
Disk permissions repair but immediately change back, why?

Yesterday I was trying to find an old news article by using a search engine. I clicked a website from the returned list which had the information highlighted that I was looking for. Seconds after visiting the website, the address changed and I was brought to another website which made Safari stop responding, so I used force quit. Moments later, I began noticing other applications were not functioning properly. I went to check my disk permissions and several had been changed. I repaired them, and it states they are "repaired" but after running the verify again it reports that the same permissions which were just repaired have been altered. When using a guest account, everything works fine, but I'm worried something serious has been done to my administrator account. I want to reformat, but I am currently working in Japan and I foolishly left my Snow Leopard disc back in the U.S. If anyone has any suggestions or insight to what may be the problem, it would be greatly appreciated. Thank you.

MacBook Pro (13-inch Mid 2010), Mac OS X (10.6.8)

Posted on Mar 8, 2012 11:22 PM


Mar 8, 2012 11:33 PM in response to Dchan86

Greetings,


There are a variety of permissions errors that will not be fixed by Disk Utility as they are considered "normal". If that's what you are seeing then don't be alarmed: http://support.apple.com/kb/TS1448


Force quitting doesn't make the computer happy although it can be necessary at times.

SafeBoot your computer and then restart again to take yourself out of SafeBoot (this will repair the drive and dump some caches for you): http://support.apple.com/kb/HT1455


If things are still acting strangely, please describe exactly what programs are not working and how they are not working.


Hope that helps.

Mar 9, 2012 12:05 AM in response to Dchan86

What you are describing (failing browser and other instabilities) may (repeat may) be the "Flashback" trojan. In Terminal copy and paste the following line and hit return:


defaults read ~/.MacOSX/environment


Post the results. If you see a line that specifies DYLD_INSERT_LIBRARIES then you probably do have the trojan.


Some recent articles on this are as follows. But this trojan is changing now almost weekly so this info is already slightly out of date, but at least it will give you some orientation:


Beware the Morphing Flashback Malware


Intego finds new, insidious strain of Mac Flashback Trojan horse


Here's a google search on flashback within just these apple discussions. Sample some of the more recent ones.


Note, while there are a bunch of files installed with this trojan (as mentioned in those two articles I linked to above), it is believed (hoped) that all of it is dependent on that .MacOSX/environment file in your home directory. That is why you saw a stable system when you logged into another account. The initial fix would be to remove that file. But don't do anything yet. Post whether that defaults command shows anything other than a "does not exist" error message.


Intego (makers of VirusBarrier) are the ones closely tracking this trojan. See their blog for the current info on Flashback and its various strains.

Mar 9, 2012 1:41 AM in response to Dchan86

Both MadisonP and X423424X are correct.


If the repair permissions procedure has completed successfully, you may ignore those messages, which will be repeated each time and do not indicate any problem.


The issues you noticed with Safari and possibly other apps are not related to permissions. You may have been infected by this latest Trojan Horse. I rather doubt it, but there is a possibility. Unfortunately, X423424X was wrong on one point -- it appears that the latest mutation no longer requires that specific file.


Copy the script below in a new document in AppleScript Editor and run it. It will place the results on the clipboard; paste them in your reply. They should show if you do have this malware or not.


--script begins
property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version"}

on run
    set myClip to ""
    -- run each command in turn, collecting its output (or its error) into myClip
    repeat with i in theItems
        try
            do shell script i
            set myClip to myClip & result & return & return
        on error errText
            set myClip to myClip & i & " -- " & errText & return & return
            set myClip to result
        end try
    end repeat
    set the clipboard to myClip
end run
--script ends


(If you're not afraid of Terminal, you can run the commands listed above in theItems property yourself.)

Mar 9, 2012 2:29 AM in response to fane_j

fane_j wrote:


Unfortunately, X423424X was wrong on one point -- it appears that the latest mutation no longer requires that specific file.

And I did verify with Intego that no other files associated with the "G" version are installed. I suppose that doesn't preclude files such as the log from being produced later on, but they are minor players in any case.

"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*"

The one issue I have with that is that Intego speculates "these file names may change" which I'm sure you will recall from the "G" version.


Have you confirmed the "N" infection with any user? I found one more infected with "G" tonight, but that's it.

Mar 9, 2012 3:16 AM in response to MadMacs0

I'm glad someone is tracking this crap. So with the target moving apparently on a weekly basis I wish I knew the proper generic wording for a response when this subject comes up in a thread. In other words what do we tell these people without panicking them too much?


What's been happening so far is on a thread-by-thread basis. A reply is made about flashback and what to do about it (apparently somewhat out of date in this thread by me) and then a bunch of followups are posted in the thread about what to do "today" for that user to try to fix the problem. And then we go through this all over again when another thread implies the same problem.


It would be great if we could refer to some central place where the current info is documented. The intego blog IMO is not the place for most users.

Mar 9, 2012 3:34 AM in response to Dchan86

Seconds after visiting the website, the address changed and I was brought to another website which made safari stop responding,


Hi


Your ISP is redirecting your browser.


Use OpenDNS for better speed, more security, it's free, and no more redirects.


Open System Preferences then select the Network tab. Click the Advanced tab then click the DNS tab.


Click +


Enter these addresses exactly as you see them here.


208.67.222.222


Click +


208.67.220.220


Then click OK and restart your Mac.


More about OpenDNS here > Topic : Manually provided DNS server addresses are higher priority than DHCP's


This issue is unrelated to disk permissions.


When you click Repair Permissions, when it's done, if you see: Permissions Repair Complete (or Permissions verification complete). That's good... These aren't "errors" you are seeing, just messages by developers, and they have nothing to do with the browser issues you are experiencing.



other applications were not functioning properly.


How much free space on the startup disk?


Right or control click the Macintosh HD icon. Click Get Info. In the Get Info window you will see Capacity and Available. Make sure there's a minimum of 15% free disk space.


You can do a live verification of the startup disk but if it needs repairing, you will need your install disc.


Launch Disk Utility located in /Applications/Utilities


Select the startup disk on the left then select the First Aid tab.


Click: Verify Disk (not Verify Disk Permissions)


If Disk Utility reports problems, when you have access to your install disc follow the instructions for Using Disk Utility to verify or repair disks


Mar 9, 2012 4:08 AM in response to MadMacs0

MadMacs0 wrote:


The one issue I have with that is that Intego speculates "these file names may change" which I'm sure you will recall from the "G" version.

Yes, but what's the alternative? For lack of something better, we can use a list of files for diagnosis -- even one match confirms it; but for the cure, that's a completely different matter. Unless the malware is well understood and not evolving any more, reliance on a list of files is dangerous, because even one miss may be one miss too many.

Have you confirmed the "N" infection with any user? I found one more infected with "G" tonight, but that's it.

No, but I haven't been tracking this thing as closely as you have.

Mar 9, 2012 2:24 PM in response to fane_j

fane_j wrote:


MadMacs0 wrote:


The one issue I have with that is that Intego speculates "these file names may change" which I'm sure you will recall from the "G" version.

Yes, but what's the alternative? For lack of something better, we can use a list of files for diagnosis -- even one match confirms it; but for the cure, that's a completely different matter. Unless the malware is well understood and not evolving any more, reliance on a list of files is dangerous, because even one miss may be one miss too many.

Certainly agree with that. I have been searching for an alternative since the article came out. Since there are no normally hidden files in that directory, I thought looking for anything hidden there as being a clue, but I can't find a command that shows me only the hidden files in /Applications/Safari.app/Contents/Resources/. I keep getting more than I ask for.

Have you confirmed the "N" infection with any user? I found one more infected with "G" tonight, but that's it.

No, but I haven't been tracking this thing as closely as you have.

Actually, I don't feel that I am tracking this one at all. Could be that Intego made the whole thing up (doubtful) or that nobody has been infected as they have all turned Java off (slim chance of that). But I think the worst case is that the bad guys solved all the problems with the symptoms (alphanumeric menus, crashing Safari/Skype, etc.) and we have folks out there with no clue their IDs have been compromised. Guess we'll find out in a week or so when money starts disappearing.


One last comment on your script. When I run it, it fails to give me the results of the "java -version" command. When I use the Terminal command:


defaults read ~/.MacOSX/environment | ls -al /Applications/Safari.app/Contents/Resources/*COAA* | java -version


that works fine. Can't figure out why, but I'm just a hack when it comes to AppleScript.

Mar 9, 2012 4:31 PM in response to MadMacs0

MadMacs0 wrote:


One last comment on your script. When I run it, it fails to give me the results of the "java -version" command.

My mistake. Many thanks for pointing it out.


Java's output needs to be re-directed to be caught by AppleScript.


java -version


will work in Terminal but not in an AS script, while


java -version 2>&1


will work in the script, though not in Terminal


So the correct script is


--script begins
property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version 2>&1"}

on run
    set myClip to ""
    -- run each command in turn, collecting its output (or its error) into myClip
    repeat with i in theItems
        try
            do shell script i
            set myClip to myClip & result & return & return
        on error errText
            set myClip to myClip & i & " -- " & errText & return & return
            set myClip to result
        end try
    end repeat
    set the clipboard to myClip
end run
--script ends


To run the commands in Terminal, do


defaults read ~/.MacOSX/environment;ls -al /Applications/Safari.app/Contents/Resources/*COAA*;java -version


The reason I didn't use this in the script is to make it easier to add new commands -- just add each one as a new item in theItems list.

I can't find a command that shows me only the hidden files in /Applications/Safari.app/Contents/Resources/

Either of


ls -a /Applications/Safari.app/Contents/Resources/ | grep "^\."

find /Applications/Safari.app/Contents/Resources/ -name "\.*" -depth 1


should work.
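An added example, not code from this thread or from any of its posters, that automates the two checks discussed above (the DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist, and the listing of hidden files in Safari's Resources folder that MadMacs0 asked for) using Python's standard plistlib. The plist content reuses the value the original poster reports further down the thread, the hidden file name is a constructed sample, and both checks run against throwaway temp directories rather than the real paths.

```python
import os
import plistlib
import tempfile

# Constructed sample of ~/.MacOSX/environment.plist, using the value the original
# poster reports further down the thread; it was not captured from a real machine.
SAMPLE_ENVIRONMENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/Shared/.libgmalloc.dylib</string>
</dict>
</plist>
"""

def check_environment_plist(path):
    """Findings for an environment.plist; [] means clean. A missing file is the
    normal state (the 'does not exist' error from `defaults read` in the thread)."""
    if not os.path.exists(path):
        return []
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    findings = []
    lib = data.get("DYLD_INSERT_LIBRARIES")
    if lib:
        findings.append("DYLD_INSERT_LIBRARIES set: %s" % lib)
        if os.path.basename(lib).startswith("."):
            findings.append("injected library is a hidden (dot) file")
        if lib.startswith("/Users/Shared/"):
            findings.append("injected library lives in the world-writable /Users/Shared")
    return findings

def hidden_entries(directory):
    """Dot-files directly inside directory (the listing MadMacs0 asked for)."""
    if not os.path.isdir(directory):
        return []
    return sorted(n for n in os.listdir(directory) if n.startswith("."))

def demo():
    """Run both checks against a throwaway home directory built in a temp dir."""
    with tempfile.TemporaryDirectory() as home:
        macosx = os.path.join(home, ".MacOSX")
        os.makedirs(macosx)
        plist_path = os.path.join(macosx, "environment.plist")
        with open(plist_path, "wb") as fh:
            fh.write(SAMPLE_ENVIRONMENT_PLIST)
        resources = os.path.join(home, "Resources")  # stands in for Safari's Resources folder
        os.makedirs(resources)
        for name in ("Safari.icns", ".hidden_payload"):  # dot-file name is constructed, not a known IoC
            open(os.path.join(resources, name), "w").close()
        return check_environment_plist(plist_path), hidden_entries(resources)
```

On a real 10.6 machine you would point check_environment_plist at os.path.expanduser("~/.MacOSX/environment.plist") and hidden_entries at /Applications/Safari.app/Contents/Resources; any non-empty result is worth posting for review before deleting anything.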

Mar 11, 2012 7:22 AM in response to fane_j

Thank you everyone for the suggestions. I was away at a wedding this weekend, sorry I couldn't reply sooner. After reading all the suggestions, I was slightly overwhelmed as to what to do first. I ran the final posted script and here are the results.


tell current application

do shell script "defaults read ~/.MacOSX/environment"

--> "{

\"DYLD_INSERT_LIBRARIES\" = \"/Users/Shared/.libgmalloc.dylib\";

}"

do shell script "ls -al /Applications/Safari.app/Contents/Resources/*COAA*"

--> error "ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory" number 1

do shell script "java -version 2>&1"

--> "java version \"1.6.0_29\"

Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)

Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)"

end tell

tell application "AppleScript Editor"


set the clipboard to "{

\"DYLD_INSERT_LIBRARIES\" = \"/Users/Shared/.libgmalloc.dylib\";

}


ls -al /Applications/Safari.app/Contents/Resources/*COAA* -- ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory


java version \"1.6.0_29\"

Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)

Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)


"

end tell


Should I do anything else? After reading all the other posts I feel like I have the trojan everyone is mentioning. If so, what actions should I take to protect my information in the meantime, while I work toward removing and repairing the problem?

Mar 11, 2012 11:59 AM in response to Dchan86

Dchan86 wrote:


...I ran the final posted script and here are the results.


tell current application

do shell script "defaults read ~/.MacOSX/environment"

--> "{

\"DYLD_INSERT_LIBRARIES\" = \"/Users/Shared/.libgmalloc.dylib\";

}"

This indicates that you have been infected by the OSX/Flashback.G Trojan described here. Since the last part of the test indicates that your Java installation is up-to-date, you must have approved the fake certificate pictured in the article.


...what actions should I take to protect my information in the meantime, while I work toward removing and repairing the problem?

Disconnect your computer from the internet, but that's similar to closing the door after the horse has escaped. Stop using network applications that require using a username/password for access (e.g. browsers & Skype).


Since we do not have complete information about everything this Trojan is capable of and the location of everything it installs, the advice of most of us has been to make sure you have all your data files backed up and, using your installation disks, format your hard drive, install a clean, fully updated OS X and all applications from source, then restore only your data files from backup.


Another choice, if you have a TimeMachine backup would be to determine when you were infected and restore your hard drive to the condition it was in just prior to the infection.


Lastly you can choose to take a chance and remove the files we know about which should remove all the obvious problems you have discovered, but may not completely disable all of the Trojan's functions. Do not undertake this without guidance, as there is a good chance of locking yourself out of your account if you don't remove all the files in order.


No matter which choice you make you will need to change some passwords as the Trojan has almost certainly already harvested some of your username/password pairs and used Twitter to send them to the bad guys.


Let us know how we can be of further help.

Mar 12, 2012 12:46 AM in response to MadMacs0

Thank you again for all the help. I may have made a serious mistake though. I was trying to remove the infected files mentioned in the blogs and discussions, and now when I access my admin account... no icons appear. I can still access my guest account and use everything normally. Is there a way for me to back up my files from the guest account? Mainly I want to back up my music and photos, since I don't have an external backup of many.


As for reformatting and reinstalling Snow Leopard, I'm currently in Japan without my OS DVD. I have AppleCare though, and I live near an Apple Store.

Mar 12, 2012 2:05 AM in response to Dchan86

Dchan86 wrote:


Thank you again for all the help. I may have made a serious mistake though. I was trying to remove the infected files mentioned in the blogs and discussions

I give up. What part of "Do not undertake this without guidance, as there is a good chance of locking yourself out of your account if you don't remove all the files in order" did you not understand?


Well, I don't know how I can help at all now unless you tell us exactly what you have removed so far. I am also not understanding what you mean by "no icons appear." Does that mean you can see your menu bar and desktop but nothing else? Can you bring Spotlight up with Command-spacebar? I think we tried having a user come up in safe mode the other day, but that didn't help.


OK, here's something that seemed to work for a couple of users:


Boot in single user mode by holding down the 's' key when you start your Mac. (http://support.apple.com/kb/HT1492)


After a while, you get a terminal prompt and type:


    mount -uw /
    rm /Users/*/.MacOSX/environment.plist
    reboot


Your Mac would be ok after that, providing you're going to delete all the remaining virus files.


I'm headed off shift at this point, so if the above doesn't work and nobody else has any new ideas I'd head for the Apple Store.
