to see if you may have turned it off yourself or not.
I'm not sure if these logs are enabled by default, but in either way you would find access to them here:
System Preferences-->Sharing-->Firewall Tab-->Advaned Button

The fact that your IP changes frequently has very little effect on the security of your setup. Every public IP address is going to be continually probed for vulnerabilities to exploit. I recommend the use of an inexpensive router (which acts like a hardware firewall) for anybody with a high speed Internet connection.

To protect your credit card number, don't store it on your computer, don't send it in e-mail, and only enter it in web page forms which are protected with SSL. Use strong passwords, and use different passwords for different purposes.

i think it is unlikely that you were hacked.

I think it is more likely that your CC got cloned and someone has setup an ebay account. Or you got hit by a "phishing" email and you replyed.

Not having a firewall ON is none too clever and yes for total piece of mind you could erase and install. Just do a full backup of your files.

The phishing could include the ebay notice itself.

Uh...yeah....I've had a credit card # stolen before and it had nothing to do with my computer buried behind god knows how many comcast routers and the like.....It was a lost credit card...but it could have just been as likely to be a restaurant receipt.

It is SO highly unlikely your mac got hacked. The hackers out there doing this sort of crap are going to be doing it on windows machines....just due to the number of holes available and the SHEER NUMBER of windows machines out there. For a mac...hmmm.....not a lot of unix phishing going on....

Just turn your firewall back on and relax.

Thought this thread might be interested in this.
http://news.com.com/2100-1029_3-6051261.html?part=rss&tag=6051261&subj=news

I meant /any/ relevant logs.

/var/log/*.log is a good place to start.

BTW, to help prevent phishing, try using Firefox with Google's free Safe Browsing extension. I've been using for for a while now, and it only warned me once, but i guess it was worth it.

http://www.google.com/tools/firefox/safebrowsing/index.html

EDIT: Corrected URL

The phishing could include the ebay notice itself.

I did receive the notice from eBay that my card details had been used to open a new account in the "My eBay" section once I logged on to eBay as well as it being emailed to me so I believe this to be genuine. Also, all my current buying and selling activity has been erased from my eBay account and is irretrievable which maybe my actual eBay acount has been hijacked...

Thanks for all your help people.. keep your ideas/solutions/similar stories coming cos they all help me paint a clear picture of how hackable a Mac really is which is good. I know we're a lot safer than our Windows based "friends"!!

Uh...yeah....I've had a credit card # stolen before and it had nothing to do with my computer buried behind god knows how many comcast routers and the like.....It was a lost credit card...but it could have just been as likely to be a restaurant receipt.

I had thought this also... anywhere you shop has access to your card details and therefore any employee in that shop / establishment... it only takes one disgruntled employee on minimum wage to get a bit light fingered on the old till receipts and before you know it, you're a victim of card number theft... I agree that something like this is a more likely scenario than my Mac having been hacked but I guess you would be cautious too if you then discovered your firewall had been off for the best part of 7 months!! Cheers ;-)

Not having a firewall ON is none too clever and yes for total piece of mind you could erase and install. Just do a full backup of your files.
Does that mean that I could save all my mp3's / iPhoto library etc and safely transfer these back over to my re-installed machine without any risk? I take it files like this don't get affected if your Mac had been hacked?

While the files likely wouldn't be in danger the Music or Photos Folder could contain the hackers files. One small hacker file hidden in thousands of songs or pictures. So I wouldn't just copy the Folder over without looking to make sure it only conatins the correct information.

That said, yes, you should be able to save all your info and then restore it after an "erase & install".

You may want to run a scan for Spyware on your Mac.
I the only one I know of is MacScan (http://macscan.securemac.com/)

BUELLER.

So we're jumping straight to discussing reformatting, then? Not interested in reviewing any actual data? SOUNDS HELPFUL.

Occam's Razor tells me that the math in this thread is way off. I have seen no evidence at all so far that qualitatively suggests he didn't toggle his firewall X months or weeks ago and forgot. I see it happen all the time, and I even do it myself.

