
02 July 2012

Comments

Alright so I have got everything done correctly to the tee, except I cannot seem to get the prey.sh to become executable. I know there is nothing wrong with my script, because If I manually copy and paste the contents of my prey.sh file into terminal and run it, it works i.e. my computer goes from being "okay" to "stolen" on prey's server automatically without even logging in. (which in of itself is pretty cool btw). So the issue isn't with the device ID or API key; clearly I have got that part right. I just can't get it to do it by itself on startup. I suspect I have yet to properly make my prey.sh script executable. I have tried both "chmod x+" and "chmod 755", and neither works. Let me ask you this, should "prey.sh" turn into a black "Unix Executable" file when properly made "executable" like all the other files in the /usr/bin directory? Because even after applying chmod to it, it still shows as a text file (white icon).
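The thread above turns on one question: is prey.sh actually executable, and does it start with a shebang line? The Finder icon is not a reliable indicator; the file mode and the first line are. The script below is an added example (not code from the original post or from the Prey project) that checks both for any path you pass it, and demonstrates the before/after of `chmod +x` on a constructed temporary file rather than on a real prey.sh.

```shell
#!/bin/sh
# Added example, not part of the original post or of Prey.
# check_script PATH: verifies that PATH is a regular file, carries the
# execute bit, and begins with a '#!' interpreter line. Prints what is
# missing and returns 0 only when every check passes.
check_script() {
    path="$1"
    status=0
    if [ ! -f "$path" ]; then
        echo "missing: $path is not a regular file"
        return 1
    fi
    if [ ! -x "$path" ]; then
        echo "not executable: run 'chmod +x $path'"
        status=1
    fi
    first=$(head -n 1 "$path")
    case "$first" in
        '#!'*) ;;
        *) echo "no shebang: first line should name the interpreter, e.g. '#!/bin/sh'"
           status=1 ;;
    esac
    return $status
}

# Demo on a constructed temporary file (assumed stand-in for prey.sh):
# the check fails before chmod +x and passes afterwards.
demo() {
    tmp=$(mktemp) || return 1
    printf '#!/bin/sh\necho hello\n' > "$tmp"
    check_script "$tmp"; before=$?   # 1: execute bit not set yet
    chmod +x "$tmp"
    check_script "$tmp"; after=$?    # 0: now runnable
    rm -f "$tmp"
    echo "before chmod: $before, after chmod: $after"
}

demo
```

Run it as `sh check_script.sh`, or source it and call `check_script /usr/bin/prey.sh` directly; a non-zero return tells you which of the two conditions launchd will trip over.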

James,

Sorry, I did miss those comments. Yes, after installing OS X, I removed a whole bunch of language/printer and other items. I don't remember the exact programs I used, but I'm sure you can find them, they were pretty easy to find. After that I was able to shrink the partition some more.

Sorry to repost this question, but I don't think you saw I asked it. How did you get your trap partition down to 7GB? For me it seems that OS X's install takes up 15GB minimum. Did you go through and selectively delete some unnecessary native files and folders that take up space? For example, deleting all of the "voices" could save some space. Is this the approach you took?

Jaku how did you get your trap partition down to 7GB? For me it seems that OS X's install takes up 15GB minimum. Did you go through and selectively delete some native files and folders that take up space?

When I resize my trap partition, I end up with an un-reclaimable "gap" at the very end of the partition scheme, i.e. the free space gained from reducing the size of the trap partition cannot be consolidated with my main partition. I suppose this makes sense since you cannot change where a partition begins, only where it ends, correct? If so, wouldn't that make resizing the partition pointless?

Thank you jaku! :-)

James,

If you type "chmod +x /usr/bin/prey.sh" without quotes, and if that is the path where you put the prey.sh file, then that will make it executable.

Everything was going fine following this guide until I got to the bit about the "prey.sh" file, in particular, "make sure the script is executable" without explanation. wtf? Please help!

Hi,
Thanks for the posting. Very interesting.

Two questions:

1) Why do you add specific scripts for Prey? If you have installed the product won't these already be installed and working? What do these add to a normal installation?

2) When you boot normally into the 'trap' partition you still see an attempt to mount the other partition and if using FV2 you see the password request. Is there an easy way to prevent this automount of the second 'secure' partition when booting into the 'trap' partition?
Thanks
Paul

Nice posting. Two questions if I may:

1) Why do you need the extra Prey scripts if you have installed the Prey product? Doesn't that already include all you need? What extra do your scripts do?

2) Is there are way of not trying to automount the second (working or 'real') partition? Otherwise when you boot of the 'trap' partition you are asked for the password for the second partition?

Thanks
Paul

Kenshin,

Thanks for going though the guide and letting me know what did and did not work.

1. Thanks, I did this on my new MacBook Air 2012 and was able to use the Apple tool, which I didn't realize only worked on the newer ones.

2. I'll change the guide to make sure people set a password on that account first.

3. You could have better luck using the command line. If you type "diskutil list" it will show your partitions. From there if your trap partition was "disk0s4", you can type "diskutil resizeVolume disk0s4 -5gb" and reduce the size by 5gb. I've gotten mine down to just around 7gb. You may have issues if you already encrypted your main partition.

4. Thanks. I could have sworn it didn't need the .plist in the command, but I confirmed that it does indeed need the full filename.

Thanks again!

Great, I got it all working now. FYI, some minor stuff I noticed:

#1. The recovery disk assistant didn't work for me (MacBook Air late 2011, https://dl.dropbox.com/u/72498/Screen%20Shot%202012-07-04%20at%207.18.08%20PM.png).
I think it doesn't have a recovery partition. So I used this guide to create a bootable USB: http://www.tuaw.com/2011/08/11/build-your-own-lion-install-usb-thumb-drive-for-cheap

#2. In the script where it says to use "sudo" I got an error. This was because the account didn't have a password set. "sudo" only works for accounts with a password...

#3. I can't shrink the newly created partition. It says "this partition can't be modified": https://dl.dropbox.com/u/72498/Screen%20Shot%202012-07-04%20at%2011.11.44%20PM.png
No idea why.

#4. Small typo: "...register the LaunchDaemon with this command "launchctl load /Library/LaunchDaemons/com.jaku.prey"" should be: "launchctl load /Library/LaunchDaemons/com.jaku.prey.plist"

Thanks again for the guide Jaku :-)

Kenshin,

That is odd, it should allow you to remove a user if you're logged in like that. You can delete the old user using a similar command to the way you created your hidden account.

dscl . delete /groups/admin GroupMembership ORIGINAL_ADMIN
dscl . delete /groups/ORIGINAL_ADMIN GroupMembership ORIGINAL_ADMIN
dscl . delete /users/ORIGINAL_ADMIN

Make sure you are running in root on terminal by first running "su HIDDEN_ADMIN" and then "sudo su".

Fast reply, thanks!!

Now another problem; I'm logged in as the normal user ("Apple"), I click the lock icon in the "Users & Groups" window, then enter the hidden admin username & password.
So far so good, but when I select the original Administrator account, the "delete the selected user account" button is disabled. So I can't delete it...

Kenshin,

You're right a step was missing. Run this command to add your user to the Administrator group.

dscl . append /Groups/admin GroupMembership YOUR_USER_NAME

I'll get this updated in the actual post soon. Thanks for letting me know!
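The two exchanges above (the dscl deletion commands for the original admin, and the missing `dscl . append /Groups/admin GroupMembership` step) share one failure mode: if the hidden account is not really in the admin group when the original Administrator is removed, the machine is left with no administrator at all. The script below is an added example, not part of the original post or of Prey, that checks admin-group membership before you run the delete commands. It parses the `GroupMembership:` line that `dscl . -read /Groups/admin GroupMembership` prints, so it can be tested on a non-Mac host with constructed output, and only calls dscl itself when that tool exists. The user names (`Apple`, `HIDDEN_ADMIN`) in the sample line are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Prey.
# admin_members_contain LINE USER: LINE is the output of
#   dscl . -read /Groups/admin GroupMembership
# in the form "GroupMembership: root user1 user2". Returns 0 when USER is
# listed as a member, 1 otherwise. Whole-word match only, so "Appl" does
# not match "Apple".
admin_members_contain() {
    line="$1"
    user="$2"
    members=${line#GroupMembership:}
    for m in $members; do
        if [ "$m" = "$user" ]; then
            return 0
        fi
    done
    return 1
}

# is_admin USER: live check on a Mac. Returns 2 when dscl is not present
# (e.g. when run on Linux), so a caller can tell "not admin" from "unknown".
is_admin() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not available on this host"
        return 2
    fi
    admin_members_contain "$(dscl . -read /Groups/admin GroupMembership)" "$1"
}

# Constructed sample of dscl's output, used when no Mac is at hand.
SAMPLE='GroupMembership: root Apple HIDDEN_ADMIN'

# Gate the deletion: refuse unless the hidden admin is a confirmed member.
# Pass "$SAMPLE" as the line to exercise it offline; on a Mac, use is_admin.
safe_to_remove_original_admin() {
    line="$1"
    hidden="$2"
    if admin_members_contain "$line" "$hidden"; then
        echo "ok: $hidden is in the admin group; original admin can be removed"
        return 0
    fi
    echo "refusing: $hidden is NOT in the admin group; run"
    echo "  dscl . append /Groups/admin GroupMembership $hidden"
    return 1
}

safe_to_remove_original_admin "$SAMPLE" HIDDEN_ADMIN
```

On the Mac itself, replace the constructed `$SAMPLE` with the real line, e.g. `safe_to_remove_original_admin "$(dscl . -read /Groups/admin GroupMembership)" HIDDEN_ADMIN`, and only proceed with the `dscl . delete` commands when it reports ok.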

Hi there, thanks for the guide!

I just followed the steps but I've run into a problem. After executing the terminal commands to create the hidden user, it says:

"...and then use your hidden account username and password to remove your original Administrator account..."

This is not possible, because I can't log in with my hidden account. I think the hidden account is not an Admin (not a member of the admin group).
Is this a problem in the script?

Cheers :-)
