Have I been hacked?

Hey there!


Just trying to get a little help over here. This morning I was reading the news through my web browser when a .zip file (2018-2019.zip) automatically downloaded to my Mac. I was stupid enough to open it. Then, without any interaction on my side, it seems that an NFS volume was mounted.



Luckily, I have Little Snitch installed on my laptop, which warned me about some processes trying to connect to the Internet:


automountd
macOS Kernel
sharedfilelistd
Finder


They were all trying to connect to port 111 at nfsdelivery.duckdns.org, which resolves to the IP address 79.154.153.156. The only one that had no code signature was macOS Kernel, owned by root.



Do I have to worry? I don't know if it's normal that a downloaded file without superuser permissions has access to all those system processes and told them to connect to the Internet. I got in touch with Apple support, and everything seems to work well for them. They advised me to just delete the file. Should I escalate this issue to someone else at Apple?


PS. I'm running macOS 10.14.5 on a mid-2012 MacBook Air.

Posted on Jun 12, 2019 2:26 AM


Jun 12, 2019 2:36 AM in response to carlosperez8

I passed the file through VirusTotal, and no engine detects anything. This is where the .zip file downloads from. Please be aware!


https://github-production-release-asset-2e65be.s3.amazonaws.com/190018063/a77f2600-898e-11e9-9605-02bbb997091f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190612%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190612T083616Z&X-Amz-Expires=300&X-Amz-Signature=1c1fd009d89dcfa83de32ddbc123fde99bbbbd6ccafb6aab0c25d6e4845a9992&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3D2018-2019.zip&response-content-type=application%2Foctet-stream

Jun 13, 2019 7:21 AM in response to carlosperez8

As a reference, we have an open thread with this very same case under:

https://forums.tomsguide.com/threads/safari-downloads-random-zip-file.452077/


Also the root cause seems to be this vulnerability plus some injected code in websites:

https://9to5mac.com/2019/05/25/macos-gatekeeper-vulnerability/

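Added example, not part of the thread: a way to look inside a downloaded .zip without opening it, assuming (per the public description of the Gatekeeper issue linked above) that such an archive carries a symbolic link into an automounted path such as `/net/<host>/...`. The function names, the `/net/` prefix list and the sample archive with its placeholder host are constructed for illustration.

```python
import io
import stat
import zipfile

# Assumption: /net/ is served by the macOS automounter, so touching a path under it
# can trigger an NFS mount (automountd contacting port 111 on the named host).
AUTOMOUNT_PREFIXES = ("/net/",)
MAX_LINK_LEN = 4096  # a symlink target is a short path; refuse to read anything larger


def find_suspicious_links(zip_bytes):
    """Return (entry, target, reason) for risky symlink entries, without extracting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix mode is stored in the high 16 bits
            if not stat.S_ISLNK(mode):
                continue
            if info.file_size > MAX_LINK_LEN:
                findings.append((info.filename, "", "oversized link entry"))
                continue
            # For a symlink entry, the stored "file data" is the link target.
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(AUTOMOUNT_PREFIXES):
                findings.append((info.filename, target, "automount path"))
            elif target.startswith("/") or ".." in target.split("/"):
                findings.append((info.filename, target, "points outside the archive"))
    return findings


def constructed_sample():
    """Constructed archive: a regular file, a harmless relative link, a /net/ link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in (("notes", "docs/notes.txt"),
                             ("Documents", "/net/nfs.example.invalid/share")):
            link = zipfile.ZipInfo(name)
            link.create_system = 3  # Unix, so external_attr carries a file mode
            link.external_attr = (stat.S_IFLNK | 0o755) << 16
            zf.writestr(link, target)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, target, reason in find_suspicious_links(constructed_sample()):
        print(f"{entry} -> {target} ({reason})")
```

To check a real download, pass the file's bytes read in binary mode instead of the constructed sample; nothing is extracted or followed.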
