My iMac runs Mac OS X Yosimite 10.10.1
I accidentally had "Remote Login" enabled in my Mac's system preferences, so the sshd was running.
I just notified in Little Snitch's network monitor window, that it logged about 90 connections from different servers to sshd. I checked the ip addresses on http://ipinfo.io and all the logged ip addresses are located in China, Hong Kong and South Korea.
It seems to be pretty bad.
I looked around a little bit in the available network protocol of Little Snitch and found out, that the ip addresses appearing in the sshd log also appeared in the logs of several other processes, including
- sh
- DDService64d (apparently DDService64d is part of the Drobo Dashboard - I have a Drobo 5N installed in my LAN)
- launchd
all with user "root" (including the sshd logs). I thought user root was disabled by default on Mac OS X, but this might all be results of the hack...
So the question now is how to proceed?
- Of course I switched off "Remote Login" (sshd) on the machine.
- I disabled the root user with the "dsenableroot -d" terminal command
- I changed my admin password
I use a cable modem for internet connection (FritzBox 6360). UPnP is switched on (and I use this feature for several apps). There where several mappings to port 22. I removed all these.
But probably this won't be enough.
Since my computer definitely is compromised I don't really trust it anymore. What should I do now? Erase the whole thing and re-install all new? That would be a huge amount of time going down the drain.
And what's about the DDService64d access? Is my Drobo 5N also compromised? Is there a way to check this?
My TimeMachine backup is also saved on the Drobo 5N, so even if I decide to erase the computer and start all over again, how can I be sure, that it isn't compromised again by the TimeMachine backup on the Drobo?
Any advice?
Aucun commentaire:
Enregistrer un commentaire