Let's assume he was compromised for a moment, even though we don't have any actual data that suggests such a scenario. Reformatting is STILL A BAD MOVE at this point. We should still be gathering data, in the unfortunate scenario that this is not an isolated incident.

Paypal has a history of problems. I don't trust it at all, and would suspect a problem on their end before an issue with a Mac OS X box (not to sound too arrogant regarding OS X security). Honestly, how can you trust a financial institution that acts like a bank but is set up so it doesn't get regulated like one?

Slow down, gather more data, eat your Wheaties. Open up Console.app and read every single log you have. Look for anything remotely suspicious. If you see something you think is interesting or aren't sure about, post it here for us.

Run this Terminal command[1] and relay its output to the thread:

/bin/ls -la /Users /Users/Shared

Run this Terminal command[1] and relay its output to the thread:

/bin/ls -la /Users /Users/Shared

Here's what was in there... still reading through the Console log... Lisa is my partner who has a log-in on the mac and the one called test is me too btw... Anything suspicious here?

total 16
drwxrwxr-t 8 root admin 272 Sep 23 20:23 .
drwxrwxr-t 71 root admin 2516 Mar 19 07:59 ..
-rw-rw-r-- 1 Greg admin 6148 Dec 6 21:21 .DS_Store
-rw-r--r-- 1 root wheel 0 Mar 20 2005 .localized
drwxr-xr-x 16 Greg Greg 544 Mar 19 08:01 Greg
drwxr-xr-x 12 Lisa Lisa 408 Mar 17 14:49 Lisa
drwxrwxrwt 9 root wheel 306 Dec 6 21:13 Shared
drwxr-xr-x 12 test test 408 Sep 23 20:26 test

/Users/Shared:
total 960
drwxrwxrwt 9 root wheel 306 Dec 6 21:13 .
drwxrwxr-t 8 root admin 272 Sep 23 20:23 ..
-rw-rw-rw- 1 Greg wheel 6148 Dec 6 21:21 .DS_Store
-rw-r--r-- 1 root wheel 0 Mar 20 2005 .localized
drwxr-xr-x 4 Greg wheel 136 Sep 15 2005 Acquisition.app
drwxrwxrwx 7 root wheel 238 Aug 1 2005 Adobe PDF 6.0
-rw-r--r-- 1 Greg Greg 479720 Dec 5 19:17 DSCF0074.JPG
drwxr-xr-x 23 Greg wheel 782 Aug 25 2005 Music
drwxrwxrwx 3 Greg wheel 102 Aug 1 2005 SC Info

Nah, nothing seems weird about that. Keep us informed regarding your log files.

I did find this which I thought was strange in the Console bit... it was from Wednesday last week (although the date had changed to 01 Jan... this is because I need a new internal battery and happens from time to time):

See the bit about Regents University of California??? Never heard of them, never visited their site... what's that all about??

Jan 1 01:00:26 localhost kernel[0]: standard timeslicing quantum is 10000 us
Jan 1 01:00:26 localhost mDNSResponder-107.4 (Nov 15 2005 21: 34:38)[38]: starting
Jan 1 01:00:26 localhost kernel[0]: vm_page_bootstrap: 61690 free pages
Jan 1 01:00:26 localhost kernel[0]: mig_table_max_displ = 70
Jan 1 01:00:26 localhost DirectoryService[36]: Launched version 2.1 (v352.1)
Jan 1 01:00:26 localhost kernel[0]: 63 prelinked modules
Jan 1 01:00:26 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
Jan 1 01:00:26 localhost kernel[0]: The Regents of the University of California. All rights reserved.
Jan 1 01:00:26 localhost kernel[0]: using 655 buffer headers and 655 cluster IO buffer headers
Jan 1 01:00:26 localhost kernel[0]: WARNING: ATA Drive claims FLUSH CACHE EXT feature support but does not claim Extended LBA feature support
Jan 1 01:00:26 localhost kernel[0]: FireWire (OHCI) TI ID 8019 built-in now active, GUID 000a27ff fe92d9f8; max speed s400.
Jan 1 01:00:26 localhost kernel[0]: ApplePMU::CLOCK RESET! PMU WAS PROBABLY RESET SOMEHOW!!

