
How to Protect Yourself From The New Mac OS X Trojans

David Gorrell - 02:46pm Jun 24, 2008 PST

OK - I thought that the "Protect from Trojans" article had a good recommendation to disable the ARD client. But when I try to input the command in Terminal, it refuses to accept my Admin password (in 2 different accounts!). So then I guess that the Root User has to be enabled, so I do that through Directory Utility and give the Root User a unique password, but Terminal still refuses to authenticate.

What am I doing wrong?

  ~ David G.

iMac 24 w. 10.5.3



Mega Hertz - Sep 5, 2008 8:36 am (#28 Total: 30)  

Re: How to Protect Yourself From The New Mac OS X Trojans

Can someone help me with this? I first found info on this trojan and tried running a few Terminal commands to fix it.

I would get "18:19: Syntax Error: No user interaction allowed. (-1713)" when I ran:

    osascript -e 'tell app "ARDAgent" to do shell script "whoami"'

and I ran the other suggestions on the CoreServices/RemoteManagement folder:

    $ sudo defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES
    $ sudo plutil -convert xml1 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
    $ sudo chmod 644 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist

So now I used just the standard Finder to go to the CoreServices folder, and I see a red negative symbol on the RemoteManagement folder, and I do not have privileges to view this folder's contents.

I am logged in as root. I am using OS X 10.3.9.

Can anyone tell me how to regain access to that RemoteManagement folder? I fear I am being exploited by this botnet setup, as I run a simple web server using my old Mac. When I capture my TCP/IP tcpdump packets, I repeatedly see a message in one of the packets saying my registry is corrupt and I should visit windowsregistryfix dot com to download a registry patch. So I am assuming my Mac is sending out botnet popups to other computers.

I have otherwise locked down my Mac in every other possible way. I am fairly Mac savvy but really only a long-term newbie, using Mac OS 7 to now.

Any help with this would be greatly appreciated.
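An added example, not code from this thread or from TidBITS, that packages the checks around the ARDAgent mitigation quoted in the post above: it classifies what the osascript probe printed, reads NSAppleScriptEnabled back out of the XML Info.plist so you can confirm the defaults/plutil steps took effect, and reports the file mode the chmod 644 step should leave. The probe command and plist path are the ones quoted in the thread; SAMPLE_PLIST and the sample probe outputs are constructed for the demo, not captured from a real machine, and the script does not decide which value of NSAppleScriptEnabled is correct.

```shell
#!/bin/sh
# Added example (not from the thread or from TidBITS). Assumptions: the probe
# command and ARD_PLIST path are the ones quoted in the thread; SAMPLE_PLIST
# and the probe outputs used in the demo are constructed, not captured.

ARD_PLIST=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist

# Classify the merged stdout+stderr of
#   osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
#   root           -> ARDAgent ran the shell command as root: vulnerable
#   "... (-1713)"  -> the Apple event failed with errAENoUserInteraction
#   anything else  -> ran as a non-root user, or output is unexpected
classify_ard_probe() {
    case "$1" in
        root)        echo vulnerable ;;
        *"(-1713)"*) echo refused ;;
        *)           echo other ;;
    esac
}

# Print the value stored under <key>NSAppleScriptEnabled</key> in an XML plist
# read from stdin: "true"/"false" for a boolean, the text of a <string>, or
# "absent" if the key is missing. `defaults write` rewrites the file as a
# binary plist, which this does not parse; the thread's `plutil -convert xml1`
# step turns it back into XML.
plist_applescript_enabled() {
    awk '
        /<key>NSAppleScriptEnabled<\/key>/ {
            found = 1
            sub(/.*<key>NSAppleScriptEnabled<\/key>/, "")   # value may share the line
        }
        found == 1 && /<true\/>/  { print "true";  found = 2; exit }
        found == 1 && /<false\/>/ { print "false"; found = 2; exit }
        found == 1 && /<string>/  {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; found = 2; exit
        }
        END {
            if (found == 0) print "absent"
            else if (found == 1) print "unrecognized"
        }
    '
}

# Symbolic mode of a path; after chmod 644 a regular file shows -rw-r--r--.
# ls -ld is used because stat(1) flags differ between the BSD and GNU versions.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample resembling the Info.plist after the thread's defaults and
# plutil steps (the CFBundleExecutable entry is only filler).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>ARDAgent</string>
    <key>NSAppleScriptEnabled</key>
    <string>YES</string>
</dict>
</plist>'

# Live run, macOS only: run the probe, then read the real plist and its mode.
# Reading ARD_PLIST needs the same access the thread's sudo commands have.
ard_status() {
    [ "$(uname -s)" = Darwin ] || { echo "not macOS: nothing probed"; return 0; }
    probe=$(osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 2>&1)
    echo "probe result:         $(classify_ard_probe "$probe")"
    echo "NSAppleScriptEnabled: $(plist_applescript_enabled < "$ARD_PLIST" 2>/dev/null)"
    echo "Info.plist mode:      $(mode_of "$ARD_PLIST" 2>/dev/null)"
}

# Demo on the constructed sample; pass --live on a Mac to inspect the real file.
echo "sample plist NSAppleScriptEnabled: $(printf '%s\n' "$SAMPLE_PLIST" | plist_applescript_enabled)"
if [ "${1:-}" = --live ]; then ard_status; fi
```

Run it with no arguments anywhere to see the parser work on the constructed sample; run `sh script.sh --live` on a Mac (with read access to the RemoteManagement folder) to get the three live readings. A "refused" probe result only says the event failed with -1713, which is what the post above reports; whether that machine was ever exploitable is a separate question the script does not answer.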

johnbaxterlists (apparently) - Sep 6, 2008 6:37 am (#29 Total: 30)  

Re: How to Protect Yourself From The New Mac OS X Trojans

On Fri, Sep 5, 2008 at 8:36 AM, Mega Hertz <mysoundeditorsympatico.ca> wrote:
> So i am assuming my mac is sending out botneted popups to other computers.

Step 1 in this situation is to pull the Ethernet connection or turn
off the wireless (or both). Isolate the machine. Then fix it (which
may mean erasing the hard drive and starting over).

Hank Roberts - Sep 7, 2008 11:17 am (#30 Total: 30)  

Re: How to Protect Yourself From The New Mac OS X Trojans

For those of us still using 10.3.9, would someone sum up the current best advice on avoiding, testing for, and if possible fixing this?

Is there any simple way to know the status of the machine by now?


