My iMac runs Mac OS X Yosemite 10.10.1.
I accidentally had "Remote Login" enabled in my Mac's system preferences, so the sshd was running.
I just noticed in Little Snitch's network monitor window that it logged about 90 connections from different servers to sshd. I checked the IP addresses on http://ipinfo.io and all the logged IP addresses are located in China, Hong Kong and South Korea.
It seems to be pretty bad.
I looked around a little bit in the available network protocol of Little Snitch and found out that the IP addresses appearing in the sshd log also appeared in the logs of several other processes, including
- sh
- DDService64d (apparently DDService64d is part of the Drobo Dashboard; I have a Drobo 5N installed in my LAN)
- launchd
all with user "root" (including the sshd logs).
I thought user root was disabled by default on Mac OS X, but this might all be results of the hack…
So the question now is how to proceed?
- Of course I switched off "Remote Login" (sshd) on the machine.
- I disabled the root user with the "dsenableroot -d" terminal command
- I changed my admin password
I use a cable modem for internet connection (FritzBox 6360). UPnP is switched on (and I use this feature for several apps).
There were several mappings to port 22. I removed all these.
But probably this won't be enough.
Since my computer definitely is compromised I don't really trust it anymore.
What should I do now? Erase the whole thing and re-install all new?
That would be a huge amount of time going down the drain.
And what about the DDService64d access?
Is my Drobo 5N also compromised? Is there a way to check this?
My Time Machine backup is also saved on the Drobo 5N, so even if I decide to erase the computer and start all over again, how can I be sure that it isn't compromised again by the Time Machine backup on the Drobo?
Any advice?
Best Answer
If you are absolutely certain that your Mac has been hacked I'd strongly recommend that you erase your hard drive, reinstall OS X and manually copy your data back from Time Machine:
Browse to 'Users/[your username]' and copy Documents, Pictures, Movies, Music, and any other folder that contains important data to your new home folder.
I would refrain from copying 'Library', although that's where your settings are located. If you have iCloud Mail, Contacts, Calendars, Reminders, Safari, Notes and Keychain synchronization enabled most of your settings will rebuild themselves just fine. You may want to selectively copy application settings from 'Library/Application Support' after checking the files' contents.
iCloud synchronization is especially important for Keychain, and I talk from experience: I had a pretty hard time exporting and importing Keychain after installing OS X Yosemite from scratch without restoring from a Time Machine backup.
A piece of advice: It is best practice that the login account you use on a daily basis doesn't have administrative rights. You should create an administrative account instead. I usually call it 'admin', while my account is 'Standard'. The side effect is that OS X will prompt you to type admin's password every now and then, for example to edit settings in System Preferences.
Good luck!
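The selective copy-back the answer describes, as an added shell example (not code from the original answer or from Apple's tooling): it restores only the data folders from a Time Machine snapshot into a fresh home directory and never touches 'Library', listing 'Library/Application Support' for manual review instead. The snapshot path and the folder list are assumptions; adjust them to your backup volume.

```shell
#!/bin/sh
# Added example: selectively restore user data from a Time Machine snapshot
# into a freshly installed system, leaving ~/Library behind.
set -eu

# Folders the answer recommends copying back; extend as needed (assumption).
DATA_DIRS="Documents Pictures Movies Music"

# restore_user_data SRC_HOME DST_HOME
# Copies only the whitelisted data folders (preserving attributes) from the
# snapshot's home directory into the new home. Nothing under Library is
# copied; its Application Support entries are printed so you can review and
# copy individual items by hand after checking their contents.
restore_user_data() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"
    for d in $DATA_DIRS; do
        if [ -d "$src/$d" ]; then
            cp -Rp "$src/$d" "$dst/"
        fi
    done
    if [ -d "$src/Library/Application Support" ]; then
        ls -1 "$src/Library/Application Support"
    fi
}

# Typical snapshot home path (assumed layout; substitute your Mac and user):
#   /Volumes/TimeMachine/Backups.backupdb/<Mac>/Latest/Macintosh HD/Users/<user>
# Usage: restore.sh <snapshot-home> <new-home>
if [ "$#" -eq 2 ]; then
    restore_user_data "$1" "$2"
fi
```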