Heh. That's where the BSD-Lite kernel was developed, UC Berkeley. It's a standard kernel message.

http://en.wikipedia.org/wiki/FreeBSD

No worries there. See anything else funny? Feel free to post anything that looks suspicious.

Am i to understand you gents believe one's firewall should always be on?

Yes, %99 of the time. Even if it wasn't, wouldn't it take some time to hack in to someone's computer?

Yes, %99 of the time. Even if it wasn't, wouldn't it take some time to hack in to someone's computer?


Yeah, especially as nobody has had this happen on their mac, except for that guy who let people have accounts on his computer a couple of weeks ago and then announced how this shows how OS X is hackable (what a moron)

I can't believe this posting is still going on. Dude. Relax. Your firewall was down. Turn it back on. Unless somehow you are at the forefront of Mac hacking.....your computer is fine. Stop panicing about a nonevent.

Nothing that has happened to you even remotely requires your computer. ID theft has almost never ever required one...and there have been no known attacks on OS X to try this.

Yeah, especially as nobody has had this happen on their mac, except for that guy who let people have accounts on his computer a couple of weeks ago and then announced how this shows how OS X is hackable (what a moron)

I can't believe this posting is still going on. Dude. Relax. Your firewall was down. Turn it back on. Unless somehow you are at the forefront of Mac hacking.....your computer is fine. Stop panicing about a nonevent.

Nothing that has happened to you even remotely requires your computer. ID theft has almost never ever required one...and there have been no known attacks on OS X to try this.

I'm not as patient as many of the people here, especially the mods, so forgive me when I say thanks for not reading the entire thread.

I've gotten him to stop preparing for a reinstall and just look at his logs, and you're going to jump in and crap up the thread with a bunch of "no Mac has ever been cracked" nonsense? Lurk a little more first before doing this, please.

As I said earlier--again, thanks for reading--he's probably just disabled the firewall and forgotten. It happens. To be safe, he's checking out his logs. Something wrong with this?

I had him list the contents of /Users and /Users/Shared because of Opener:

http://www.google.com/search?q=mac%20os%20x%20opener

People have been compromised running OS X before. It's not the end-all-be-all of computer security. Arrogance is the single largest security threat, computer or otherwise, so can we dispense with it?

The More You Know(tm)

Yeah, fairly confident that the reason the firewall was off was because I did this manually and forgot at some point so am just being cautious seeing as I have just had my card details stolen and used to open an eBay account which had nothing to do with me... with all due respect nukular, sure you too would be suspicious too if it happened to you and would want to check all avenues first opposed to just presuming everything was fine, but thanks for your take on things anyway... it's all appreciated ;-)

Still looking through the log... man, there's a lot in there to go through!! Will post anything else suspicious though, cheers Mikey ;-)

Just ran a couple of scripts up, which will tell me if My Built in Firewall is off or on.

Firstly I am sure they can be improved upon. I am not that great at shell so...

To make this work you need to know how to call a script in cron or launchd I use a GUI app like Lingon (http://lingon.sourceforge.net/) to do my launchd's

You also need to have firewall logging switched on.
This can be found under the advanced button in the firewall tab, sharing Prefpane.

When logging is on a process called 'ipfwloggerd' is running.
This is used to tell me if the FW is running.
If the FW is not running then nor will this Process be.

The first script is a applescript application.

