Mac Security: Identifying Changes to the File System

What to Do if You Have Been Rooted

If you have been rooted, then you are truly buggered, as we say in England. All that a tool can do is confirm what you've only suspected. There's no program that will clean your system beyond identifying the programs that the rootkit replaced. But a rootkit is only the starting point, and no tool can know what the hacker might have done to your system.

Have they changed your Apache configuration? Have they placed a script in your cgi directory that's waiting to be run to re-infect you? Have they placed a key of their own in your SSH keys file to allow themselves to log in? Have they set up a cron job to see if they have been removed and automatically re-infect you?

There are just too many unknowns, and little you can do to regain control of your system unless you know each and every file that has been compromised. Unfortunately, the hacker is the only one who knows, and he's not telling. This is what you do:

  1. Turn your computer off.
  2. Disconnect it from the internet.
  3. Boot from your installation CD and select an install that preserves the User directories.
  4. Once the install is complete, copy any user data you want to keep to an external drive. Do not copy any executable files.
  5. Reformat your hard disk and do a completely virgin install.
  6. Connect to the internet and run SoftwareUpdate until there are no more updates.
  7. Reload the user data you saved.
  8. Reinstall your applications from their original CDs or download them anew.
  9. Make a backup.

Yes, you have just wiped your hard disk, and no, there isn't another way. If the file is executable, be it a shell script, Unix command-line tool or Macintosh application, you can no longer trust it unless you download it from a reliable source or install from CD. Even your backups are of limited use. Unless you know the exact day that your system was hacked, you do not know which backups are clean and which are compromised. So get the user data from the backups, but not the applications.

The problem now is that your system is in the same state that it was when the hacker broke in. What's to stop them from breaking in again? Nothing, if you have duplicated your original setup. So let's do a quick review:

  • What services were you exposing to the internet? Windows Sharing? FTP access?
  • Have you got a weak password?
  • Did you tell someone what your password was?
  • Did you have Internet Sharing turned on?
  • Were you sharing your AirPort card?
  • Did you have the firewall turned off?

Choose a better password: make it longer, with mixed case, numbers and special characters, and tell no one. Turn sharing off and the firewall on. For now, at least, turn off all of the services you can. Once you have calmed down and the hacker has given up and moved on to someone else's machine, you can turn them back on if you need to.

If you have a backup that you absolutely know was not compromised, it is possible to replace each file with a clean copy. You can then hunt down any suspicious files that are on your hard disk and remove them. But let's be realistic for a moment; your Macintosh has hundreds of thousands of files. Do you know each one by name, and what they should look like? Reformat your disk, and you will sleep much better.

Using our Scripts

I have a daily cron entry that runs just after my daily backup to create a report and a new specification file. This is run from the root crontab:

0 2 * * * /usr/local/bin/mtree_check; /usr/local/bin/mtree_build

I also keep a copy of the scripts, mtree itself, and a known specification file on a USB flash drive in case I feel the need to be absolutely sure everything is OK.

Other Tools

Our exploration of mtree has provided us with a useful tool to detect a rootkit on our system, but there are others available. Brian Hill has a tool called CheckMate that checksums critical system files and can alert you when they change, all nicely packaged up as a control panel. If you do not feel confident in your scripting skills, but want to be prepared, this will help.

Of the tools mentioned earlier, only Rootkit Hunter can be downloaded, installed, and run without having to dive into the code. It also doesn't spit out error messages for no good reason. It monitors critical system files and does other checks for signs of rootkits. Although not as functional on the Macintosh as it is on Linux, it is in active development and what it does it does well.

Final Thoughts

All of this effort, and there is no rootkit for the Macintosh. It is only a matter of time before one of the BSD rootkits becomes adapted for the Mac, and hackers start to target the Macintosh more aggressively. The Macintosh is a Unix box, and Unix boxes have rootkits. The conclusion is hard to avoid. One day there will be a Macintosh rootkit, and when that day comes, we will be ready. Besides, we now have a nice tool that we can run before and after installing a new application to see what files it installs and where, which will help with cleaning up when we uninstall it. A bonus for our paranoia.

Peter Hickman is currently working as a programmer for Semantico, which specializes in online reference works and Access Control Systems. When not programming or reading about programming he can be found sleeping.
