Big Mess, Virus? Hacked?

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
My home network is in shambles right now. I was having troubles last night and just shut things down, and when I woke up this morning to take a closer look at things, I found out that my G4 on my desk, my main computer, had its hard drive wiped clean, all but the "Users" folder and a few files a few levels deep in it. I tried getting my iBook (which I write this on right now) on the internet and I couldn't. I went to go check out my server, and it is in the same condition! All my files on my 4 GB boot drive and my 120 GB storage drive are gone, except for the same few files a few folders deep in the "Users" folder. Plus, I have an old blue and white G3 around that was also having some major problems last night, but I was putting a new HD in it so I just did a fresh install of the Mac OS anyway. So something hit two, possibly 3 of my computers at once and wiped them clean! My server has its own unique password, that I use for nothing else and never give out for anything and is nearly impossible to guess. The odds that someone was able to hack into both computers at the same time and delete everything is virtually impossible. It could theoretically have been a virus, but I don't actually know of ANY for OS X. My server is running only Apple software, nothing third party except a VNC client and BrickHouse firewall, neither of which the G4 is running, so I can't see how it could have been some software that went bad. Both machines are on 10.2.6; the server is on the server version. So I tried every repair tool I could find; after I tried Data Rescue and Norton to try and recover some of the files, both could not see ANY of my missing files at all. I have a few-day-old CD backup of my web sites and SQL databases and Apache config; other than that, everything else I backed up to my server. Plus I had about 40 GB of movies on there. I had all my emails since 1999 on my G4, well over 10,000 of them. Plus all the PSD files for all of the graphics on all of my web sites were on the G4.
I am hurting big time here. Anyone know what the hell happened to me? How I can prevent it, and though I doubt it's possible, how I may be able to recover any of my files?!?! I'm going to start reinstalling, because I have no choice, but that sucks because there goes any chance I may have had for recovering. This sucks.

Forum Regular
Join Date: Jul 2001
Location: Québec, Canada
Some questions to help figure out what happened...
You really mean even the System folder was erased?
By any chance, is there no invisible folder "/private/var/log" at the root of the hard drive?
How were your computers exposed to the internet at the time (what server programs and what kind of connection, and how were they connected together)?
What were the files left in the User folder?
[edit: changed "/var/log" to "/private/var/log"; "/var" is only a symbolic link on Mac OS X]
(Last edited by Michel Fortin; Jul 11, 2003 at 08:39 PM.)

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Both systems were gone completely. My server was still running, but no services would work. Somehow I could connect via file sharing to my server but the drives were empty. My server is my router; it's always on the internet directly, and I have no ports mapped, so my G4 is pretty well hidden; only someone with SSH and someone knowing both passwords and addresses could get to it, but even then I don't know if it's possible to erase even the active system files leaving only a system running in RAM. No var, no log. In my Users folders, there is only a folder for my one admin user in each, and in that only a Library folder. In there there were a couple of folders with small random files each. Nothing major, some empty. I don't know exactly which ones.

Forum Regular
Join Date: Jul 2001
Location: Québec, Canada
"rm -R /" typed as root would produce exactly what you describe. Running programs continue to run from memory and may create files like preferences in the Library folder (until they crash looking for a resource on the disk).
So my first theory would be that:
Someone found your password. Maybe he was sniffing packets somewhere on the network and saw the password pass unencrypted (like using the FTP protocol). Then he connected using VNC to your account. He opened the Terminal and typed "sudo rm -R /". That command erases everything. After that some already running programs updated (wrote) preference files to the Library folder.
He may have played with other computers on the local network, resulting in what you have.
Of course, all this using VNC, but it is the same result as if someone did this directly in front of the computer. Logging in using SSH would not have left files in your user directory.

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
I don't see how that would be possible; they would have to be on my network, right? I know no one has plugged into my network, and no one has broken into my house. Plus the G4 doesn't have VNC on it.

Forum Regular
Join Date: Jul 2001
Location: Québec, Canada
If you update your website by FTP from a computer elsewhere on the internet, your password will be transmitted in clear text over many networks. If you use FTP only on your local network then it won't go elsewhere. But it's not necessarily practical to sniff network packets to find a password.
And once someone has root control of one computer on the network, he is on the network.
I don't know your setup exactly, so that was only the best theory I could come up with up to now based on what I know. I just hope it helps come closer to what really happened.
And now that I think of it, if someone is logged in (like you did not log out and left the computer) while the erase-all command is issued with an SSH connection, then it would also probably leave some files in the User directory too.
I think the creation and modification times of the files left may be a good hint of the order things happened... That information may be useful if you still have them.
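The check Michel suggests, ordering the leftover files by timestamp, as an added POSIX shell example (not code from this thread): `timeline` lists every surviving file under a directory oldest-first by modification time, and `newer_than` counts how many were modified after a reference file, so a survivor from before the wipe separates "written during the event" from "left over from before". The directory and reference file are whatever you point it at; the files in `demo` are constructed with explicit timestamps.

```shell
#!/bin/sh
# Added example (not code from the thread): order leftover files by mtime so
# their sequence can be read as a rough timeline of what ran after the wipe.

# timeline DIR
# Lists regular files under DIR with their modification timestamps, oldest
# first. 'ls -ltr' sorts by mtime and reverses to oldest-first; '-exec ... +'
# hands find's results to ls in batches, which is POSIX and copes with spaces.
timeline() {
  find "$1" -type f -exec ls -ltr {} +
}

# newer_than DIR REF
# Prints the number of regular files under DIR modified after file REF.
newer_than() {
  find "$1" -type f -newer "$2" | wc -l | tr -d ' '
}

# demo: constructed sample tree with explicit timestamps (Jul 11 2003, the
# thread's date) so the result is reproducible; prints the timeline and the
# count of files newer than the pre-existing 'old.plist'
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/Library/Preferences"
  touch -t 200307110800 "$d/Library/old.plist"
  touch -t 200307112030 "$d/Library/Preferences/com.example.one.plist"
  touch -t 200307112031 "$d/Library/Preferences/com.example.two.plist"
  timeline "$d"
  newer_than "$d" "$d/Library/old.plist"
  rm -r "$d"
}
```

Run `demo` to see the listing; on a real survivor set, point `timeline` at the admin user's `~/Library` and `newer_than` at the oldest file in it.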

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
I'll check the file mod dates, but as far as FTP goes, it's enabled, but I don't think I've ever used it from outside my network. My G4 has a different password than my server, so even if someone SSHs into my server, they'd still have to guess my G4's password too. It's an amazing feat, if I did get hacked. As far as being logged in, I always stay logged in to my server. Am I any more secure if I log out, not counting people who have physical contact with the computer? Am I more secure over the net?

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Yup, all files were created right around the time this happened. I just don't see how someone could have managed to hack into both of my systems. But if they did the rm -r / thing, then how come none of my data recovery tools were able to see any of my files?

Mac Elite
Join Date: Aug 2000
That is stone-cold crazy. Please keep investigating!

Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Originally posted by l008com:
Am I any more secure if I log out, not counting people who have physical contact with the computer. Am I more secure over the net?
No. You don't use an administrator user for day-to-day work, do you?
Originally posted by l008com:
But if they did the rm -r / thing, then how come none of my data recovery tools were able to see any of my files?
rm, just like deleting files in the Finder, just removes the catalog entries for the files. The data is still all there, but nothing knows where it is.

Junior Member
Join Date: Oct 2002
Location: Sydney, Australia
Whilst I am not going to dismiss a hacker, most hackers would have some form of ethics and not just wipe an entire system clean; they might make a mess, but not blow the whole thing away. So I think that it is unlikely. Definitely possible but unlikely. But I'm not a hacker so I really don't know what makes them tick.
Was the file server's drive "mounted" onto the other system?
The reason that I ask is because a mounted server's drive is effectively a directory in /Volumes on the local machine. This should allow an "rm -rf /*" (or similar) as root to (I say should because I am not about to test it myself) delete all the files on the local system and the mounted drive.

Grizzled Veteran
Join Date: Apr 2001
Whilst I am not going to dismiss a hacker, most hackers would have some form of ethics and not just wipe an entire system clean
Oh, spare me the gallant hacker speech.
Anyone who breaks into a system that does not belong to them for any purpose does not understand the concept of ethics.
Wade

Clinically Insane
Join Date: Nov 1999
If you want to recover your files, your only bet may be to send the disk to DriveSavers. They're not cheap, but they're better than anyone else out there.
As for how this could have happened, you're right that the odds of someone hacking into two machines at the same time and wreaking havoc are fairly slim, though it remains possible. There are no known viruses for OSX, so this remains unlikely.
That leaves two possibilities: buggy shell scripts and actual hardware trouble. Buggy shell scripts cannot be ruled out at this point, because many Unix programs use shell scripts as installers, as do many programs using Apple's Installer technology. Had you tried to install anything on these machines recently? Keep in mind that "I use only Apple software" doesn't render you immune, since Apple uses its own Installer.
The other possibility is hardware failure. You mention that you have a G4 machine, which is a strike against the idea of hard-drive failure (those machines are new enough that the hard drives should not be failing yet). Have you had any extraordinary power surges in the area recently?

You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!

Fresh-Faced Recruit
Join Date: May 2002
Location: London, ON Canada
Just out of curiosity, what ports were exposed to the internet from your server? I would assume you would have been running a firewall on the server and only allowed ports such as port 80 etc. (only the services that people would need to use from outside your network).
But if you were not running a firewall, that would leave you wide open (per se) for people to access AFP ports and the like.
So, I guess my point is if you were running a firewall it would likely rule out a hack... not 100%, but you would at least be able to figure out which ports they could have used.
Michael.
PS -- Just re-read the original post... you were running a firewall... so which ports were closed/open to the internet?

Senior User
Join Date: Feb 2003
Location: Atlanta
Originally posted by Angus_D:
No. You don't use an administrator user for day-to-day work, do you?
Oh please. Almost everyone who is the only user of their system does that. It should not be a security risk.

Mac Elite
Join Date: Aug 2000
This is a puzzling case. I haven't the faintest idea of what you should do next.
Data Recovery X should be able to get your data, if you haven't ****ed with the disks much--it scans for lost stuff w/o the catalog.

Mac Elite
Join Date: May 2001
Location: ~/
Originally posted by wadesworld:
Oh, spare me the gallant hacker speech.
Anyone who breaks into a system that does not belong to them for any purpose does not understand the concept of ethics.
Nice ridiculous bias you've got there.

Senior User
Join Date: Jul 2001
Location: Mount Vernon, WA
Yikes! That really sucks. Makes me curious; I hope you get it all figured out.

Grizzled Veteran
Join Date: Apr 2001
Originally posted by Graymalkin:
Nice ridiculous bias you've got there.
Bias against people who illegally break into the computers of others is "ridiculous?"
Wade

Clinically Insane
Join Date: Nov 1999
Location: Where Airbus babies hatch
Originally posted by Graymalkin:
Nice ridiculous bias you've got there.
Your moral compass is out of whack.

Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Originally posted by coolmacdude:
Oh please. Almost everyone who is the only user of their system does that. It should not be a security risk.
If you're really security conscious, you shouldn't. I do it myself, most of the time, but then I'm not overly worried about battening down the hatches.

Junior Member
Join Date: Oct 2002
Location: Sydney, Australia
Originally posted by wadesworld:
Oh, spare me the gallant hacker speech.
Of course it's unethical, but there is even "honor amongst thieves", and my point was that yes, a hacker MAY have wiped the whole thing, but it is not the MOST LIKELY cause, IMHO, not that hacking was ethical.
So I would investigate all possibilities and keep an open mind and not just instantly assume "oh, it's a hacker", even though it may well turn out to be one in the end. Although it seems that there is not going to be enough evidence to ever know, unfortunately for l008com.

Forum Regular
Join Date: Apr 2002
Location: skel
1. Do you have kids?
2. Was the G3 that you were putting the new hard drive & OS on also on the network?
3. Data Rescue and Norton not being able to recover/see any files makes me wonder if they're still there, but invisible - possible?
4. The VNC / hacker possibility shouldn't be discounted. Did you have any passwords stored in a text file on the computer?
5. Do you use any P2P programs? These sometimes allow unwitting access to stored password files.
No solutions, sorry, but some things to consider....
Good luck with your troubleshooting & recovery - don't give up!

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
I tried Data Rescue and Norton's data recovery thing; neither found anything. And I know that you cannot get root access to files mounted over AFP, so the rm command couldn't have gotten both that way. As for a firewall, my router firewalls the rest of my network, with no mapped ports, but my server is completely open, and with reason: I use AFP to get to my server from outside my house and I use SSH from out in the world too; nothing was open that wouldn't still be open if I had a specific firewall. I have no kids and I know for a fact no one physically did this from in front of the computers; I was on the G4 when it happened. The G3, yes, is on the network. And it was while I was working on it that this happened, as far as I can tell. I haven't installed any software on the server in a long time. And there was something else but I forget what. I know the G4's drive is the original and I bought the machine new, and the big drive in the server is only a year or so old. There was something else but I forget what; I'll post again when I remember. It seems unlikely that it was a hacker just because of the impossibility of them getting both my passwords AND they would have left something, some sort of 'signature'.

Dedicated MacNNer
Join Date: Nov 2002
Wow man, that's terrible. Sorry for the loss of all your files, I can't imagine how hard hit you must be.
I'm going to have to agree that it sounds like a remote login plus 'rm -rf /*'. I would also follow the previous advice and check /private/var/log for any log entries that may be helpful in catching who did it, although any intelligent cracker would have run a rootkit as well to cover his tracks.
At this point, I would be trying to figure out if I had any enemies 

I offer strictly b2b web-based server-side enterprise solutions for growing e-business trusted content providers ;]

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
/private/var/log is gone.
As for right now, I turned off SSH, which is a problem for me, but not as much of a problem as losing 5 years' worth of EVERYTHING is.

Mac Elite
Join Date: Aug 2000
Hmmmm.
Did you apply any of those G4 firmware drive updates that came out recently?

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Originally posted by mrmister:
Hmmmm.
Did you apply any of those G4 firmware drive updates that came out recently?
Actually, oddly enough I did just recently run that one for the G4 hard drive that is supposed to "extend the life of your hard drive", right, unless you're me I guess. But I don't think that was it because there's no way this machine could have taken out my server too.

Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
It sure sounds like you were hacked. Anyhow, that is the most plausible explanation at this point. The fact that two different computers were hit at nearly the same time is far too coincidental for it to be likely due to a virus or trojan horse, or almost any other cause other than a deliberate, conscious attack.
Before i put up a server, i did extensive research on security. I was amazed to learn how many ways there are to compromise a system. I too had assumed - incorrectly - that all i needed to do was protect my passwords. But it's not just about gaining account names and passwords. Attacks can be made through web and eMail servers, BBS software, PHP, etc. without ever learning a password. Some of these attacks might give the attacker the means to learn account names and/or passwords.
I also learned, by analyzing my log files, that the bad guys are out there "shooting in the dark" hoping to get lucky.
Typically, once a hacker gains access to one computer on a network, he (or she) will first do a little recon work to see what other systems might be lurking on your LAN. You see, gaining access to one computer on a network puts all the others at risk; it's a foot in the door. So your attacker may have been poking around on your network for a while (maybe even days or weeks) before launching the attack. More than likely, tidbits of info were to be found on your HD which assisted in mapping out your network, and maybe providing clues for the attacker.
I would hazard a guess that the attacker was able to get an account name and password. One of the easiest ways for an attacker to get this info is from someone logging in via FTP. Account names and passwords are sent in the clear. It's also possible the attacker used an exploit which caused your password file to be mailed to him (or her). If your password was a word or combination of words found in a dictionary in any language, your password would have been easily cracked.
How to protect against future attacks? There are a number of things which should be done.
1. Use strong passwords containing random letters, numbers and punctuation marks. Best to use some kind of mnemonic to remember it by.
2. Disable FTP. Use SSH with public encryption key pairs instead (disable password access for SSH). Consider adding password access to the encryption key, however.
3. Always assume your server has been compromised; never trust it and never leave sensitive data on it.
4. Use a hardware firewall at your point of connection to the InterNet, and if you run a server, use another hardware firewall router between the server and your local network (i.e. create a hardware DMZ for the server; do not use a software DMZ).
5. Close all ports, and only open the ones you need for the services you provide.
6. Never allow your server to automatically connect to one of your computers on your LAN.
7. Software "firewalls" are not true firewalls. While they offer some protection, they do not offer the level of protection that a dedicated, SPI (stateful packet inspection) firewall does. Note: Contrary to what some might claim, NAT - in and of itself - is not a true firewall and only offers limited protection. This Secure BroadBand Router is an example of a true SPI firewall.
8. Always backup your HD to off-line media, such as CD-R or DVD-R.
9. Analyze your log files.
10. Use some kind of intruder detection scheme/software.
11. Read a good book on security, such as the O'Reilly book Practical Unix & Internet Security, 3rd Edition.
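Item 9, analyzing log files, in a form that can actually be run: the POSIX shell below is an added example, not code from this thread or from any project. It scans sshd's syslog lines for failed password attempts per source address and flags any address that accumulated several failures and then got an "Accepted" login, which is the trace a guessed password leaves behind (and what item 2 removes by turning password authentication off). The log lines are constructed samples in OpenSSH's message format, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): triage of sshd log lines.
# Input is OpenSSH's syslog output, e.g.
#   Jul 11 20:39:01 host sshd[1234]: Failed password for admin from 192.0.2.10 port 51234 ssh2
# The lines in write_sample are constructed for this example.

# failed_logins_by_ip LOGFILE
# Prints "<count> <ip>" per source address, most failures first. Both the
# "Failed password for USER" and "Failed password for invalid user USER"
# forms contain " from <ip> port ", which is all the sed pattern relies on.
failed_logins_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password for ' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# suspicious_successes LOGFILE [THRESHOLD]
# Prints each address that failed at least THRESHOLD times (default 3) and
# also produced an "Accepted ..." line: repeated failures followed by a
# success is the signature of a guessed password rather than a typo.
suspicious_successes() {
  file=$1
  threshold=${2:-3}
  failed_logins_by_ip "$file" | while read -r count ip; do
    [ "$count" -ge "$threshold" ] || continue
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
    if grep -q "sshd\[[0-9]*\]: Accepted .* from $ip_re port " "$file"; then
      echo "$ip"
    fi
  done
}

# write_sample FILE: constructed sshd lines, addresses from RFC 5737 ranges
write_sample() {
  cat > "$1" <<'EOF'
Jul 11 20:39:01 server sshd[1234]: Failed password for admin from 192.0.2.10 port 51234 ssh2
Jul 11 20:39:04 server sshd[1234]: Failed password for admin from 192.0.2.10 port 51234 ssh2
Jul 11 20:39:07 server sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Jul 11 20:39:20 server sshd[1240]: Accepted password for admin from 192.0.2.10 port 51240 ssh2
Jul 11 21:02:11 server sshd[1250]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Jul 11 21:10:00 server sshd[1260]: Accepted publickey for admin from 203.0.113.5 port 40100 ssh2
EOF
}

# demo: writes the sample and prints both reports
demo() {
  f=$(mktemp)
  write_sample "$f"
  echo "failed logins per source:"
  failed_logins_by_ip "$f"
  echo "addresses with repeated failures then a success:"
  suspicious_successes "$f"
  rm -f "$f"
}
```

On the sample, `192.0.2.10` shows three failures followed by an accepted password login and is the only address reported; the single failure from `198.51.100.7` and the key-based login from `203.0.113.5` are not. On a Mac OS X server of the thread's era the lines to feed it live under /private/var/log, which is exactly why an attacker who deletes that directory removes this evidence.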

Junior Member
Join Date: Nov 1999
Location: Moncton, NB, Canada
Did you install iTunes 2 by any chance? I remember its installer having that issue. On the same note, what were your disks called? Did they include spaces?
Or was it iTunes 3? 

"There is no spoon" - Spoon Boy

Mac Enthusiast
Join Date: Dec 2001
Location: UK
Not that this is going to help the poor guy that lost all his hardware but attacking a guy for saying hackers have ethics is extremely ignorant.
To have ethics is to have a set of moral principles; they might not be the same as yours or the same as most people's, but it is nonetheless a set of ethics.
To say 'Hackers have a set of ethics" is not a statement in support of hackers, it is merely a fact.
To say "I dig the whole hacker ethic" is a statement in support of hackers.
Get it?

If it rained soup I'd have a fork in my hand!

Grizzled Veteran
Join Date: Apr 2001
Originally posted by CarpetFluff:
Not that this is going to help the poor guy that lost all his hardware but attacking a guy for saying hackers have ethics is extremely ignorant.
To have ethics is to have a set of moral principles; they might not be the same as yours or the same as most people's, but it is nonetheless a set of ethics.
To say 'Hackers have a set of ethics" is not a statement in support of hackers, it is merely a fact.
To say "I dig the whole hacker ethic" is a statement in support of hackers.
Get it?
Nope, that's semantics.
The general definition of one who is ethical would be one that acts with integrity. Certainly one that breaks into the computers of other people cannot be classified as one with integrity.
The problem with your argument is it's an argument of convenience - i.e. if I don't feel like doing what it takes to be ethical, I'll just redefine what ethics means. According to your thinking, serial killers have a set of ethics too, and are therefore, ethical people.
Wade

Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
The American Heritage Dictionary defines ethics as:
- A set of principles of right conduct.
- A theory or a system of moral values.
and hacker as:
- One who is proficient at using or programming a computer; a computer buff.
- One who illegally gains access to or enters another's electronic system.
The word "hacker" covers a lot of territory and, as is true of stereotypes in general, any characteristic ascribed to hackers in general will not apply to all of them. Everyone has their own "code of ethics," even people who hijack airliners and fly them into buildings. Having a "code of ethics" doesn't mean others won't perceive your actions as evil, nor that your behavior isn't criminal.
Some hackers may want to leave a calling card or tag, but many will not. For some, their calling card is the ashes which remain behind. Many hackers are criminals. Using the word "hacker" to describe an intruder soft pedals the criminal aspect because some hackers are just harmless computer geeks, not criminals. Breaking and entering is a crime, even if you leave the place immaculate and unchanged afterwards. Burning it down when you leave is clearly a malicious crime. Ironically, the former may be the more severe, depending upon your perspective, if private information (e.g. bank accounts numbers) were stolen and there is no trace that a crime was committed.
The thing about the InterNet is that everybody is your next door neighbor. There are no "good neighborhoods" with less criminal activity. All the larcenists and arsonists are just as likely to target you as anyone else. Better have good locks on the doors, and a nice secure fireproof fortress. A moat stocked with alligators is a good idea as well.

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
No, no iTunes 3 or 2, and yes all 4 of the drives had spaces in the names; what's that have to do with anything? All HDs have spaces in their name when they come from Apple. Like in a new computer I mean.

Forum Regular
Join Date: Nov 2002
Originally posted by l008com:
No, no iTunes 3 or 2, and yes all 4 of the drives had spaces in the names; what's that have to do with anything? All HDs have spaces in their name when they come from Apple. Like in a new computer I mean.
He/She is just talking about that installer bug for iTunes 2.0 (can't trust Apple either) that accidentally erased hard drives with spaces in their names IIRC because of a goof-up in the "rm line." Obviously, this didn't happen to you.
Anyways, I don't believe you mentioned anything about invisibility. Maybe your files can be seen while booted into OS 9 (assuming it can boot into OS 9) or "ls -la" (I assume you have done this already).

Mac Elite
Join Date: Sep 2002
I was going to point out that not backing up 5 years worth of stuff is asking for trouble. But then I looked a bit harder and saw that you backed up to your server. However, a server is just another computer and servers should get backed up too. Keeping all your stuff on a server and ONLY on the server is not a solution.
I feel for you, I really do, but you won't let this happen again. I'm speaking from experience.
IF IT'S IMPORTANT BACK IT UP TO CD, OR BETTER YET, TWO.

Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
XI is absolutely correct: Backup to some kind of off-line medium. And have more than one copy (in different locations, just in case the building burns down, or something.) A server exposed to the InterNet is never a good destination for a backup, except perhaps as a redundant backup, assuming the data is encrypted. NEVER leave unencrypted confidential data on a server! Servers exposed to the InterNet must always be viewed as "compromised."

Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
I've read through the entire thread, and didn't see any response to the question about whether or not your files are still there but just hidden. I think it extremely unlikely, but it's worth a check nevertheless. If you get up a terminal session and type "ls -la /" what do you see?
Although if your Terminal application is also hidden, I don't know how you'd run it. If you can find some way of checking for hidden files it may help. E.g., copy the Terminal application from somewhere else.
Note that although some hackers are creative and very clever, many just use tools provided by others, and there is a lot of cooperation and information sharing between hackers. There is also a huge library of tools that hackers make available to each other. One such tool is a utility that will map your entire LAN, providing information about what machines are on your network, what operating systems each is running, and what services are running on each (including, but not limited to open ports), etc.

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
That hard drive is blank. 38 GB available. EMPTY. Plus the data recovery would definitely have seen all invisible files too. I have since given up and reinstalled both machines. Damn shame too; I don't know what I'm gonna do now about so many things.

Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
if they did the rm -r / thing, then how come none of my data recovery tools were able to see any of my files?
They could have used the "-P" option. From man rm:
Code:
     -P    Overwrite regular files before deleting them. Files are
           overwritten three times, first with the byte pattern 0xff,
           then 0x00, and then 0xff again, before they are deleted.
Edit: Typo
(Last edited by Rainy Day; Jul 14, 2003 at 01:18 AM.)

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
:-/
If I was hacked, I don't see how I can prevent it again, other than disabling SSH completely, which would really suck for me because I use it so much.

Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
I think you were probably hacked, but there are a number of things you could do to improve security. I made several suggestions on my first post to this thread.
SSH is not the problem. It's very secure if used properly. But don't use password authentication for SSH; disable it; disallow it entirely! Use public key pairs exclusively. For added security, password protect your key. If you remotely access your system from a fixed IP, you can further tighten security by only allowing SSH access from a specific IP or range of IP's.
Also, invest in a couple SPI hardware firewalls and create a DMZ for your server. Software firewalls like Brickhouse are mere toys; they're not really to be trusted for serious security. They give one a false sense of security.

Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Originally posted by Rainy Day:
SSH is not the problem. It's very secure if used properly. But don't use password authentication for SSH; disable it; disallow it entirely! Use public key pairs exclusively. For added security, password protect your key.
I don't even understand that, can you elaborate?

Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
There are three ways to authenticate an SSH session: by traditional user name and password challenge, by originator IP address, and by a public key pair. The most secure of the three, by far, is the public key pair. Because IP addresses can be spoofed, that method is not as secure as it sounds. Traditional user name and password challenge is generally a poor choice because most people select weak passwords. Even with a strong password, however, public key pair is still many orders of magnitude more secure.
By default, SSH will accept a traditional user name and password challenge authentication if the public key authentication fails. If SSH is configured this way, one loses the advantages of public key authentication because your system is only as secure as its weakest link. By disallowing traditional user name and password authentication, only key pair authentication is permitted (assuming one has not turned on IP address authentication as an alternate method). Somewhat confusing is the fact that one may configure SSH to require both a public key pair and IP address authentication. Notice the "and" rather than an "or" there. Additionally, when generating a public key pair (or even at some later time), one may password protect a key (this is not the same thing as traditional user name and password challenge). This is done to protect the key itself. When this is done, a password must be entered before a key may be used to authenticate an SSH session. Without a password protecting the key, an SSH session may be initiated without entering a password. So long as you have control over the key, this is very secure. If someone should somehow get ahold of your key, however, they have access to your system (which is why you might want to password protect the key). It's late, I'm tired, and I know this may not be written as well as it might be; hopefully it makes sense though.
A Google search on "SSH key pair" should yield lots of info on how to implement a key pair. Disabling traditional user name and password challenge is something which is often overlooked, however, and involves fiddling with the SSH configuration file. Unfortunately, the commands to do so vary depending on the version of SSH you're using, and I have not done it for SSH on MacOS X yet, so I can't tell you the exact way to go about it.
Actually, man ssh, man ssh-keygen and man ssh_config should yield lots of good info/reading.
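As an added illustration of the "weakest link" point above (this script is not from the post or from OpenSSH), here is a small POSIX sh audit that reads an sshd_config and reports whether password logins can still bypass key authentication. It assumes the real OpenSSH directive names PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication, and that sshd honours the first occurrence of each directive; the two sample config files are constructed here, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits an sshd_config for the
# password-vs-key-pair settings discussed above. Sample configs are constructed.

# Effective value of one directive. sshd uses the first uncommented occurrence,
# so take the first match; fall back to the supplied default when it is absent.
sshd_effective() {
  # $1 = config file, $2 = directive name, $3 = default when the directive is unset
  val=$(grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Prints "key-only" when only public keys are accepted, otherwise "password-allowed".
# Both password and challenge-response must be off, or a weak password is still a way in.
sshd_password_audit() {
  pw=$(sshd_effective "$1" PasswordAuthentication yes)
  cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
  pk=$(sshd_effective "$1" PubkeyAuthentication yes)
  if [ "$pk" = "yes" ] && [ "$pw" = "no" ] && [ "$cr" = "no" ]; then
    echo "key-only"
  else
    echo "password-allowed"
  fi
}

# Constructed sample 1: the shipped default, where a commented-out directive still
# means "yes", so a failed key attempt silently falls back to a password prompt.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample 2: the hardened form the post recommends.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

echo "weak sample:     $(sshd_password_audit "$WEAK_CFG")"   # password-allowed
echo "hardened sample: $(sshd_password_audit "$HARD_CFG")"   # key-only
# On a live host: sshd_password_audit /etc/ssh/sshd_config
```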
Mac Elite
Join Date: Apr 2002
Location: Illinois
Status:
Offline
He was a destructive hacker but it could've been much much worse. He could've just sat there logged in watching packets until a Credit Card number went through. If it was a hacker, it was most likely a 12-25 year old person. MAKE SURE EVERYTHING FROM NOW ON IS LOGGED. No unlogged traffic (have a router send all logs to a computer that is detached from the rest of the network (Make sure it has a different pass/id, never mounted. Probably just use an old Performa or something.)). Hackers will return to the scene to show their buds, see if they can do it again, etc. Then if you have some proof, file a report with their ISP, and law enforcement (even though they can't do anything, they may be able to use this information later).
Mac Elite
Join Date: Oct 2001
Location: Umbrella Research Center
Status:
Offline
Originally posted by King Bob On The Cob:
have a router send all logs to a computer that is detached from the rest of the network (Make sure it has a different pass/id, never mounted. Probably just use an old Performa or something.)).
If the router can send it information then it can't be detached so much...
Just set up an email account and have the router email you the logs.
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Status:
Offline
He was a destructive hacker but it could've been much much worse. He could've just sat there logged in watching packets until a Credit Card number went through.
Or he could have done both. There's no telling how long he might have been in the system before torching the place. It's even possible he searched the HD and downloaded anything of interest first. Hopefully all that he did was torch the place.
Mac Enthusiast
Join Date: Jan 1999
Location: Marietta, GA, USA
Status:
Offline
Originally posted by wadesworld:
Oh, spare me the gallant hacker speech.
Anyone who breaks into a system that does not belong to them for any purpose does not understand the concept of ethics.
Wade
Well, I would agree that most hackers wouldn't just wipe the system clean. However, that's simply because it's much more cool and sinister to covertly gain control of a system, rather than simply wipe a system clean.
Scott Genevish
scott AT genevish DOT org
Mac Elite
Join Date: Apr 2002
Location: Illinois
Status:
Offline
Originally posted by Phanguye:
If the router can send it information then it can't be detached so much...
Just set up an email account and have the router email you the logs.
You can disable all traffic to and from it. (At least with Linksys routers) but still use it as a logging computer. (I have a Performa 6500 in the basement running Linux as mine)
Professional Poster
Join Date: Jan 2002
Location: Rochester, NY
Status:
Offline
Originally posted by genevish:
Well, I would agree that most hackers wouldn't just wipe the system clean. However, that's simply because it's much more cool and sinister to covertly gain control of a system, rather than simply wipe a system clean.
omg omg omg wtf wtf bbq!! big signature!!