1, It must be named 'ipfw_check.app' and be in your applications folder.
2, It Must be compiled as a application and saved to 'stay open'


on idle
set myname to "ipfw_check.app" -- name you MUST give this app.
try
set the_checking to do shell script "ps -axc | grep -c ipfwloggerd"
on error
set the_checking to 0
end try
if the_checking is equal to 0 then

tell application "Finder"
activate

display dialog "Your FireWall Appears to be TURNED OFF " & return & "Or you have not turned on Loggin" & return buttons {"Open Firewall Pane", "Remind me in 5mins"} default button 1
if the button returned of the result is "Open Firewall Pane" then

my _change(myname)

else
return 300
end if
end tell
else
do shell script "killall " & quoted form of myname
end if
end idle

on _change(myname)


tell application "System Preferences"
activate

set current pane to pane "com.apple.preferences.sharing"
delay 1
reveal (first anchor of current pane whose name is "Firewall")
do shell script "killall " & quoted form of myname
--I could have used quit me but for som reason it would wait a while befor quiting.
end tell

end _change

The second script is a bash script.

#!/bin/bash
VAR1="$(ps -axc | grep -c ipfwloggerd)"
VAR2="$(ps -axc | grep -c ipfw_check.app)"
VAR3="0"
if [ $VAR1 -lt 1 ]
then
if [ $VAR2 -lt 1 ];
then
open /Applications/ipfw_check.app
fi
fi

You need to save it some where and chmod it so it is exacutable
chmod +x path/to/the_bash_script_

Now add it to you launchd items.

As I use Lingon I will go through that.
1, Open Lingon.
2, Hit the 'NEW' button and select 'Users Agent'.
Under the 'Basic' Tab

3, set the Label to 'fw_check' or a name you want.
4, In ProgramArguments : hit the '+' button , Click into the top line and put in the path to the bash script.

e.g
/Users/usernam/SS/fw_check
5, tick 'RunAtload'
6,under the 'Miscellaneous' tab.
put 120 into the 'StartInterval'

7, Hit the 'Save & Load' button.

(note: I did this in Lingon v1. I have just noticed that its at v1.1.1 with many improvements and ways of adding to it. But you get the idea...)

Now the Bash script will check every 120 second. if you forget you have turned off the FW it will launch the applescript.

The applescript will display a Dialogue telling you, Your FW is off, or
you have turned off Logging. It will offer you two options.

Open the Sharing Pref pane. or Remind you in five minutes.

if you choose to be reminded in Five minutes.
Then it will.
But if in between does five minutes you enable the Fire wall or turn logging back on, it will just quit when the 5mins are up.

If have choose to open the pref pane.
The applescript will do so and then quit.
If you the decide not to enable the FW or logging.
The bash script will pick that up on its next check.

Yeah, fairly confident that the reason the firewall was off was because I did this manually and forgot at some point so am just being cautious seeing as I have just had my card details stolen and used to open an eBay account which had nothing to do with me... with all due respect nukular, sure you too would be suspicious too if it happened to you and would want to check all avenues first opposed to just presuming everything was fine, but thanks for your take on things anyway... it's all appreciated ;-)

Still looking through the log... man, there's a lot in there to go through!! Will post anything else suspicious though, cheers Mikey ;-)

Sorry, but I do disagree. Panic and searching through thousands of log entries is unnecessary. Just monitor all financial transactions to see if anything continues. Its just TOO easy to steal financial info without every needing to break into anybody's computer. And an ebay account is simply the modern version of catalog ordering, which is what happened to me about 5 years ago when my card was stolen....the first time (the last time was about 6 months ago when the damn card fell out of my pocket and I only discovered it when I had $120 charged at an asian grocery, and two $10 charges at a gas station...all easily reversed)

I'm NOT being arrogant about a Mac's security (hell I just switched back from windows in November after 5 years), but when nobody reports a real hacking of mac computers...I truly doubt any single post where nothing described is a smoking gun. More than one, I'll think differently.

I feel for the ID theft, but I stick by not needing to go through countless log entries.

But if you want to be paranoid then this is a good place I 'spose to make sure you are doing it right :) I do wish you luck and I'm sure it will all work out fine.

