JABL76MBA

Q: System hacked - found terminal application open...

I opened up one of my OS X laptops today and found a terminal window randomly opened with a ping running in the background for over 12000 lines.

 

Running a command history list, this is what was output. I'm pretty sure I didn't run anything from the point where it starts looking under my Library directory?

Can any of you piece together what they were trying to do, and whether they took anything -- more importantly how can I secure my computer going forward?

I already have the firewall and stealth mode on, but this happened anyway?

 

Command History:

traceroute <my old website edited out>

traceroute 205.188.91.95

traceroute 121.122.194.9

sudo rm /usr/local/mysql

sudo rm -rf /usr/local/mysql*

sudo rm -rf /Library/StartupItems/MySQLCOM

sudo rm -rf /Library/PreferencePanes/My*

sudo rm -rf ~/Library/PreferencePanes/My*

sudo rm -rf /Library/Receipts/mysql*

sudo rm -rf /Library/Receipts/MySQL*

cd /

pico etc/hostconfig

pico etc/hostconfig

cd /etc

ls

ls -al

ls -al hostconfig

chmod 777 hostconfig

su

su

sudo chmod 777 hostconfig

pico hostconfig

sudo chmod 644 hostconfig

ls -al hostconfig

exit

cd /

ls

cd Library               <---  This is where I think the rogue commands/terminal started??

ls

cd Mail

cd /

ls

cd Users

ls

cd Lumaerinor

ls

cd Library

ls

cd Mail

ls

cd V2

ls

ls -al

du -sh *

ls -al

du -sh *

cd

ls

cd Library

cd Application Support

ls

cd "Application Support"

ls

cd iCal

ls

cd iCloud

ls

cd Accounts

ls

cd <my email address edited out>

ls -al

cd ..

ls

cd ..

ls

cd ..

ls

cd Calendars

ls

ls -al

du -sh *

exit

sudo apachectl stop

man kdc

cd ~/Library/Application Support/

ls

cd

cd ~/Library/

ls

cd "Application Support"

ls

cd Firefox

ls

cd Profiles

ls

cd ..

ls

cd ..

ls

cd Mozilla

ls

cd Extensions

ls

cd {*

ls

rm *

cd 2*

ls

rm *

cd ..

ls

cd 2*

ls

clear

ls

cd chrome

ls

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd /usr/lib/

ls

ls libimckit

ls libimckit*

ls libim*

exit

ls -al /var/log/*.out

cd /var/log

ls

ls *.out

cat daily.out

ls *.out

ls -al *.out

cd ~/

ls

cd Library/Safari/Extensions

ls

ls -al

cat Extensions.plist

pico Extensions.plist

cat Extensions.plist

exit                                             <-- This is where I closed the session immediately after I found it, then started scrolling back through the commands and deleting extensions?

cat Extensions.plist

ls libimckit*

ls libimckit* -al

ls libimckit* -a

ls libimckit* -r

ls *libimckit* -r

ls *libimckit* -R

ls *libimckit* -A

ls *libimckit* -a

ls -a

ls

cat Extensions.plist

ls -al

rm KeithyFun.safariextz          <--  I don't run any extensions in Safari at all, so I deleted these two

rm Searchme.safariextz

ls

ls -al

cd ..

ls

cd ..

ls

cd ..

ls

exit

finger

exit

MacBook Air (11-inch Mid 2011), OS X Yosemite (10.10)

Posted on Aug 12, 2015 1:36 PM
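An added example, not part of the original post: a small POSIX sh triage script that reads a history dump like the one above and lists only the lines worth a second look (privilege escalation, deletions, permission changes, and commands that touch extension or startup directories), so they are not buried in the `ls`/`cd` noise. The SAMPLE_HISTORY string is a constructed subset of the commands pasted above; the tag names, and the choice to treat `~/Library/Safari/Extensions` and `/Library/StartupItems` as persistence locations, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: triage a shell history dump
# for commands that escalate privilege, delete files, loosen permissions, or
# touch extension/startup directories, so the entries worth a closer look are
# listed together instead of buried in 'ls' and 'cd' noise.

# Constructed sample: a subset of the history pasted in the question, one
# command per line, in the order it appeared.
SAMPLE_HISTORY='traceroute 205.188.91.95
sudo rm -rf /Library/StartupItems/MySQLCOM
chmod 777 hostconfig
sudo chmod 777 hostconfig
sudo chmod 644 hostconfig
cd ~/Library/Safari/Extensions
rm *
rm KeithyFun.safariextz
ls -al'

# classify_cmd CMD: print a tag for one history line, or "ok" if it is benign.
# Order matters: the first matching pattern wins, so "sudo rm -rf" is
# reported as destructive rather than merely privileged.
classify_cmd() {
    case "$1" in
        *"rm -rf"*|"rm *"|*" rm *")       echo destructive ;;
        "rm "*|"sudo rm "*)               echo delete ;;
        *"chmod 777"*)                    echo world-writable ;;
        "sudo "*|su|"su "*)               echo privileged ;;
        *Extensions*|*StartupItems*|*LaunchAgents*|*LaunchDaemons*)
                                          echo persistence ;;
        *)                                echo ok ;;
    esac
}

# triage_history: read history lines on stdin and print "tag<TAB>command"
# for every line that is not "ok", preserving the original order.
triage_history() {
    while IFS= read -r line; do
        tag=$(classify_cmd "$line")
        [ "$tag" = ok ] || printf '%s\t%s\n' "$tag" "$line"
    done
}

# flagged_count: number of flagged lines in the history read from stdin.
flagged_count() {
    triage_history | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_HISTORY" | triage_history
```

On the affected Mac the same function can be fed the saved history directly (`triage_history < ~/.bash_history`, assuming the default bash shell of OS X 10.10). Two caveats a bash history cannot answer: it carries no timestamps unless HISTTIMEFORMAT was set beforehand, and it does not record who typed a command, so it can show what ran in that shell but not when, or whether it was typed locally or over a remote session.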


  • by Drew Reece, Level 5 (7,669 points), Aug 13, 2015 6:50 PM in response to JABL76MBA

    A reinstall will not remove any modifications. For your purpose it is pointless. You need to reset the Mac back to a clean state; reinstalling only restores the system files, and everything else will remain the same.

     

    If you are concerned about keyloggers, reboot into recovery mode & use Disk Utility to clone the Mac (the restore tab will clone from one disk to another). Use an external disk.

     

    It seems unlikely that the recovery partition is modified, but it is a slim possibility. You can try using internet recovery if you do not trust your internal recovery partition: hold cmd+alt+r at startup for internet recovery.

     

    Apple menu (hold alt), select System Information.

    See what OS X version you have under software.

    Also see what installations are listed, there should be several 'OS X updates' listed & many 'Security updates' too.

     

     

    Another point I forgot to mention: the length of your wifi password is irrelevant if you use poor security protocols. Do you know if it is using WEP, WPA or WPA2?
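An added example, not from the original thread, illustrating the point above that a reinstall leaves everything outside the system files in place: a POSIX sh script that enumerates the standard OS X persistence locations (launchd agents and daemons, StartupItems, PreferencePanes, Safari and Firefox extension directories) under a given root, so it can be run against "/" or against a clone mounted under /Volumes. The directory list is the usual set for OS X 10.10; treating it as the first place to look is this example's assumption, and the file names in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: enumerate the OS X locations
# where third-party code and extensions persist across an OS reinstall, so
# they can be reviewed (or compared against a known-good machine) before
# deciding whether a full wipe is needed. Takes a root directory, so it can
# be pointed at a mounted clone as well as at "/".
#
# The directory list is the standard set of launchd, StartupItems,
# PreferencePane and browser-extension paths on OS X 10.10; treating them as
# the places to check first is this example's assumption, not a finding.

# System-wide locations, relative to the root.
PERSIST_DIRS='Library/LaunchAgents
Library/LaunchDaemons
Library/StartupItems
Library/PreferencePanes'

# Per-user locations, relative to each home directory under ROOT/Users.
USER_PERSIST_DIRS='Library/LaunchAgents
Library/Safari/Extensions
Library/Application Support/Mozilla/Extensions'

# list_files_under BASE DIRLIST: print every regular file below BASE/<dir>
# for each newline-separated <dir> in DIRLIST; missing directories are skipped.
list_files_under() {
    base=$1
    printf '%s\n' "$2" | while IFS= read -r d; do
        if [ -d "$base/$d" ]; then
            find "$base/$d" -type f
        fi
    done
}

# list_persistence ROOT: print one absolute path per persisted file, system
# locations first, then each user's. ROOT defaults to "/"; a trailing slash
# is stripped so "/" and "/Volumes/Clone/" both produce clean paths.
list_persistence() {
    root=${1:-/}
    root=${root%/}
    list_files_under "$root" "$PERSIST_DIRS"
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        list_files_under "$home" "$USER_PERSIST_DIRS"
    done
}

# persistence_count ROOT: number of files list_persistence would report.
persistence_count() {
    list_persistence "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report for the live system, or for the root given as $1.
list_persistence "${1:-/}"
```

Run it once on the suspect machine and once on the clone (for example `sh persist.sh /Volumes/Clone`), then compare the two lists with `diff`; anything in /Library/LaunchDaemons or /Library/StartupItems that you did not install yourself deserves the same scrutiny as the Safari extensions found above, because none of it is touched by a reinstall that only restores system files.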

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 6:53 PM in response to John Galt

    Gotcha, thanks. I just assumed Apple overwrote all OS files and settings to their default locked-down state. Noted for the future!

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 6:54 PM in response to Drew Reece

    I use WPA2 with a 32-64 character key/password. I highly doubt they broke in through my wifi...

     

    That other info is very useful; I will use that this weekend, thanks!

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 6:57 PM in response to Drew Reece

    Oh, here is my version info.

     

    System Version: OS X 10.10.4 (14E46)

    Kernel Version: Darwin 14.4.0
