JABL76MBA

Q: System hacked - found terminal application open...

I opened up one of my OS X laptops today and found a terminal window randomly opened with a ping running in the background for over 12000 lines.

Running a command history list, this is what was output. I'm pretty sure I didn't run anything when it starts looking under my Library directory?

Can any of you piece together what they were trying to do, and whether they took anything -- more importantly, how can I secure my computer going forward?

I already have the Firewall and Stealth mode on, but this happened anyway??

 

Command History:

traceroute <my old website edited out>
traceroute 205.188.91.95
traceroute 121.122.194.9
sudo rm /usr/local/mysql
sudo rm -rf /usr/local/mysql*
sudo rm -rf /Library/StartupItems/MySQLCOM
sudo rm -rf /Library/PreferencePanes/My*
sudo rm -rf ~/Library/PreferencePanes/My*
sudo rm -rf /Library/Receipts/mysql*
sudo rm -rf /Library/Receipts/MySQL*
cd /
pico etc/hostconfig
pico etc/hostconfig
cd /etc
ls
ls -al
ls -al hostconfig
chmod 777 hostconfig
su
su
sudo chmod 777 hostconfig
pico hostconfig
sudo chmod 644 hostconfig
ls -al hostconfig
exit
cd /
ls
cd Library               <---  This is where I think the rogue commands/terminal started??
ls
cd Mail
cd /
ls
cd Users
ls
cd Lumaerinor
ls
cd Library
ls
cd Mail
ls
cd V2
ls
ls -al
du -sh *
ls -al
du -sh *
cd
ls
cd Library
cd Application Support
ls
cd "Application Support"
ls
cd iCal
ls
cd iCloud
ls
cd Accounts
ls
cd <my email address edited out>
ls -al
cd ..
ls
cd ..
ls
cd ..
ls
cd Calendars
ls
ls -al
du -sh *
exit
sudo apachectl stop
man kdc
cd ~/Library/Application Support/
ls
cd
cd ~/Library/
ls
cd "Application Support"
ls
cd Firefox
ls
cd Profiles
ls
cd ..
ls
cd ..
ls
cd Mozilla
ls
cd Extensions
ls
cd {*
ls
rm *
cd 2*
ls
rm *
cd ..
ls
cd 2*
ls
clear
ls
cd chrome
ls
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd /usr/lib/
ls
ls libimckit
ls libimckit*
ls libim*
exit
ls -al /var/log/*.out
cd /var/log
ls
ls *.out
cat daily.out
ls *.out
ls -al *.out
cd ~/
ls
cd Library/Safari/Extensions
ls
ls -al
cat Extensions.plist
pico Extensions.plist
cat Extensions.plist
exit                                             <-- This is where I closed the session immediately after I found it, then started scrolling commands backward and deleting ext?
cat Extensions.plist
ls libimckit*
ls libimckit* -al
ls libimckit* -a
ls libimckit* -r
ls *libimckit* -r
ls *libimckit* -R
ls *libimckit* -A
ls *libimckit* -a
ls -a
ls
cat Extensions.plist
ls -al
rm KeithyFun.safariextz          <--  I don't run any extensions in Safari at all, so I deleted these two
rm Searchme.safariextz
ls
ls -al
cd ..
ls
cd ..
ls
cd ..
ls
exit
finger
exit

MacBook Air (11-inch Mid 2011), OS X Yosemite (10.10)

Posted on Aug 12, 2015 1:36 PM
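A history dump like the one above is something a responder triages by hand; as an added example (not part of this thread), the Python below splits such a dump into sessions at each `exit`, strips the poster's `<--` annotations, and tags the commands worth reviewing first (privilege changes, deletes, world-writable chmods, startup-config edits, browser extension tampering, recon). The rule set is hypothetical and the sample history is a constructed excerpt modelled on the posted one.

```python
import re

# Hypothetical rule set for this example (not from the thread); tune it to the host being examined.
RULES = [
    ("priv-escalation", re.compile(r"^(sudo|su)\b")),
    ("destructive-delete", re.compile(r"\brm\s")),
    ("world-writable", re.compile(r"\bchmod\s+777\b")),
    ("startup-config-edit", re.compile(r"\b(pico|nano|vi)\s+\S*hostconfig\b")),
    ("browser-extension-dir", re.compile(r"Safari/Extensions|Mozilla/Extensions|Extensions\.plist|\.safariextz")),
    ("recon", re.compile(r"^(traceroute|finger|du\s|cat\s+daily\.out)")),
]

def strip_annotation(line):
    """Drop the poster's `<-- note` annotations and surrounding whitespace."""
    return re.split(r"\s*<-+", line, maxsplit=1)[0].strip()

def split_sessions(history):
    """Split a history dump into sessions, closing one at each `exit`."""
    sessions, current = [], []
    for cmd in filter(None, map(strip_annotation, history.splitlines())):
        if cmd == "exit":
            sessions.append(current)
            current = []
        else:
            current.append(cmd)
    return sessions + ([current] if current else [])

def flag(cmd):
    """Rule names that match one command; an empty list means nothing of note."""
    return [name for name, rx in RULES if rx.search(cmd)]

def triage(history):
    """Per session: total command count plus the flagged commands with their tags."""
    return [{"session": n, "commands": len(cmds),
             "flagged": [(c, flag(c)) for c in cmds if flag(c)]}
            for n, cmds in enumerate(split_sessions(history), start=1)]

# Constructed excerpt modelled on the posted history, not the full dump.
SAMPLE_HISTORY = """\
traceroute 205.188.91.95
sudo rm -rf /Library/StartupItems/MySQLCOM
chmod 777 hostconfig
su
pico hostconfig
exit
cd ~/Library/Safari/Extensions
rm KeithyFun.safariextz          <--  I don't run any extensions in Safari
finger
"""
```

Run `triage(SAMPLE_HISTORY)` to get two sessions with every command tagged; on the full dump the `cd`/`ls` noise drops out and the `chmod 777`, `rm *` and `.safariextz` lines stand out.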

Previous Page 2 of 3 last Next
  • Allan Eckert (Level 9, 53,732 points, Desktops), Aug 13, 2015 3:52 PM, in response to JABL76MBA

    How about post an EtreCheck report here?

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 4:05 PM, in response to Allan Eckert

    Sure, here it is:

    ---

    Problem description:
    Checking hacked system

    EtreCheck version: 2.4 (136)
    Report generated 8/13/15, 4:03 PM
    Download EtreCheck from http://etresoft.com/etrecheck

    Click the [Click for support] links for help with non-Apple products.
    Click the [Click for details] links for more information about that line.

    Hardware Information: (What does this mean?)
        MacBook Air (11-inch, Mid 2011) (Technical Specifications)
        MacBook Air - model: MacBookAir4,1
        1 1.6 GHz Intel Core i5 CPU: 2-core
        2 GB RAM Not upgradeable
            BANK 0/DIMM0
                1 GB DDR3 1333 MHz ok
            BANK 1/DIMM0
                1 GB DDR3 1333 MHz ok
        Bluetooth: Old - Handoff/Airdrop2 not supported
        Wireless:  en0: 802.11 a/b/g/n
        Battery: Health = Normal - Cycle count = 240 - SN = C0112470G77DKRTA1

    Video Information: (What does this mean?)
        Intel HD Graphics 3000 - VRAM: 288 MB
            Color LCD 1366 x 768

    System Software: (What does this mean?)
        OS X 10.10 (14A389) - Time since boot: about 41 days

    Disk Information: (What does this mean?)
        APPLE SSD SM064C disk0 : (60.67 GB) (Solid State - TRIM: Yes)
            EFI (disk0s1) <not mounted> : 210 MB
            Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB
            OSX - <EDITEDMYSYSTEMNAME> (disk1) /  [Startup]: 59.10 GB (497 MB free) (Low!)
                Core Storage: disk0s2 59.81 GB Online

    USB Information: (What does this mean?)
        Apple Inc. BRCM20702 Hub
            Apple Inc. Bluetooth USB Host Controller
        Apple Inc. Apple Internal Keyboard / Trackpad
        Apple Inc. FaceTime Camera (Built-in)

    Thunderbolt Information: (What does this mean?)
        Apple Inc. thunderbolt_bus

    Gatekeeper: (What does this mean?)
        Mac App Store and identified developers

    Startup Items: (What does this mean?)
        HP IO: Path: /Library/StartupItems/HP IO
        Startup items are obsolete in OS X Yosemite

    Problem System Launch Agents: (What does this mean?)
        [killed]    com.apple.CallHistoryPluginHelper.plist
        [killed]    com.apple.CallHistorySyncHelper.plist
        [killed]    com.apple.cmfsyncagent.plist
        [killed]    com.apple.coreservices.appleid.authentication.plist
        [killed]    com.apple.printtool.agent.plist
        [killed]    com.apple.scopedbookmarkagent.xpc.plist
        6 processes killed due to memory pressure

    Problem System Launch Daemons: (What does this mean?)
        [killed]    com.apple.ctkd.plist
        [killed]    com.apple.emond.aslmanager.plist
        [killed]    com.apple.findmymac.plist
        [killed]    com.apple.installd.plist
        [killed]    com.apple.nsurlsessiond.plist
        [killed]    com.apple.periodic-daily.plist
        [killed]    com.apple.periodic-monthly.plist
        [killed]    com.apple.periodic-weekly.plist
        [killed]    com.apple.softwareupdate_download_service.plist
        [killed]    com.apple.softwareupdated.plist
        [killed]    com.apple.tccd.system.plist
        [killed]    com.apple.wdhelper.plist
        12 processes killed due to memory pressure

    Launch Daemons: (What does this mean?)
        [loaded]    com.adobe.fpsaud.plist [Click for support]

    User Launch Agents: (What does this mean?)
        [loaded]    com.bittorrent.BitTorrent.plist [Click for support]
        [running]    com.iobit.MacBoosterMini.plist [Click for support]

    User Login Items: (What does this mean?)
        RealPlayer Cloud    Application  (/Applications/RealPlayer Cloud.app)
        iTunesHelper    Application Hidden (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)
        BitTorrent    Application  (/Applications/BitTorrent.app)
        HPEventHandler    UNKNOWN  (missing value)
        HP Scheduler    Application  (/Library/Application Support/Hewlett-Packard/Software Update/HP Scheduler.app)

    Internet Plug-ins: (What does this mean?)
        Flip4Mac WMV Plugin: Version: 3.2.0.16   - SDK 10.8 [Click for support]
        FlashPlayer-10.6: Version: 18.0.0.232 - SDK 10.6 [Click for support]
        QuickTime Plugin: Version: 7.7.3
        Flash Player: Version: 18.0.0.232 - SDK 10.6 [Click for support]
        Default Browser: Version: 600 - SDK 10.10
        Silverlight: Version: 5.1.30514.0 - SDK 10.6 [Click for support]
        JavaAppletPlugin: Version: 15.0.0 - SDK 10.10 Check version

    User internet Plug-ins: (What does this mean?)
        WebEx64: Version: 1.0 - SDK 10.6 [Click for support]

    3rd Party Preference Panes: (What does this mean?)
        Flash Player  [Click for support]
        Flip4Mac WMV  [Click for support]

    Time Machine: (What does this mean?)
        Time Machine not configured!

    Top Processes by CPU: (What does this mean?)
            11%    com.apple.WebKit.WebContent(21)
             9%    WindowServer
             6%    com.apple.preferences.sharing.remoteservice
             6%    com.apple.WebKit.Plugin.64(2)
             3%    hidd

    Top Processes by Memory: (What does this mean?)
        412 MB    kernel_task
        266 MB    com.apple.WebKit.WebContent(21)
        37 MB    WindowServer
        27 MB    firefox
        27 MB    VTDecoderXPCService(4)

    Virtual Memory Information: (What does this mean?)
        74 MB    Free RAM
        1.93 GB    Used RAM (174 MB Cached)
        2.61 GB    Swap Used

    Diagnostics Information: (What does this mean?)
        Aug 11, 2015, 03:18:57 PM    ~/Library/Logs/DiagnosticReports/com.apple.WebKit.Plugin.64_2015-08-11-151857_[ redacted].crash

  • Allan Eckert (Level 9, 53,732 points, Desktops), Aug 13, 2015 4:32 PM, in response to JABL76MBA

    497 MB of free disk space is nowhere near enough to safely run OS X. You need to start doing some serious work of moving or deleting files to free up space. Back up first.

    While 2 GB is the minimum to install Yosemite, all it can do is run Yosemite. In order to do anything on that Mac you need more RAM. Since RAM is not upgradable on that Mac, it should be replaced with one that can have a larger amount of RAM installed.

    As a workaround for the lack of RAM, I suggest you reboot the Mac daily. Certainly, whatever you do, don't allow it to run for 40-some-odd days without rebooting.

    I also suggest that you get rid of BitTorrent. This could be the source of many of your problems that are not caused by insufficient RAM and free disk space.

    When you get the external disk drive to move files to, get a second one so that you can implement Time Machine.

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 4:28 PM, in response to Allan Eckert

    I had 2GB free but am not sure if it was filled up at the same time the intruder transferred over KeithyFun, since I don't use extensions.

    Yosemite runs fine as far as I'm concerned; this isn't my performance box, just my travel/work box.

  • Allan Eckert (Level 9, 53,732 points, Desktops), Aug 13, 2015 4:35 PM, in response to JABL76MBA

    2 GB is not much better. You need like 5 or 6 times that much free for OS X to run properly.

    I suspect your intruder is entering your Mac via BitTorrent. Uninstall it and see if your Mac runs better.

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 4:40 PM, in response to Allan Eckert

    Well, here's the thing, just uninstalled it, but that doesn't necessarily patch the system right? Unless the person only gets in while the app is open. I removed the startup tool it installed also, didn't know it did that.

  • OSX Enthusiast (Level 2, 176 points), Aug 13, 2015 5:53 PM, in response to JABL76MBA

    Do you have Remote Login enabled? Try disabling it in the Sharing section of the System Preferences.

  • John Galt (Level 8, 49,576 points, Mac OS X), Aug 13, 2015 6:07 PM, in response to JABL76MBA

    JABL76MBA wrote:
        Well, here's the thing, just uninstalled it, but that doesn't necessarily patch the system right?

    Right.

    Having hosted a torrent client, that Mac is a candidate for an erase and reinstall. To erase and install Yosemite read: OS X Yosemite: Erase and reinstall OS X. EtreCheck was not designed to detect what may be causing this.

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 6:19 PM, in response to OSX Enthusiast

    No, no remote login, only file sharing, but that is blocked by default by Firewall/Stealth mode being enabled.

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 6:21 PM, in response to John Galt

    Yeah, I thought so, already planning to do that this weekend.
    Is the full erase necessary though, or will simply reinstalling OS X do it?

    Thanks!

  • Drew Reece (Level 5, 7,669 points, Notebooks), Aug 13, 2015 6:23 PM, in response to JABL76MBA

    You use iCloud? Do you have Back To My Mac enabled?
    Have you had any new notifications from Apple about access to your account?

    I would review your Apple ID settings & any other online accounts. Apple's 2-step authentication will notify you of new access if you have the settings enabled; I'm not sure if you can enable it without 2-step enabled.

    It seems odd to me that an attacker would read the kdc manual during their attack?

    I'm not sure about iObit's MacBooster. I don't trust apps that 'clean memory'.

    Does anyone else know what this process is…
             6%    com.apple.preferences.sharing.remoteservice
    It seems like it is part of the remote access prefs pane?

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 6:29 PM, in response to Drew Reece

    Thanks for your reply -- yes, I use iCloud and 2-factor already. No, I never use Back to My Mac, but I do use/enable Find my iPhone/Apple Device in case it's stolen.

    Oh, and no, I don't have remote anything enabled. I never do that.

    No new notifications about access points. Only thing vulnerable was my Steam account, where someone tried to access it almost two weeks ago. At the time I thought it was an isolated incident related to the password exposure they have. Now I'm not sure if these two incidents are related.

    Yeah, deleted MacBooster when I deleted Torrent, as they both were installed together even if I never used the boost. Ironically, it wouldn't let me delete unless I upgraded the software, so I deleted it manually. Am leaning toward thinking that the torrent probably was the cause based on that behavior.

  • Drew Reece (Level 5, 7,669 points, Notebooks), Aug 13, 2015 6:34 PM, in response to Drew Reece

    Are you really running 10.10? You haven't applied any OS updates to this Mac at all?

    There may be known issues with 10.10 that could be used to gain access.

    Back up, erase, reinstall, apply all updates, then think about moving the important files back would be my approach. It's not clear what has occurred here, but it seems suspicious to me.

  • JABL76MBA (Level 1, 0 points), Aug 13, 2015 6:36 PM, in response to Drew Reece

    No, I've installed a security patch or two I think, but it doesn't show that under System Information when I pulled it. Not sure why not...

    I'm leery of opening a file server on my network to transfer files to backup in case they installed a keylogger, which is the only reason why I'd rather just reinstall vs erase and reinstall.

  • John Galt (Level 8, 49,576 points, Mac OS X), Aug 13, 2015 6:43 PM, in response to JABL76MBA

        ... or will simply reinstalling OS X do it?

    No. Apple has always taken a very conservative approach to "reinstallation" in that it does not remove system-altering components. In this case it will almost certainly be a waste of time.

    The first thing to do is to back up your existing system, as stated in that Support document: "Before you erase, back up your essential files."
