MacOS – My iMac has been hacked via sshd. What now?

Tags: macos, security, ssh

My iMac runs Mac OS X Yosemite 10.10.1

I accidentally had "Remote Login" enabled in my Mac's system preferences, so the sshd was running.

I just noticed in Little Snitch's network monitor window that it logged about 90 connections from different servers to sshd. I checked the IP addresses on http://ipinfo.io and all the logged IP addresses are located in China, Hong Kong and South Korea.

It seems to be pretty bad.

I looked around a little bit in the network log available in Little Snitch and found out that the IP addresses appearing in the sshd log also appeared in the logs of several other processes, including

  • sh
  • DDService64d (apparently DDService64d is part of the Drobo
    Dashboard – I have a Drobo 5N installed in my LAN)
  • launchd

all with user "root" (including the sshd logs).
I thought user root was disabled by default on Mac OS X, but this might all be a result of the hack…

So the question now is how to proceed?

  • Of course I switched off "Remote Login" (sshd) on the machine.
  • I disabled the root user with the "dsenableroot -d" terminal command
  • I changed my admin password

I use a cable modem for internet connection (FritzBox 6360). UPnP is switched on (and I use this feature for several apps).
There were several mappings to port 22. I removed all of these.

But probably this won't be enough.

Since my computer definitely is compromised I don't really trust it anymore.
What should I do now? Erase the whole thing and reinstall everything from scratch?
That would be a huge amount of time going down the drain.

And what about the DDService64d access?
Is my Drobo 5N also compromised? Is there a way to check this?

My Time Machine backup is also saved on the Drobo 5N, so even if I decide to erase the computer and start all over again, how can I be sure that it won't be compromised again by the Time Machine backup on the Drobo?

Any advice?
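The Little Snitch monitor described in the question records that connections to sshd happened; it does not record whether any of them authenticated. That distinction comes from sshd's own log. The following is an added example (not part of the original question) that triages sshd log lines: it counts failed password attempts per source address and pulls out every "Accepted" line, then filters the successful logins down to those that did not come from the LAN. It assumes that on OS X 10.10 sshd logs via syslog to /var/log/system.log (rotated copies are system.log.N.gz); the log lines embedded below are constructed sample input using documentation-range IPs so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original question: triage of sshd log lines.
# Assumption: on OS X 10.10 sshd logs through syslog to /var/log/system.log
# (older rotated copies are system.log.N.gz); point the functions at that file.
# The lines below are CONSTRUCTED sample input so the script runs offline;
# the IPs are from the documentation ranges, not real attackers.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec 10 02:14:31 iMac sshd[612]: Invalid user admin from 203.0.113.45
Dec 10 02:14:33 iMac sshd[612]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Dec 10 02:14:36 iMac sshd[615]: Failed password for root from 203.0.113.45 port 51240 ssh2
Dec 10 02:14:39 iMac sshd[618]: Failed password for root from 203.0.113.45 port 51244 ssh2
Dec 10 02:15:02 iMac sshd[621]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec 10 02:15:05 iMac sshd[624]: Accepted password for root from 198.51.100.7 port 40002 ssh2
Dec 10 09:30:10 iMac sshd[900]: Accepted publickey for alice from 192.168.178.20 port 52000 ssh2
EOF

# Failed password attempts per source IP, busiest first ("count ip").
# Many of these from a few addresses is the signature of a brute-force scan.
ssh_failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for' "$1" \
      | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Every successful authentication as "user ip method". These are the lines
# that decide between "scanned" and "logged in"; a connection in Little
# Snitch's monitor alone does not tell you which.
ssh_accepted() {
    grep -E 'sshd\[[0-9]+\]: Accepted [^ ]+ for' "$1" \
      | sed -E 's/.*Accepted ([^ ]+) for ([^ ]+) from ([0-9.]+) port .*/\2 \3 \1/'
}

# Successful logins that did not come from the LAN (RFC 1918 / loopback).
ssh_external_accepted() {
    ssh_accepted "$1" \
      | awk '$2 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/'
}

echo "failed attempts by source:"
ssh_failed_by_ip "$SAMPLE_LOG"
echo "successful logins from outside the LAN:"
ssh_external_accepted "$SAMPLE_LOG"
```

To use it on the real machine, replace SAMPLE_LOG with /var/log/system.log (and gunzip the rotated copies). Two caveats: the log only covers what has not rotated out, and anyone who did obtain root could have edited it, so an empty "Accepted" list is evidence, not proof.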

Best Answer

If you are absolutely certain that your Mac has been hacked I'd strongly recommend that you erase your hard drive, reinstall OS X and manually copy your data back from Time Machine:

  1. Back up your Mac.
  2. Restart and hold Command+R to enter OS X Recovery (http://support.apple.com/en-us/HT4718).
  3. Select 'Disk Utility' and reformat your hard drive (http://support.apple.com/kb/PH5849).
  4. Quit 'Disk Utility' and select 'Reinstall OS X'. Note that (from http://support.apple.com/en-us/HT4718):

    Reinstalling OS X using Recovery requires broadband access to the Internet using a Wi-Fi or Ethernet connection. OS X is downloaded over the Internet from Apple when OS X Recovery is used for reinstallation. You must use DHCP on your Wi-Fi or Ethernet network to reinstall OS X using OS X Recovery. If you bought OS X from the Mac App Store, you may be prompted to enter the Apple ID and password you used to purchase OS X.

  5. When OS X is up and running, plug in your external Time Machine drive, open it in Finder, open the folder named after your Mac and then the 'Latest' folder (http://www.macissues.com/2014/04/14/how-to-restore-files-from-time-machine-manually/).
  6. Browse to 'Applications' and copy non-Mac App Store applications back to '/Applications'. Note that some apps (for example VMware Fusion) won't work properly if copied; you must reinstall them with the installer provided by the manufacturer.
  7. Install Mac App Store applications from the App Store.
  8. Browse to 'Users/[your username]' and copy Documents, Pictures, Movies, Music, and any other folder that contains important data to your new home folder.
  9. I would refrain from copying 'Library', although that's where your settings are located. If you have iCloud Mail, Contacts, Calendars, Reminders, Safari, Notes and Keychain synchronization enabled most of your settings will rebuild themselves just fine. You may want to selectively copy application settings from 'Library/Application Support' after checking the files' contents.
  10. If you share your Mac with other people repeat steps 8 and 9 for their accounts.

iCloud synchronization is especially important for Keychain, and I talk from experience: I had a pretty hard time exporting and importing Keychain after installing OS X Yosemite from scratch without restoring from a Time Machine backup.

A piece of advice: It is best practice that the login account you use on a daily basis doesn't have administrative rights. You should create an administrative account instead. I usually call it admin:

[screenshot]

while my account is 'Standard'. The side effect is that OS X will prompt you to type admin's password every now and then, for example to edit settings in System Preferences:

[screenshot]

Good luck!
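The answer's step 9 says to copy settings out of the old 'Library' only selectively and only after checking the files. The part of a user's Library that actually runs code at login is Library/LaunchAgents, so that is the first place to read before anything is copied into the fresh install. The following is an added example (not code from the original answer) that lists every launch agent plist in a directory with its Label, command and RunAtLoad flag, and flags the ones that deserve a closer look. Point it at Library/LaunchAgents inside the restored Users/[your username] folder on the Time Machine volume. It assumes the plists are in the usual one-element-per-line XML form (what `plutil -convert xml1` produces; binary plists must be converted first); the directory and both plists it creates are constructed sample input, and the "suspicious" heuristics are my assumptions, not a rule from the page.

```shell
#!/bin/sh
# Added example, not part of the original answer: review the launch agents in
# a restored home folder before copying anything from its Library back.
# Assumption: the plists are in the usual one-element-per-line XML form
# (what `plutil -convert xml1` produces); binary plists must be converted
# first. The directory and both plists below are CONSTRUCTED sample input.

SAMPLE_AGENTS=$(mktemp -d)
cat > "$SAMPLE_AGENTS/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>Program</key>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
cat > "$SAMPLE_AGENTS/helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/me/Library/.cache/run</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF

# Print the <string> value(s) that follow <key>$2</key> in plist $1:
# one string for a plain key, all of them (space-joined) for an array.
plist_strings() {
    awk -v key="<key>$2</key>" '
        index($0, key)      { found = 1; next }
        found && /<key>/    { exit }
        found && /<string>/ { s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
                              out = out (out == "" ? "" : " ") s }
        END { if (out != "") print out }
    ' "$1"
}

# Print "true"/"false" for the boolean under <key>$2</key>, nothing if absent.
plist_bool() {
    awk -v key="<key>$2</key>" '
        index($0, key) { found = 1; next }
        found { if ($0 ~ /<true\/>/) print "true"; else print "false"; exit }
    ' "$1"
}

# One line per plist: "file|Label|command|RunAtLoad".
review_launch_agents() {
    for p in "$1"/*.plist; do
        [ -e "$p" ] || continue
        label=$(plist_strings "$p" Label)
        cmd=$(plist_strings "$p" Program)
        [ -n "$cmd" ] || cmd=$(plist_strings "$p" ProgramArguments)
        printf '%s|%s|%s|%s\n' "$(basename "$p")" "$label" "$cmd" "$(plist_bool "$p" RunAtLoad)"
    done
}

# Heuristics (my assumptions, not a rule from the page): a Label that is not
# reverse-DNS style, or a command that runs from /tmp, /var/tmp or a hidden
# directory, is worth reading before the plist goes into the fresh install.
flag_suspicious() {
    review_launch_agents "$1" | awk -F'|' '
        $2 !~ /\./ || $3 ~ /(^| )\/(private\/)?(var\/)?tmp\// || $3 ~ /\/\./ { print }
    '
}

echo "all launch agents:"
review_launch_agents "$SAMPLE_AGENTS"
echo "worth a closer look:"
flag_suspicious "$SAMPLE_AGENTS"
```

Run the same review over Library/LaunchDaemons at the top level of the old volume as well; a flagged entry is not proof of compromise, but it is exactly the kind of file the answer's advice against copying 'Library' wholesale is meant to keep out of the new install.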