MacOS – ShellShock: Do I need to be worried about this on OS X Mavericks

Tags: firewall, macos, server.app, ssh

The title kind of says it all… I was in the process of bringing up a rather extensive set of Mac OS X Server machines when Shellshock hit the world. As soon as I saw the news, I hastily began configuring the PF firewall. Probably too hastily, as I managed to break several of the services I was configuring.

Now one of the Mac OS X machines that was directly exposed to the Internet is behaving very strangely. I can no longer log into the machine either through Remote Desktop or the normal login window. (I get the shaking dialog box, as if I had entered the wrong password.) Yet I can still log in through SSH just fine.

I know my way around OS X pretty well, and I don't see any unusual-looking processes running. So, unless there's some kind of rootkit for Mac OS X Mavericks in the world, or my Mac Mini server just chose this moment to manifest some kind of hardware problem, it seems like bringing down the firewall should get me back into the machine.

Is it safe?

Best Answer

I would err on the side of caution and wipe any server on which you see odd behavior if it was exposed to the public internet without a logging firewall and/or some sort of tripwire or security scan set up to compare what changed since installation.

I think one of my OS X servers was compromised for the first time ever during this bash scripting vulnerability window. The time it would take me to search for a rootkit is far longer than the time it took me to make one last backup, then wipe it from an external drive and start over.

In my case, I had a new user named A Lo created as a standard user. Pretty odd and very unsubtle of someone who manages to gain control of a server with a fixed IP address.

Basically, the more sophisticated the black hat that has compromised your computer, the less likely you are to notice it. So, from a reliability standpoint, if you notice instability it's likely because the people who have compromised your server are inept or sloppy, and they will eventually cause you to have to reinstall.


Just to be clear, any server that's hidden behind a router with NAT is far less vulnerable than a server running live services 24/7 with a real, static IPv4 address and no firewall whatsoever. People who just run OS X should have no concerns at all unless they have other reasons to think they are compromised.
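The three checks the answer gestures at, written out as an added example that is not part of the original question or answer: test the installed bash for CVE-2014-6271 (the first Shellshock bug, the `env x='() { :;}; ...'` probe), diff the local account list against a baseline to catch an unexpected account like the one described, and snapshot a directory's file checksums so a later run shows what changed since installation. The account lists and the files fed to the snapshot are constructed sample data so the script runs offline; on a live OS X machine the account list would come from `dscl . -list /Users UniqueID`, which prints the same "name uid" shape. Everything else (function names, the sample `alo` account, the use of `cksum`) is an assumption of this example.

```shell
#!/bin/sh
# Added post-Shellshock triage script (example code, not from the original post).
# Runs offline: the account lists and the checksum test data are constructed below.

# 1. Is the installed bash still vulnerable to CVE-2014-6271?
#    A vulnerable bash executes the code that follows the function body
#    ("echo vulnerable") when it imports the variable x from the environment.
#    A patched bash ignores it (and warns on stderr, which we discard).
check_shellshock() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 2. Accounts that exist now but were not in the baseline.
#    Each list is "name uid" per line, the shape `dscl . -list /Users UniqueID`
#    prints on OS X. These two lists are constructed sample data; a real baseline
#    would be captured right after installation and stored off the machine.
BASELINE_USERS='root 0
_www 70
admin 501'
CURRENT_USERS='root 0
_www 70
admin 501
alo 502'

new_users() {
    # $1 = baseline list, $2 = current list; prints names present only in $2
    printf '%s\n' "$2" | while read -r name uid; do
        [ -n "$name" ] || continue
        printf '%s\n' "$1" | grep -q "^$name " || echo "$name"
    done
}

# 3. Checksum snapshot of a directory tree, and what differs from a saved one.
#    cksum is POSIX but only a CRC, so it catches sloppy changes, not a deliberate
#    collision; for a real baseline use `shasum -a 256` on OS X.
snapshot() {
    # $1 = directory; prints "checksum size path" per regular file, sorted by path
    find "$1" -type f -exec cksum {} + | sort -k3
}

changed_files() {
    # $1 = baseline snapshot file, $2 = current snapshot file
    # prints the path of every file whose "checksum size path" line is new or changed
    grep -vxF -f "$1" "$2" | cut -d' ' -f3-
}

# Demo run over constructed data: one file is tampered with, one is added.
echo "bash: $(check_shellshock)"
echo "accounts not in baseline: $(new_users "$BASELINE_USERS" "$CURRENT_USERS")"
demo=$(mktemp -d)
echo one > "$demo/a"; echo two > "$demo/b"
snapshot "$demo" > "$demo.base"
echo tampered > "$demo/b"; echo new > "$demo/c"
snapshot "$demo" > "$demo.cur"
echo "changed since baseline:"
changed_files "$demo.base" "$demo.cur"
rm -rf "$demo" "$demo.base" "$demo.cur"
```

The account check only works if the baseline was taken before exposure, which is the answer's point about setting up the comparison at installation time; a list captured after the incident just enshrines whatever the intruder added. The snapshot is likewise only as trustworthy as where the baseline file lives: keep it off the host, since an intruder with root can rewrite a local one.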