[MacTUG] a hacked lab mac?

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Tue Mar 22 09:40:13 EDT 2011


Hi guys,

I am experiencing something that I have never had to deal with before, and that is the possibility that an admin account on one of my lab Macs has been cracked. There is a machine in the lab on which my main admin account has had its password changed or corrupted. The Mac has an open-firmware password (and one that is different from the admin password), so it is not as simple as someone bringing in an OS X disk and booting from it to reset a password.

I am going to pull the machine for a while and would like to try to figure out what is going on. Can anyone give me some hints as to where to look forensically for any clues?

I doubt I can catch who did this but I would like to at least have a clue how they did this. Likely I will replace this password in my labs (ASAP) anyway, but it would be nice to have an idea whether the password is known before it was reset. It is certainly possible that someone used a low-tech solution (such as spying when someone was typing in the password). So, for example, if I could tell from the logs that the password was reset in the normal manner — where you type the old password and then enter the new one — that would be of interest. If I could determine whether it was happening locally or remotely that would be of use as well.

We do have video cameras in that room, so if I could get a time stamp on things, that may be useful as well.

Lastly, if anyone can think of a way that a password could become corrupted without some evil student being involved, that would be really awesome.

BTW, I can still log on to the machine as an admin, as I enabled Root and that account has not had its password changed. We rarely use the Root account (it is just there as a back door for me for this kind of purpose), so I am guessing that whoever did this did not know it was enabled.

At any rate, any tips or suggestions would be appreciated…
don

------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
http://www.environment.uwaterloo.ca/computing/people/don.html
------------
To request help from MAD please use Request Tracker. For info see: http://www.environment.uwaterloo.ca/computing/faculty_staff/<http://www.fes.uwaterloo.ca/computing/faculty_staff/>
------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential, and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error, please notify the original sender immediately.