  #1  
Old February 26th, 2006, 04:25 PM
Registered User
 
Join Date: Feb 2006
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts
MBennett is on a distinguished road
Has my machine been *owned*??

I just bought a Dual 1.8 GHz G5 on eBay, and I think it may be set up as some kind of file server or at the very least be allowing access to other users. I do graphic design, so I've been working on Mac since System 8, but I've never owned one, so I haven't had much time to explore the system.

The guy I bought it from sent the machine with the original OS 10.3 disks and it had a fresh install of OS 10.4 on it. From day one System 9 (Classic) was nowhere to be found on the machine. I did what I, being new to the system, thought you should do to secure the machine, but shortly after I started using it, odd things began happening. Shareware programs I had installed would just disappear, my desktop views wouldn't cooperate, system preferences would mysteriously revert after I closed the window.

It gets stranger than that, but I would hate to sound like a conspiracy theorist on my first post. Bottom line is that today, I booted from a system disk and logged in under single user mode to try to make some sense of the directory, and when I went to the "Change Password" drop down, there were suddenly 13 hidden root users. Their user names were all names of programs I had installed, so I'm not sure if that is normal, or if that is just how they gained root. I changed all the passwords, and looked around some more, and now here I am.

I would love to get back to a nice, simple, secure install of OS 10.4, but I'm not sure where to start. I've reinstalled a few times already, with no luck. I would love some help, I am just not sure what information would best help in the diagnosis. Let me know what to post and I will. Thanks.

**Edit: Sorry, I just saw the "Read before you post" thread. I have run permissions and verified my disk numerous times. I have Tech Tool Pro 4 and a brand new Disk Warrior, which I have also run several times along with the Apple Disk Utility. My machine is attached to a monitor, a USB2 external hard drive, some speakers and the internet. This has been going on since I got the machine on the 8th of February, and just yesterday my DSL modem went out (for reasons unrelated to the computer), and I bought a new one with a hardware firewall system, which I haven't configured totally yet. If anything else will help, let me know. Thanks.

Last edited by MBennett; February 26th, 2006 at 05:09 PM.
  #2  
Old February 26th, 2006, 05:54 PM
nixgeek's Avatar
Mac of the SubGenius! :-)
 
Join Date: Jan 2004
Location: Miami, FL
Posts: 7,738
Thanks: 20
Thanked 100 Times in 84 Posts
nixgeek has a spectacular aura about
Your best bet at this point would be to back up the files that you placed into that Mac (not apps, but documents or any other files that you've created) and reinstall OS X. It might not be Tiger, but at least you have the system discs in order to install Panther (which is plenty good enough... the only major thing you'll be missing is Spotlight and Dashboard, if you can even call those major). Be sure to format the drive; that way there is nothing remaining from the previous owner. This should bring your system back to normal.
__________________
Apple iMac G5 17" (2 GHz G5) - Mac OS X 10.4.11
Apple Macintosh Quadra 650 (33 MHz MC68040) - Mac OS 8.1
Apple PowerBook Duo 230 (33 MHz MC68030) - System 7.1
"JHVH-1" (2 GHz AMD Athlon XP 2400+) - Slackware 12.1
"Kidbuntu" (2.8 GHz Celeron D 335) - Ubuntu 8.04
  #3  
Old February 26th, 2006, 06:06 PM
powermac's Avatar
iMac Dual 2.0 17'
 
Join Date: Aug 2002
Location: Manhattan NY
Posts: 1,216
Thanks: 0
Thanked 1 Time in 1 Post
powermac is on a distinguished road
Always good to do a clean install if you buy second hand.
  #4  
Old February 26th, 2006, 08:23 PM
fryke's Avatar
Super Moderator
 
Join Date: Sep 2000
Location: macosx.com
Posts: 13,322
Thanks: 2
Thanked 21 Times in 19 Posts
fryke has a spectacular aura about
Yep, I'd never use a system installed by someone who owned the machine previously... You're just _never_ sure what they've done.
__________________
MacBook Air 13" 1.6 GHz, 2 GB RAM, 80 GB HD. Mac OS X 10.5.5
Hackintosh Core2Duo 2.4 GHz, 2 GB RAM, 160 GB HD. Mac OS X 10.5.5
iPhone 3G 16 GB white, AppleTV 1G 40 GB

Mac user since 1987, Apple Product Professional 2007, 2008. Apple Certified Support Professional 10.5
  #5  
Old February 27th, 2006, 12:39 AM
Registered User
 
Join Date: Feb 2006
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts
MBennett is on a distinguished road
Let me go ahead and expand the information a little bit. I got the machine with the "fresh" install, and used it for about a week when I started to notice the oddities. I was planning on getting a new drive for it the whole time, I just hadn't been able to get it yet. Anyway, I tried resetting the PRAM and the Open Firmware, powering down the machine. I've run Tech Tool Pro 4, Disk Warrior 3, and any number of utilities to try to coax out some information. When I finally got my new hard drive, I wiped the old one, physically took it out of the machine, powered it down, started back up from CD, reset the PRAM, Open Firmware and the reset-all in Open Firmware. I even reset the PMU. I installed my new drive straight out of the wrapper, booted up from my OS 10.4 disk, and installed my OS. By that night, it was back.
Like I said, I don't want to seem paranoid, especially because I don't know the ins and outs of the Mac file system, but there are a few things that I have seen that are a little different from the examples I see on the internet. The Open Firmware seems to have a different structure than is shown in most tutorials, and the hard drive structure seems to be different as well. I'm not sure if it is possible that a directory structure has been written into some type of memory somewhere or something. Another oddity is that my battery just died.
The thing is, with physical access to a machine, anything is possible. Could they have set up the drive, stored a directory in memory and altered the power settings to go into sleep instead of shut down to retain the structure? The extra power draw would explain a dead battery. Anyhow, I appreciate any thoughts and if I can explain any further, let me know.
  #6  
Old February 27th, 2006, 01:00 AM
Registered User
 
Join Date: Feb 2006
Posts: 26
Thanks: 0
Thanked 0 Times in 0 Posts
BGprinting is on a distinguished road
Wow, lots going on here. I will just address a few. When you formatted your drive you should have selected HFS+. Also, I am not saying it doesn't work, but I never run or install Classic on a machine running OS X, so I would deselect the load sys9 drivers when formatting the disk. As far as security goes, you can download the SNAC documentation from many internet sites; it pretty much covers security issues and setups for consumers all the way up to medical and government class security levels. Also check the Apple site for those batteries; I have already bought a few machines that had the recalled batteries. Also try removing any added RAM and see if anything changes. FYI, Disk Warrior: I like it.

Last edited by BGprinting; February 27th, 2006 at 10:02 AM.
  #7  
Old February 27th, 2006, 07:23 AM
powermac's Avatar
iMac Dual 2.0 17'
 
Join Date: Aug 2002
Location: Manhattan NY
Posts: 1,216
Thanks: 0
Thanked 1 Time in 1 Post
powermac is on a distinguished road
Okay, sorry for the mix up. Sounds to me like you have tried everything I would. Unless there is something wrong with the hardware. You came to the right site for help.
  #8  
Old February 27th, 2006, 11:31 AM
perfessor101's Avatar
Registered User
 
Join Date: Feb 2004
Posts: 748
Thanks: 0
Thanked 0 Times in 0 Posts
perfessor101 is on a distinguished road
The multiple "hidden users" associated with apps you have installed is completely normal OS X/Unix operation. Many applications install and use their own "user" in the system to handle functions regardless of which particular user is actually logged on.

Without knowing what those 13 applications are I would also say that it is not unusual for them to take advantage of the user being idle and grabbing some system resources to go do their thing. You have already mentioned TechTool Pro and its various protection features do just that. Anti-virus applications are another user of resources during slack user time. There is nothing unusual in any of that.

Open Firmware is written in Forth which is a world all unto itself. I have written some code in Forth and it was a lot of fun to work with even if it does give conventional programmers a headache trying to comprehend. Unless you are an expert Forth programmer, and maybe not even then, you really can't tell that much about the organization of the Open Firmware. Since you are running OS X 10.4, it is safe to assume the drive is formatted Mac OS Extended (a.k.a. HFS+) so when you talk about the volume structure, I presume you are referring to the structure outlined in Apple Developer Technote TN1150 and if so congratulations on having the patience to wade through that Technote. However, it should be pointed out that OS X 10.4 modifies that structure somewhat to accommodate Spotlight which is why versions of Disk Utility and fsck prior to those that shipped with Tiger will actually damage the volume structure beyond repair if Tiger has been used on the volume.

NOTE: For more information on Open Firmware the best place to start is Openfirmware.org/ and FIG (Forth Interest Group) is the best source of information on the Forth programming language. FIG actually owns the Forth language standard, but using standard and Forth in the same sentence is a contradiction in terms.

It is extremely unlikely that anyone could have left a trojan behind that would survive erasing the drive. It would either have to be in a separate partition/volume or embedded in the Mac firmware. Just because you are paranoid doesn't mean someone is not out to get you, but in this case I think you are just paranoid and no one is out to get you. If however, the seller on eBay was aware that you are doing Top Secret research for the National Security Agency or the Department of Defense and are receiving hundreds of thousands of dollars for capturing your data then all bets are off.
__________________
G4/1.25 MDD, 1.5 GB, OS X 10.4.5
G4/133 Quicksilver, 1.2 GB, OS X 10.4.5
iBook G4/1.25, 1 GB, OS X 10.4.5

Last edited by perfessor101; February 27th, 2006 at 11:39 AM.
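
An added example, not part of the original thread or any poster's code: one way to check the distinction discussed above between hidden service accounts and accounts that really hold root (UID 0). It classifies "name uid" pairs in the format printed by `dscl . -list /Users UniqueID` on Mac OS X; the 500 cut-off for human accounts is an assumption, and the sample account list is constructed.

```shell
#!/bin/sh
# Classify local accounts from "name uid" pairs (one per line on stdin).
# Assumption: human logins start at UID 501; lower (and negative) UIDs are
# system or application service accounts that the login window hides.
classify_accounts() {
    awk '
        NF < 2 || $2 !~ /^-?[0-9]+$/ { print "MALFORMED\t" $0; next }
        $2 == 0 && $1 != "root"      { print "ALERT_UID0\t" $1; next }
        $2 == 0                      { print "ROOT\t" $1; next }
        $2 < 500                     { print "SERVICE\t" $1; next }
                                     { print "HUMAN\t" $1 }
    '
}

# Constructed sample: service accounts, one human login, and one extra
# UID 0 account ("toor") that is the case worth investigating.
sample_accounts() {
    cat <<'EOF'
root 0
daemon 1
nobody -2
www 70
mysql 74
postfix 27
mbennett 501
toor 0
EOF
}

# Print how many sample accounts fall into class $1.
count_class() {
    sample_accounts | classify_accounts |
        awk -F '\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Use live data where dscl exists, otherwise the constructed sample.
if command -v dscl >/dev/null 2>&1; then
    dscl . -list /Users UniqueID | classify_accounts
else
    sample_accounts | classify_accounts
fi
```

Only `ALERT_UID0` lines indicate an account other than `root` with full root privileges; `SERVICE` lines are the hidden application accounts described in post #8.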