help interpreting response to shell command

Joined
May 5, 2012
Messages
5
Reaction score
0
I am trying to determine if my mac has been hacked. My online research led me to use this sudo command:
Last login: Fri May 4 17:10:55 on ttys001
Macintosh:~ blueyes1005$ sudo -l ; exit;
Password:
Matching Defaults entries for blueyes1005 on this host:
env_reset, env_keep+=BLOCKSIZE, env_keep+="COLORFGBG COLORTERM",
env_keep+=__CF_USER_TEXT_ENCODING, env_keep+="CHARSET LANG LANGUAGE LC_ALL
LC_COLLATE LC_CTYPE", env_keep+="LC_MESSAGES LC_MONETARY LC_NUMERIC
LC_TIME", env_keep+="LINES COLUMNS", env_keep+=LSCOLORS,
env_keep+=SSH_AUTH_SOCK, env_keep+=TZ, env_keep+="DISPLAY XAUTHORIZATION
XAUTHORITY", env_keep+="EDITOR VISUAL", env_keep+="HOME MAIL"

User blueyes1005 may run the following commands on this host:
(ALL) ALL
logout

followed by the dscl . list/users which reads:

Last login: Fri May 4 17:05:37 on ttys001
dscl . list/users ; exit;
Macintosh:~ blueyes1005$ dscl . list/users ; exit;
dscl (v10.7)
usage: dscl [options] [<datasource> [<command>]]
datasource:
localhost (default) or
localonly (activates a DirectoryService daemon process
with Local node only - daemon quits after use
<hostname> (requires DS proxy support, >= DS-158) or
<nodename> (Directory Service style node name) or
<domainname> (NetInfo style domain name)
options:
-u <user> authenticate as user (required when using DS Proxy)
-P <password> authentication password
-p prompt for password
-f <filepath> targeted file path for DS daemon running in localonly mode
(example: /Volumes/Build100/var/db/dslocal/nodes/Default)
(NOTE: Nodename to use is fixed at /Local/Target)
-raw don't strip off prefix from DS constants
-plist print out record(s) or attribute(s) in XML plist format
-url print record attribute values in URL-style encoding
-q quiet - no interactive prompt
commands:
-read <path> [<key>...]
-readall <path> [<key>...]
-readpl <path> <key> <plist path>
-readpli <path> <key> <value index> <plist path>
-create <record path> [<key> [<val>...]]
-createpl <record path> <key> <plist path> <val1> [<val2>...]
-createpli <record path> <key> <value index> <plist path> <val1> [<val2>...]
-delete <path> [<key> [<val>...]]
-deletepl <record path> <key> <plist path> [<val>...]
-deletepli <record path> <key> <value index> <plist path> [<val>...]
-list <path> [<key>]
-append <record path> <key> <val>...
-merge <record path> <key> <val>...
-change <record path> <key> <old value> <new value>
-changei <record path> <key> <value index> <new value>
-diff <first path> <second path>
-search <path> <key> <val>
-auth [<user> [<password>]]
-authonly [<user> [<password>]]
-passwd <user path> [<new password> | <old password> <new password>]

MCX Extensions:
-mcxread <record path> [optArgs] [<appDomain> [<keyName>]]
-mcxset <record path> [optArgs] <appDomain> <keyName> [<mcxDomain> [<keyValue>]]
-mcxedit <record path> [optArgs] <appDomain> <keyPath> [<keyValue>]
-mcxdelete <record path> [optArgs] [<appDomain> [<keyName>]]
-mcxexport <record path> [optArgs] [<appDomain> [<keyName>]]
-mcximport <record path> [optArgs] <file path>
-mcxhelp

logout

[Process completed]

My understanding is that the second command should reveal all the accounts existing on my mac, but I can't make any sense out of this...can someone please help?
 
Joined
Nov 26, 2010
Messages
3,558
Reaction score
52
Not really, what are you trying to do?

Hacked in what way? There is no command "Is my Mac Hacked?"; you need to know what you're looking for.

What OS version are you using? And are all your Software Updates done?
 
Joined
May 5, 2012
Messages
5
Reaction score
0
Yes, software updates are always current, as on my profile, Mac OS X 10.7.3.
From eHow:
A hacker can gain access to your Mac by a variety of means, including social engineering and security vulnerabilities in the Mac OS X operating system or in installed applications. However, all of these methods result in Mac OS X keeping a log of the usage of each user account in the computer -- legitimate or illegitimate. You can access those system logs to determine whether your Mac has been used (locally or remotely) without your authorization.

Difficulty: Moderately Easy
Instructions
1. Log in to your Mac OS computer using your regular user account.
2. Click "Applications" and then "Utilities."
3. Double-click on "Terminal." A new window will open, with a prompt for text-mode commands.
4. Type the following command into the Terminal window:
sudo -l
Press "Enter," type your password and press "Enter" again.
5. List all accounts existing on your Mac by typing the following command into the Terminal:
dscl . list /users
Press "Enter." Mac OS X will list all existing accounts on the computer.
6. Check whether any account has been created without your permission by verifying that all accounts in the output of "dscl" have been created legitimately. If there are additional accounts, they probably have been created by a hacker.
7. Check whether an account has been misused by typing the following command into the Terminal:
last
Press "Enter." For each account, Mac OS X will list the time and date of the last login to all existing accounts. If the most recent login to any of the accounts happened at an abnormal time, it probably was done by a hacker masquerading as a legitimate user.
What I am trying to interpret is whether my personal account "blueyes1005" is the only account on my mac. Thank you for your help.
 
Joined
Nov 26, 2010
Messages
3,558
Reaction score
52
Every Mac has all manner of accounts; there are 11 on my Mac. If you don't know what's meant to be there, how do you know what's been made without your knowledge?

If you're on 7.3 with all the Updates installed then you are probably good.

Why do you think you're not?
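
Added example, not part of either post or of the eHow article: the first command printed dscl's usage text because it was typed as `list/users`, with no space before `/users`. The sketch below triages the two-column output of `dscl . -list /Users UniqueID` so that login accounts stand apart from the built-in service accounts mentioned in the reply above. The sample lines, the `support` and `toor` accounts and both function names are constructed for illustration, and the cutoff of 500 assumes macOS numbering regular users from 501.

```shell
#!/bin/sh
# Added example: label each account from `dscl . -list /Users UniqueID`.
# On a Mac:  dscl . -list /Users UniqueID | classify_accounts

# Constructed sample of the two-column "name uid" output (not real data).
sample_dscl_output() {
    cat <<'EOF'
_www                    70
_spotlight              89
daemon                  1
nobody                  -2
root                    0
blueyes1005             501
support                 502
toor                    0
EOF
}

# Reads "name uid" lines on stdin and prints one labelled line per account:
#   LOGIN  - UID 500 or above, a regular login account (assumed cutoff)
#   SYSTEM - built-in service account (underscore prefix, root, daemon, nobody)
#   REVIEW - anything else, worth a closer look before drawing conclusions
classify_accounts() {
    awk '
        NF < 2              { next }   # blank or single-word lines
        $2 !~ /^-?[0-9]+$/  { next }   # usage text, not a "name uid" row
        $2 == 0 && $1 != "root" { print "REVIEW uid0 " $1; next }
        $2 >= 500           { print "LOGIN " $1 " " $2; next }
        $1 ~ /^_/ || $1 == "root" || $1 == "daemon" || $1 == "nobody" {
            print "SYSTEM " $1; next
        }
        { print "REVIEW lowuid " $1 " " $2 }
    '
}

# Stand-alone run over the constructed sample.
sample_dscl_output | classify_accounts
```

A `LOGIN` or `REVIEW` line is a prompt to check who created the account, not a finding in itself.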
 
Joined
May 5, 2012
Messages
5
Reaction score
0
I was hoping someone on this forum would understand the shell command and response, that is why I posted the question. I have found changes on my computer that I know were not related to my activity nor related to a software update. I also have personal reasons for considering that someone else would have this motivation. Thank you again for your help.
 
Joined
Nov 26, 2010
Messages
3,558
Reaction score
52
If you believe this then you need to act. There is no way to disprove this.

Back up your Files.
Reinstall OS X
Restore Your Files
Have an Admin Account with a secure password.
Only use your account as Standard Account.
 
Joined
May 5, 2012
Messages
5
Reaction score
0
Thank you. It would appear this is the correct approach. It sounds like if I follow your recommendation I will both resolve any prior issue and prevent the possibility of any future invasion. I will follow your advice and I do appreciate your candor. Thank you, this is a serious matter, really.
 
Joined
Nov 26, 2010
Messages
3,558
Reaction score
52
I agree, very serious. I've been there too and it's a real pain, but there is no other real solution.
 
