MacNN Forums (http://forums.macnn.com/)
 
Sosa Mar 12, 2013 12:56 AM
I think my iMac may have been compromised by that Java version 6 security issue
A few weeks ago I thought I had downloaded the update to version 7, but after more strange behavior (freezing and just random issues) I checked again and apparently had version 6 the whole time. I checked using instructions from an article on Macworld on how to disable Java, deleting the JavaVirtualMachines folder from Library. Also went to preferences and unchecked "enable java" from the Java security pane opened via Preferences/Java. It said, however, that Java was being disabled only on this browser as an administrator would be needed to disable it on all accounts on the iMac... well, I am the administrator?

So, how do I check if my computer has been compromised? How do I find out if someone has gotten root access?

Console is giving me messages such as:
3/11/13 11:56:58.111 p.m. sandboxd[421]: ([419]) mdworker(419) deny mach-lookup com.apple.ls.boxd
3/11/13 11:56:58.000 p.m. kernel[0]: Sandbox: sandboxd(421) deny mach-lookup com.apple.coresymbolicationd

Also system update has for the last few weeks given me an error message on an update to iTunes 11.0.2...
3/12/13 12:01:06.967 a.m. iTunes[442]: _NotificationSocketReadCallbackGCD (thread 0x7fff77923180): Unexpected connection closure...


Thanks,

Sosa
 
Sosa Mar 12, 2013 02:00 AM
Ok, I was able to install version 11.0.2 (26) of iTunes after following this thread:
https://discussions.apple.com/message/21364627#21364627

Also changed the password of the root account and deleted one user account that was running programs even though the user was logged off. Of course Activity Monitor still shows one process from "nobody" called warmd and a whole bunch of other processes not mine, including many root processes. Is this normal?
 
BLAZE_MkIV Mar 12, 2013 02:36 AM
I have a warmd running under the user nobody. Just an FYI, those Java exploits were for the Java browser plugin. You don't need to delete Java itself, just the plugin. How often do you open jar files from strangers? I'd bet never.
 
Sosa Mar 12, 2013 03:04 AM
Well I've done a lot of checking using F-Secure's website articles and it doesn't appear I had the Java infection, but I'm still getting these console log messages:

3/12/13 2:03:55.972 a.m. mdworker[1454]: Unable to talk to lsboxd

3/12/13 2:03:56.024 a.m. sandboxd[1456]: ([1454]) mdworker(1454) deny mach-lookup com.apple.ls.boxd

3/12/13 2:03:56.000 a.m. kernel[0]: Sandbox: sandboxd(1456) deny mach-lookup com.apple.coresymbolicationd

Wish I knew what it meant!
 
Thinine Mar 12, 2013 03:39 AM
Those are relatively normal log messages which just mean that parts of the system aren't getting the correct sandbox rules. Shouldn't affect anything aside from repeated log messages.
 
All times are GMT -4.