Hey... I'm fairly confident that my details were not stolen via my machine itself now seeing as they were never actually stored on there in the first place. I reckon someone has gained access to my eBay account somehow as the only card details stolen are the ones linked to my seller account and seeing as all the info in My eBay has disappeared and is doing weird things too.

I've cancelled that ATM card now and the bank have already sent out a new one with new card number so I think I'm just gonna reactivate my bank account and try my luck because if I wait any longer for confirmation from the a-hole's at eBay I'll be old and gray!! Nothing is urgent with those guys!! Their customer service is pathetic! I reported all this on Thursday and still nothing... oh, apart from ironically an invoice from them today!! Thanks!!

I've checked theough the logs and everything appears to be in order so thank you everyone for your advice / take on things and stories of ID theft in general. Thanks also to Mark for the FW reminder scripts :)

Reading logs hurts no one. At the VERY least, it's calmed his nerves and he's realized that he doesn't need to reinstall.

I've seen compromised OS X boxes personally, so stop with the "no OS X box has been hacked" stuff.

Technically, the firewall isn't an independent process, so you can't directly query its "running" status. If you want to determine whether or not your firewall is "running", all you're really attempting to ascertain is if you're blocking any ports. Think of it as a binary operation: either you're wide open or you're not (and there are ports being blocked--number is irrelevant).

There are three basic tests you need here:

1. Is there only one ipfw entry?

2. Is the rule number 65535?

3. Does the rule state "allow ip from any to any"?

If all three conditions are true, you're wide open. This is might be more solid than checking on ipfwloggerd, and perhaps more portable, as it doesn't rely on ipfwloggerd to be running. (You never know who's going to use your code where.)

Use this as a base for a stronger script and add whatever reactions you'd like it to have upon whatever output you want it to spit out. (This is an "on run" script, so feel free to modify it to behave in an "on idle" situation to suit needs.)

Before we begin, it's important to note that when you're dealing with shell commands, even in AppleScript, you should always use /full/path/names to avoid $PATH exploits. See this post:

http://bbs.applescript.net/viewtopic.php?pid=52253#p52253


on run

set firewallState to do shell script ("#!/bin/sh

echo=/bin/echo
grep=/usr/bin/grep
ipfw=/sbin/ipfw
wc=/usr/bin/wc

ruleSet=`$ipfw show`

if [ `$echo \"$ruleSet\" | $wc -l` == 1 ] && [ `$echo \"$ruleSet\" | $grep -e '^65535' &> /dev/null ; $echo $?` == 0 ] && [ `$echo \"$ruleSet\" | $grep -e 'allow ip from any to any$' &> /dev/null ; $echo $?` == 0 ]
then
$echo \"firewall is currently allowing all traffic in and out\"
else
$echo \"firewall is currently denying traffic\"
fi

exit") with administrator privileges

return firewallState

end run

If any of the other shellheads around here can think of improvements to the script, definitely chime in. Hayne, I'm looking at you. ;)

If any of the other shellheads around here can think of improvements to the script, definitely chime in. Hayne, I'm looking at you. ;)

How do you use yours without the "with administrator privileges"

If the script is going to be used for a auto alert for when you forget to
turn the FW back on

If you take it out your script gives false readings

Cheers.

To get proper information from ipfw about the state of the packet filter, you have to execute the ipfw command as superuser.


sh-2.05b$ ipfw show
ipfw: socket: Operation not permitted

If your return value isn't too long, it will only ask you once for authentication unless you quit the script. Example:

on idle
set hurp to do shell script "/usr/bin/w" with administrator privileges
display alert "What's new, pussycat?" as informational message hurp
return 10
end idle

I'm not sure what the timeout is on AppleScript's "administrator privileges". It doesn't use sudo, which is 5 minutes by default, instead using SecurityServer (which provides AuthorizationExecuteWithPrivileges() to give script commands administrator privileges and AuthorizationCopyPrivilegedReference() for each successive request for those privileges) to gain elevation. I /believe/ the timeout is identical to the sudo default, but I cannot confirm this.