Q: System hacked - found terminal application open...
I opened up one of my OS X laptops today and found a terminal window randomly opened with a ping running in the background for over 12000 lines.
Running a command history list, this is what was output. I'm pretty sure I didn't run anything when it starts looking under my Library directory?
Can any of you piece together what they were trying to do, and whether they took anything -- more importantly how can I secure my computer going forward?
I already have Firewalls and Stealth mode on, but this happened anyway??
Command History:
traceroute <my old website edited out>
traceroute 205.188.91.95
traceroute 121.122.194.9
sudo rm /usr/local/mysql
sudo rm -rf /usr/local/mysql*
sudo rm -rf /Library/StartupItems/MySQLCOM
sudo rm -rf /Library/PreferencePanes/My*
sudo rm -rf ~/Library/PreferencePanes/My*
sudo rm -rf /Library/Receipts/mysql*
sudo rm -rf /Library/Receipts/MySQL*
cd /
pico etc/hostconfig
pico etc/hostconfig
cd /etc
ls
ls -al
ls -al hostconfig
chmod 777 hostconfig
su
su
sudo chmod 777 hostconfig
pico hostconfig
sudo chmod 644 hostconfig
ls -al hostconfig
exit
cd /
ls
cd Library <--- This is where I think the rogue commands/terminal started??
ls
cd Mail
cd /
ls
cd Users
ls
cd Lumaerinor
ls
cd Library
ls
cd Mail
ls
cd V2
ls
ls -al
du -sh *
ls -al
du -sh *
cd
ls
cd Library
cd Application Support
ls
cd "Application Support"
ls
cd iCal
ls
cd iCloud
ls
cd Accounts
ls
cd <my email address edited out>
ls -al
cd ..
ls
cd ..
ls
cd ..
ls
cd Calendars
ls
ls -al
du -sh *
exit
sudo apachectl stop
man kdc
cd ~/Library/Application Support/
ls
cd
cd ~/Library/
ls
cd "Application Support"
ls
cd Firefox
ls
cd Profiles
ls
cd ..
ls
cd ..
ls
cd Mozilla
ls
cd Extensions
ls
cd {*
ls
rm *
cd 2*
ls
rm *
cd ..
ls
cd 2*
ls
clear
ls
cd chrome
ls
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd /usr/lib/
ls
ls libimckit
ls libimckit*
ls libim*
exit
ls -al /var/log/*.out
cd /var/log
ls
ls *.out
cat daily.out
ls *.out
ls -al *.out
cd ~/
ls
cd Library/Safari/Extensions
ls
ls -al
cat Extensions.plist
pico Extensions.plist
cat Extensions.plist
exit <-- This is where I closed the session immediately after I found it then started scrolling commands backward and deleting ext?
cat Extensions.plist
ls libimckit*
ls libimckit* -al
ls libimckit* -a
ls libimckit* -r
ls *libimckit* -r
ls *libimckit* -R
ls *libimckit* -A
ls *libimckit* -a
ls -a
ls
cat Extensions.plist
ls -al
rm KeithyFun.safariextz <-- I don't run any extensions in safari at all so I deleted these two
rm Searchme.safariextz
ls
ls -al
cd ..
ls
cd ..
ls
cd ..
ls
exit
finger
exit
MacBook Air (11-inch Mid 2011), OS X Yosemite (10.10)
Posted on Aug 12, 2015 1:36 PM